Since last year, I have been writing about the increasing impact of cybersecurity on contract awards. DoD has issued guidanceon how it will evaluate system security plans, and it has indicated that, along with cost, schedule, and performance, cybersecurity is the “fourth pillar” of its acquisitions. As a result, contractors need to shift their view of cybersecurity compliance as a cost center to a business driver and an increasingly important factor in gaining a competitive advantage.
The momentum has continued into 2019, and there are several developments that indicate source selections will continue to emphasize cybersecurity compliance. DoD has indicated it is looking at requiring a third-party audit of cybersecurity compliance, comparable to an ISO certification. DoD also recently announced that it is working with NIST on cybersecurity standards that contractors would need to follow before they can win a contract. A big part of the challenge with cybersecurity compliance is that the standards seem to be a moving target, so DoD’s announcement is unfortunately more of the same. But the notion that contractors would need to meet certain requirements to even be eligible for award is a new development. In the past, cybersecurity compliance has largely been a matter of contract administration. Now, with increasing use of cybersecurity as part of best value evaluation factors, and with the prospect of new cybersecurity standards that will serve as “gating” requirements for winning contracts with DoD, it is clear how your compliance posture impacts your ability to win contracts.
And this is not just for DoD contracts. We recently worked with a client on a civilian agency procurement that required compliance with the more robust cybersecurity requirements found in the DFARs, including compliance with NIST SP 800-171. This was surprising because these requirements have not yet been included in the FAR. This civilian agency solicitation required submission of the offeror’s system security plan in the proposal, and the plan was evaluated and rated in the best value tradeoffs. We have also heard from several clients recently who were unable to join a team to pursue a large contract because their potential teaming partners were dissatisfied with the level of their cybersecurity compliance. Many large prime contractors have adopted vetting processes for potential subcontractors that include an assessment of their cybersecurity posture. In one instance, a teaming arrangement fell through because the potential teaming partner also wanted to see evidence that the company had cybersecurity insurance, which it did not.
The latest rumor is that the proposal to add NIST SP 800-171 requirements to the FAR will be issued this August. GSA is also working on significant cybersecurity regulations to be issued this year. The FAR and GSA initiatives continue to drive home the point that it is important for contractors of all sizes, and across all industries and agencies, to have a plan for their cybersecurity. This is not just a matter of compliance anymore—increasingly, it is the difference between winning and losing contracts.
The competitive effect of cybersecurity and its impact for small and mid-sized firms across all industries has led us to put together an event called “Gaining a Competitive Edge through Cyber, Data, and Personnel Security,” which we will be hosting in Tysons Corner, VA, on June 5. Our goal for this event is to bring together perspectives from government, large prime contractors, and small businesses on how cybersecurity, data, and personnel security are driving the pursuit of prime contracts and subcontracts and creating an opportunity to gain a competitive advantage. We want to give attendees actionable information on how to address the impact of cybersecurity compliance in prime contracts and subcontracts, protecting your data rights and IP in these contracts, how cybersecurity and data rights impact mergers and acquisitions for federal contractors, and the importance of a robust insider threat program, employee training, and other risk mitigation strategies.
In addition to several members of our team, speakers at the event will include:
- Jerry Howe, General Counsel for Leidos;
- Mark Drever, President and CEO of Xcelerate Solutions;
- Philip McMann, Partner at Aronson Capital Partners;
- and Tim Brennan, CEO of SysArc, Inc.
About the Author: Jon Williams is a partner with PilieroMazza and a member of the Government Contracts Group. He may be reached at jwilliams@pilieromazza.com.