What Small Businesses Need to Know

Why is cybersecurity important?

Today, more than ever, the Department of Defense (DoD) relies upon external contractors to carry out a wide range of missions and shares sensitive data with these entities. Inadequate safeguards threaten America’s national security and put servicemembers’ lives at risk.

What has DoD done to address this issue?

In April 2009, the DoD and DNI CIOs launched the Joint Task Force Transformation Initiative to develop a comprehensive set of cybersecurity standards and to align publications produced by different federal agencies. Over the years, Congress added more requirements in the National Defense Authorization Act (NDAA), the National Institute of Standards and Technology (NIST) produced several iterations of cybersecurity standards, and DoD implemented these measures through changes to DoD policies and the Defense Federal Acquisition Regulation Supplement (DFARS).

How does this affect small businesses?

Under an interim rule issued in December 2015 (DFARS § 252.204-7012), DoD contractors (including small businesses) must:

(1) Provide adequate security to safeguard covered defense information that resides in or transits through their internal unclassified information systems from unauthorized access and disclosure.

(2) Rapidly report cyber incidents and cooperate with DoD to respond to these security incidents, including providing access to affected media and submitting malicious software.

What is adequate security?

Minimum cybersecurity standards are described in NIST Special Publication 800-171 and break down into the following 14 areas:

  • Access Control
  • Awareness & Training
  • Audit & Accountability
  • Configuration Management
  • Identification & Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Security Assessment
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • System & Communication Protection
  • System & Info Integrity

In each of these areas, there are specific security requirements that DoD contractors must implement. Full compliance is required no later than December 31, 2017. Contractors must notify the DoD CIO within 30 days of contract award of any security requirements not implemented at the time of contract award. Contractors can propose alternate, equally effective measures to DoD’s CIO through their Contracting Officer.

If DoD determines that other measures are required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability, contractors may also be required to implement additional security precautions.

How do small businesses attain these standards?

The standards reference another document (NIST Special Publication 800-53), which goes into more detail about the controls. In addition, NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, Sections 3.3 to 3.6, provides small businesses a systematic step-by-step approach to implementing, assessing and monitoring the controls.

Although these requirements may initially seem overwhelming, small businesses can use this framework to divide the project into small, manageable chunks and work toward attaining compliance. Incurred costs may also be recoverable under a cost reimbursement contract pursuant to FAR 31.201-2.

May contractors outsource these requirements?

Contractors may use subcontractors and/or outsource information technology requirements, but they are responsible for ensuring that the entities they use meet the cybersecurity standards. If they anticipate using cloud computing, they should ensure the cloud service meets FedRAMP “moderate” security requirements and complies with incident reporting, media and malware submission requirements.

What if there is a potential breach?

Don’t panic. Cybersecurity occurs in a dynamic environment. Hackers are constantly coming up with new ways to attack information systems, and DoD is constantly responding to these threats. Even if a contractor does everything right and institutes the strongest checks and controls, it is possible that someone will come up with a new way to penetrate these measures. DoD does not penalize contractors acting in good faith. The key is to work in partnership with DoD so that new strategies can be developed to stay one step ahead of the hackers.

Contact DoD immediately. Bad news does not get any better with time. These attacks threaten America’s national security and put servicemembers’ lives at risk. DoD has to respond quickly to change operational plans and to implement measures to respond to new threats and vulnerabilities. Contractors should report any potential breaches to DoD within 72 hours of discovery of any incident. Report these incidents directly online at

Interpret potential breaches broadly to include all actions taken using computer networks that result in actual or potentially adverse effects on information systems and/or the information residing therein. These include:

  • possible exfiltration, manipulation or other loss or compromise of controlled technical information from an unclassified information system and
  • any unauthorized access to an unclassified information system on which such controlled technical information is resident or transiting

Be helpful and transparent. Contractors must also cooperate with DoD to respond to security incidents. Contractors should immediately preserve and protect all evidence and capture as much information about the incident as possible. They should review their networks to identify compromised computers, services, data and user accounts and identify specific covered defense information that may have been lost or compromised.