Businesses contracted with the U.S. Department of Defense (DoD) have experienced a growing awareness of the requirements of the Defense Federal Acquisition Regulation Supplement (DFARS) and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. While the Dec. 31, 2017, deadline has long since passed, many DoD contractors have forgone regulatory compliance. That decision is now putting them at risk as the DoD is refusing to renew contracts, is issuing “stop work” orders, and is declining new contracts for non-compliant contractors.
There are several reasons businesses contracted with the DoD should achieve DFARS and NIST SP 800-171 compliance. Not only is it the right thing to do, but it’s required to maintain existing DoD contracts as well as be considered for new contracts. The compliance regulations also require tier one subcontractors of businesses working with the DoD to meet DFARS and NIST SP 800-171 standards. Here’s a quick look at all of the reasons your company should work toward achieving regulation compliance as soon as possible.
The Growing Threat
While every business leader has heard of cybersecurity, not everyone realizes the severity of the threats their businesses face daily. According to the 2019 Internet Security Threat Report by Symantec, one in ten URLs are malicious, web attacks are up 56 percent, and more than 4,800 websites are compromised with formjacking code each month. While overall ransomware is down 20 percent, enterprise ransomware is up 12 percent, according to the Symantec report. Furthermore, supply chain attacks are up 78 percent over the previous year, according to the report, and 48 percent of malicious email attachments are office files. The same report shows malware attacks increased by 25 percent. Cybersecurity is more important than ever due to the rising rate of threats and attacks, especially when it comes to private businesses.
While everyone knows prime contractors with the DoD are required to be DFARS and NIST SP 800-171 compliant, there is a flow-down clause in the regulation as well. According to DFARS 252.204-7012, subcontractors that provide “operationally critical support,” or whose work includes covered defense information (CDI), are also required to achieve DFARS and NIST SP 800-171 compliance. The government enforces subcontractor compliance with DFARS and NIST through the prime contractor. This means organizations directly contracted with the DoD will be especially cautious about subcontracting with businesses that have not already achieved compliance.
The Impact On Profits
Whether your organization is a major player in aerospace development or it’s a small subcontractor for other businesses contracted with the DoD, the DFARS and NIST SP 800-171 regulations can have a major impact on your bottom line. Even if you don’t see the connection between your company and regulatory compliance, it may become a prerequisite to obtaining future contracts.
As mentioned above, part of the DFARS and NIST SP 800-171 regulations require tier one subcontractors to achieve the same compliance standards as direct DoD contractors. So whether your business is a prime DoD contractor or a subcontractor, now is the time to achieve compliance before it loses profits associated with “stop work” orders on existing contracts. Additionally, think of the lost revenue of future contracts that are awarded to companies that are DFARS and NIST SP 800-171 compliant when yours isn’t.
No New Contracts
As previously discussed, compliance is also likely going to be a factor when it comes to the contract process. With recent guidance from the U.S. Secretary of Defense and the DoD, a procuring agency can consider whether your business is compliant with government regulations. DoD procurement agencies will most likely consider DFARS and NIST SP 800-171 compliance as a factor in the source selection process. That means your company’s ability to effectively compete for contracts will be nil if your business is up against others that are already DFARS and NIST SP 800-171 compliant.
While compliance with DFARS and/or NIST SP 800-171 may not be explicitly outlined in the source selection process, it can impact your business’s ability to secure contracts. DFARS section 252.204-7008 states, “by submission of this offer, the offeror represents that it will implement the security requirements specified by NIST SP 800-171.” That means you may be the frontrunner for a new contract but that can change quickly when it’s discovered that your company is not DFARS and NIST SP 800-171 compliant, even if it wasn’t mentioned in the source selection process to begin with. It’s better to achieve compliance now so you can tout it when it comes time.
Liability and Litigation
Businesses that contract with the DoD risk liability, litigation, and breach of contract issues if they are not DFARS and NIST SP 800-171 compliant. Though DFARS doesn’t specifically mention the False Claims Act (FCA), a non-compliant company contracted with the DoD may be at risk of being found in violation of the act. Though there are currently no judicial findings on this issue, there exists the potential for a business contracted with the DoD to be found in violation of the FCA by “fraud in the inducement” or “implied certification.”
The bottom line is that non-compliance with DFARS and NIST SP 800-171 could be the basis for the government to seek remedies for breach of contract against your business. It’s better to cover your business in advance than to deal with breach of contract, FCA, or other litigation issues stemming from non-compliance after the fact.
Selling Your Business
When it comes time to sell your company, you might find it difficult if regulatory compliance has not already been achieved. Most buyers (and their attorneys) are now savvy enough to ask whether your company has achieved DFARS and NIST SP 800-171 compliance. This is especially true if your business is already a prime contractor or tier one subcontractor for the DoD.
Even if a buyer is still interested in acquiring your company despite non-compliance with DFARS and NIST SP 800-171 regulations, it will impact the valuation of your company. That means you will likely be offered a lower price in the long run than if your company had already achieved compliance. The small investment of achieving compliance now could boost the value of your business in the event you decide to sell it in the future.
Compliance Is Easier Than You Think
While achieving compliance can seem confusing and costly, it’s actually easier than you think. DFARS requires contractors to provide “adequate security” for CDI while it is being processed, stored, or transmitted on the contractor’s information system or network. Many of the 110 requirements outlined in NIST SP 800-171 are common-sense requirements your business may already have in place.
Your business can hire a third-party vendor such as Dox Electronics to help you perform an audit of your information system(s) to determine whether you are DFARS and NIST SP 800-171 compliant. If you aren’t, the audit will identify your business’s shortcomings and provide a plan for remediation. This will allow you to become compliant quickly and effectively. In addition, some states are offering grants to assist in covering the cost of becoming DFARS and NIST SP 800-171 compliant.
If you decide to work with a third-party vendor, ensure you are working with an organization that specializes in DFARS and NIST SP 800-171 compliance, such as Dox Electronics. They should have a proven history of successfully conducting audits and assisting companies in achieving compliance. Furthermore, they should provide both managed services and cloud services, as these are also areas covered in the DFARS regulation and can reduce your costs. Finally, vendors such as Dox should be able to assist you in locating funds to help offset the costs of reaching compliance.
Doing the Right Thing
The DoD and the U.S. government recognize the threat posed by other nation states and private hackers. Hackers, foreign entities, and others are always looking to make a profit or gain a strategic advantage from the proprietary data of others, including the American government. Consider the story by CNet about China stealing secret U.S. weapon plans in a Navy hack, or The New York Times piece about the Chinese theft of nuclear technology from Los Alamos National Laboratory in New Mexico. Incidents of such technology theft are not isolated to China. An online article at Task & Purpose reports “How the U.S. and Russia Steal Each Others’ Top Military Secrets.”
The purpose of regulations such as DFARS and NIST SP 800-171 is to mitigate the risk to such national security interests. Now that you better understand the growing threats businesses contracted with the DoD face, you should also understand that achieving regulatory compliance is the right thing to do for both your company and your country.
When your organization fails to adhere to DFARS and NIST SP 800-171 requirements, you are subjecting your business assets and those of the government to higher risk. Valuable confidential information, trade secrets, and proprietary data are devastating in the wrong hands and are often sold to the highest bidder on the dark web.
To learn more about DFARS and NIST SP 800-171 compliance, regulation audits, or funding for companies seeking regulatory compliance, contact Dox today at (585) 473-7323. Our experts are here to assist you in achieving compliance as quickly, efficiently, and affordably as possible.