Column: Cybersecurity's Increasing Impact on Prime Contract and Subcontract Awards
by Jon Williams, partner, PilieroMazza PLLC
Since last year, I have been writing about the increasing impact of cybersecurity on contract awards.
The Defense Dept. has issued guidance on how it will evaluate system security plans, and it has indicated that, along with cost, schedule, and performance, cybersecurity is the “fourth pillar” of its acquisitions.
As a result, contractors need to shift their view of cybersecurity compliance from a cost center to a business driver and an increasingly important factor in gaining a competitive advantage.
The momentum has continued into 2019, and there are several developments that indicate source selections will continue to emphasize cybersecurity compliance.
DOD officials have indicated they are looking at requiring a third-party audit of cybersecurity compliance, comparable to an ISO certification. DOD officials also recently announced that the department is working with the National Institute of Standards and Technology on cybersecurity standards that contractors would need to follow before they can win a contract.
A big part of the challenge with cybersecurity compliance is that the standards seem to be a moving target, so DOD’s announcement is unfortunately more of the same. But the notion that contractors would need to meet certain requirements to even be eligible for award is a new development.
Cybersecurity a “gating” requirement
In the past, cybersecurity compliance has largely been a matter of contract administration. Now, with increasing use of cybersecurity as part of best-value evaluation factors, and with the prospect of new cybersecurity standards that will serve as “gating” requirements for winning contracts with DOD, it is clear how your compliance posture impacts your ability to win contracts.
And this is not just for DoD contracts. We recently worked with a client on a civilian agency procurement that required compliance with the more robust cybersecurity requirements found in the Defense Federal Acquisition Regulations (DFARs), including compliance with NIST SP 800-171.
This was surprising because these requirements have not yet been included in the Federal Acquisition Regulation (FAR). This civilian agency solicitation required submission of the offeror’s system security plan in the proposal, and the plan was evaluated and rated in the best value tradeoffs.
We also have heard from several clients recently who were unable to join a team to pursue a large contract because their potential teaming partners were dissatisfied with the level of their cybersecurity compliance. Many large prime contractors have adopted vetting processes for potential subcontractors that include an assessment of their cybersecurity posture. In one instance, a teaming arrangement fell through because the potential teaming partner also wanted to see evidence that the company had cybersecurity insurance, which it did not.
NIST cyber rules added to the FAR?
The latest rumor is that the proposal to add NIST SP 800-171 requirements to the FAR will be issued this August. The General Services Administration also is working on significant cybersecurity regulations to be issued this year. The FAR and GSA initiatives continue to drive home the point that it is important for contractors of all sizes, and across all industries and agencies, to have a plan for their cybersecurity. This is not just a matter of compliance anymore—increasingly, it is the difference between winning and losing contracts.
Cyber competitive edge event
The competitive effect of cybersecurity and its impact for small and mid-sized firms across all industries has led us to put together an event called “Gaining a Competitive Edge through Cyber, Data, and Personnel Security,” which we will be hosting on June 5 in Tysons Corner, VA.
Our goal for this event is to bring together perspectives from government, large prime contractors, and small businesses on how cybersecurity, data, and personnel security are driving the pursuit of prime contracts and subcontracts and creating an opportunity to gain a competitive advantage. We want to give attendees actionable information on how to address the impact of cybersecurity compliance in prime contracts and subcontracts, protecting your data rights and IP in these contracts, how cybersecurity and data rights impact mergers and acquisitions for federal contractors, and the importance of a robust insider threat program, employee training, and other risk mitigation strategies.
In addition to several members of our team, speakers at the event will include: Jerry Howe, General Counsel for Leidos; Mark Drever, President and CEO of Xcelerate Solutions; Philip McMann, Partner at Aronson Capital Partners; and Tim Brennan, CEO of SysArc, Inc.
Event information: https://bit.ly/2UqvqVh
Jon Williams has over 15 years of experience advising contractors on a wide range of government contracting matters and FAR compliance, including the federal procurement programs for small businesses (i.e., 8(a), HUBZone, WOSB and SDVOSB programs). He represents contractors in bid protests, size protests and appeals, SBA audits and investigations, subcontracting plan compliance reviews, IG investigations, and suspension and debarment proceedings. He regularly helps contractors to establish teaming, subcontract, joint venture and mentor-protégé relationships. He also counsels contractors on cure notice responses, requests for equitable adjustment, claims and disputes on government contracts. This column was reprinted with permission from PilieroMazza PLLC.