Well “up in arms” may be a bit strong. But small business advocates like Carol White, the Air Force’s deputy director for small business programs, are reporting that a recent Department of Defense contracting rule may put small government contractors at a disadvantage. That’s according to a report from Federal News Radio.
The new rule requires multifactor authentication on any contractor-owned system that uses certain Defense Department information. It also imposes certain reporting requirements in the event the system is hacked or compromised.
According to the Federal News Radio report:
“The office of Defense Procurement and Acquisition Policy (DPAP) issued a class deviation — an emergency workaround to the usual process of writing acquisition rules — ordering all of DoD’s contracting officers to insert new language into their contracts requiring, among other things, multifactor authentication on any contractor-owned system that houses unclassified but “controlled” Defense information and quick notification to DoD when any of those systems appear to have been breached.
“We’re hearing from a lot of our people out in the field saying, ‘Hey, this is going to be a huge impact to our small contractors,’” Carol White, the Air Force’s deputy director for small business programs, said during a panel I moderated last week at AFCEA NoVA’s annual Air Force IT day. “It’s mostly anecdotal at this point, and we need to hear more from our small business contractors, but this is potentially going to drive up their costs.” (emphasis added)”
Cyber security in general is an increasing cost item for businesses. That cost disproportionately hits small businesses, which don’t have the funds to invest in implementing security measures the way their larger counterparts do.
It’s not just the out-of-pocket cost that hurts. Sometimes the biggest cost is in time and people to implement security measures.
Security doesn’t magically get put into place. Making changes to your computing systems often involves ambitious programming and project management undertakings. It may require considerable testing, as any change to a system may have unanticipated ripple effects.
Worse, implementing system changes, especially to meet a deadline, distracts your limited staff in a small business. That can disrupt the business. Responsibilities such as serving other customers may get put on the back burner, because you have to make hard choices.
Of course, security can’t be ignored. That’s why the cost of implementing security measures needs to be carefully factored into federal contracts and subcontracts (and private contracts, too). The implementation timing also needs to be factored in. It shouldn’t just be assumed that all will be absorbed by the businesses. The smallest businesses are least able to absorb the time and money.
Small businesses: when negotiating contracts, be sure to highlight the security compliance costs — whether it’s a government contract or a private contract. And if you’re a DoD contractor or subcontractor, speak up. Help the other parties understand what’s involved for you. Everything has a cost.