By Angela Dingle on Friday, May 3, 2019
As a government contractor, you face increased oversight and heightened competition on a daily basis. As a result, you must leave no stone unturned in your efforts to retain and successfully bid on valuable contracts. As the federal government places greater value on the protection of sensitive data, cyber, and cybersecurity, government contractors must do the same. If you are in technology, you are already aware of how the changes in the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) clauses related to safeguarding information can become a critical part of your compliance and win strategy when responding to a Request For Proposal (RFP). But what about those government contractors that don’t provide technology products and services?
What you understand about cybersecurity and how it impacts your business can make or break your ability to bid, win, and execute a government contract. Good cyber hygiene habits can help.
Wait…what is Cyber Hygiene?
No, it’s not a new set of guidelines for brushing your teeth! But it is a good analogy for maintaining the health of your computer systems and devices. Norton describes cyber hygiene as training ourselves to think proactivity about our cybersecurity—like we do with our daily personal hygiene—to resist cyber threats and online security issues. In the same way you use the right toothbrush and maintain a routine for brushing and flossing your teeth, you need a set of best practices for maintain the health of your computer systems and devices.
What’s cyber got to do, got to do with it (while doing my Tina Turner impression)?
Government contractors (defense contractors, in particular) are targeted because our adversaries know that you may have access to and/or produce military designs, specifications, and other information that is of interest to them. But it’s not just designs and specifications that are being targeted— the personal data you hold on citizens and government employees is also at risk. Research indicates that nearly half of small businesses in the US have suffered a cyber attack in 2018. However, small businesses are less likely to have strategies in place to ward off attacks, detect them early if they do occur, and reduce the damage. And, they are less likely to be able to withstand the financial impact of a hack or breach.
Since 2013, the Department of Defense (DoD) and civilian agencies have worked with the FAR Council to introduce a number of new regulations designed to hold contractors responsible for adequately securing their information systems. If you have an existing government contract, you may already be familiar with The Privacy Act of 1974. It has been around for a long time and ensures that the government and its contractors protect Personally Identifiable Information (PII). It has become a focus from a cybersecurity standpoint because the context of this Act has now been interwoven into security regulations and major security breaches such as the 21.5 million records that were stolen from the Office of Personnel Management (OPM). However, if you notice FAR 52.204-21 or DFARS 252.204.7012 clauses in the RFP, there are some specific cybersecurity details you will need to include in your response.
For everyone else, just know that understanding these regulations and practicing good cyber hygiene can mean the difference between contract success and lost contract revenues, civil penalties, and millions of dollars in costs for non-compliance.
We’re not a technology company, so why should I be concerned about cybersecurity?
Cybersecurity affects everyone, whether you are a private citizen, nursing home, construction company, or training provider. It affects businesses of all sizes, whether you are a solopreneur, small business, or corporate giant. That means, even if you are not in technology, some of the products and services you offer to the government must be protected in the same manner as technology systems. For example, if you are a construction company, or a civil engineer, the designs that you create for a new bridge or the company from whom you purchase the locks that are installed on a new government building may be of interest to our adversaries.
So, if you are doing business with the federal government, it’s not enough to be proficient in your craft, you need to know the cybersecurity trends affecting your industry and how to ensure that you are adequately protecting your intellectual property; internal information systems; the goods and services you provide to the government; and any government systems that your personnel may come in contact with.
So, how can I incorporate good cyber hygiene into my RFP response?
Let’s just start with the basics. If you are submitting your proposal electronically (e.g., via email or through a government supplied portal), scan your files and any attachments for viruses prior to uploading them to the portal or attaching them to your email response. If you haven’t already done so, turn on two-factor authentication. One of the most popular hacks today is for someone to spoof your email address and either request funds or send malicious emails on your behalf. Using two-factor authentication can reduce the likelihood that your email address will be spoofed. Now, let’s talk about ways to weave good cyber hygiene practices into your RFP response.
Describe how your understanding of the threats related to your industry affect your technical approach, the specific cyber practices you plan to use during the contract and how they will help to ensure and on time, on budget delivery.
Does your organization chart include a role for security? Use it to demonstrate the importance and your commitment to good cyber practices. Have your internal systems been assessed for cyber risk? If so, discuss how it helps to lower risk and ensure business continuity. Are you using subcontractors? If so, discuss how you flow down FAR/DFARS clauses to your subs and the approach you use to ensure they are complying with cyber requirements. Do you have an established incident response process? If so, use it to demonstrate your team’s ability to resolve problems.
Does your company have a cyber insurance policy? Be sure to highlight it as one of the methods you use to mitigate risk. Do you track the cost of cyber compliance separately in your accounting system? Describe how this helps to ensure transparency in your billing rates or product costs.
Do you train your employees, subcontractors, or vendors on soft skills and security awareness? If so, discuss the type and frequency of training you provide. Research indicates that soft skills such as communications and marketing are key to engaging and changing the behaviors of the workforce. By conducting training, you demonstrate your commitment to good cyber hygiene and risk mitigation.
As always, be sure to thoroughly read the instruction in the solicitation and submit a complete, correct, and compliant response.
Okay, let’s bring this home.
Cyber attacks can have a devastating impact on your business, including but not limited to: negative media attention; the inability to fulfil your contractual obligations; damaged corporate reputation; and penalties. Most businesses are unaware that they have been attacked until notified by law enforcement, customers, auditors, or external resources that raise a concern.
When it comes to evaluating the response to an RFP, the Federal Government is assessing the level of risk associated with doing business with you based on your technical ability, management processes, pricing, and past performance. Why not highlight your company’s cybersecurity practices to give you a competitive advantage and position your company as the government’s low risk provider of choice?
About the Author:
Ex Nihilo Management, LLC, a 100% WOSB, is a trusted advisor to the government and its team members, providing objective IT governance, risk, and compliance services based on a thorough understanding of customer requirements and deep systems integration experience. Ex Nihilo’s President & CEO, Angela Dingle is a leadership coach, management consultant, and speaker with over 20 years’ management and technology experience in public, private, and non-profit sectors. She is the author of Discovering Your Girl Powers and has worked with Fortune 500 companies, national non-profits, state, local, and Federal Governments to help them achieve their strategic objectives. Angela is the Chair of the Board of Directors at Women Impacting Public Policy (WIPP), a nonpartisan organization that strengthens the impact of women entrepreneurs in policy and economy. Angela may be reached at firstname.lastname@example.org.