National Cyber Security Awareness Month: 3 Steps to Safeguarding Your Contracts
As another government fiscal year comes to a close, agencies are moving into the execution phase. For contracts with cybersecurity elements, acquisition planning and contract administration have become increasingly complex under the recent laws and regulations governing cybersecurity. With October designated as National Cyber Security Awareness Month, this is a good opportunity to review current and new contracts and to self-audit existing cybersecurity management practices.
In a panel discussion at the New York Times 2015 DealBook Conference, IBM CEO Ginni Rometty said that “Cyber crime is the greatest threat to every company in the world.” With data breaches such as the U.S. Office of Personnel Management and the recent Equifax hacks, major attacks have become a common occurrence. Large-scale breaches gain media attention because of the millions of records that are compromised. However, “smaller” attacks, such as those involving identity theft, happen every day, and in aggregate they can be just as damaging, affecting a large share of the population.
Contracting professionals are the cybersecurity gatekeepers of the Federal acquisition process. Cyber criminals know this and are constantly looking for ways to exploit vulnerabilities. How can contracting professionals safeguard their contracts and do their part to practice good cybersecurity management? Here are three suggestions.
Step 1: Compile a Checklist
Contracting professionals are responsible for certifying that cybersecurity requirements have been met and keeping contracts secure. Focusing on relationships with key individuals in all relevant areas of the organization is one way to contribute to cybersecurity management. Creating a checklist of questions can serve as an overview as well as a conversation starter for establishing those key relationships. Questions can include:
- What kind of data do we store? Process? Transmit?
- Who has access to the data?
- What kind of cybersecurity training do we provide to our staff?
- Do we have a written incident response plan? When and how is it tested?
- Who is responsible for maintenance of our information systems?
Knowing the answers to these questions better prepares contracting professionals to handle potential cyber threats.
Step 2: Know Which Rules and Regulations Apply
The axiom “an ounce of prevention is worth a pound of cure” rings especially true during the acquisition planning phase. For contracts governed by cybersecurity laws and regulations, knowing which ones apply is a crucial step toward securing them. Three foundational Federal cybersecurity laws are:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which governs protected health information
- The Gramm-Leach-Bliley Act of 1999 (also known as the Financial Services Modernization Act of 1999), which governs customer financial information
- The Federal Information Security Management Act of 2002 (FISMA), enacted as Title X of the Homeland Security Act of 2002 (and again as Title III of the E-Government Act of 2002) and updated by the Federal Information Security Modernization Act of 2014, which governs Federal information systems
There are also key FAR and DFARS clauses that contracting professionals should know, along with the reporting requirements attached to some of them:
- FAR 52.239-1, Privacy or Security Safeguards
- FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement the security requirements of NIST SP 800-171 and to report cyber incidents to DoD within 72 hours of discovery
- DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls
- DFARS 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information
- DFARS 252.239-7010, Cloud Computing Services
Keeping track of the ever-changing cybersecurity landscape can become a full-time, but necessary, job.
Step 3: Be Vigilant
Cyber criminals are constantly looking for vulnerabilities and ways to infiltrate systems. Finding out who the contracting professional is on a large-dollar procurement takes little effort, especially when the solicitation is posted on FedBizOpps, which can make that individual a target for phishing and social engineering. As gatekeepers of the acquisition process, contracting professionals can do their part by:
- knowing who in their organization is responsible for network security, and reporting any suspicious activity to them;
- verifying the identity of anyone requesting data, through a known channel, before providing any information;
- using strong, unique passwords, keeping them secure, and enabling multi-factor authentication where it is offered;
- being mindful of what gets posted on social media; and
- separating business and personal accounts.
Although we have heard these practical security tips before, they bear repeating, especially since cyber attacks are on the rise.
Interested in knowing what other steps are needed to safeguard contracts? Learn effective cybersecurity risk management practices and how to assess cyber risk to ensure compliance throughout the contracting cycle.