A unit of the Small Business Administration (SBA) has filed objections to the Department of Defense’s (DoD) implementation of federal cybersecurity requirements.
SBA’s Office of Advocacy says the rule will impose a significant financial burden on small businesses and could make it more difficult for small businesses to qualify for DoD contract awards.
Background
The federal government’s cybersecurity rules were developed by the National Institute of Standards and Technology (NIST). Guidelines entitled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (NIST Special Publication 800-171) were created to ensure that sensitive federal information remains confidential when stored in non-federal information systems and by outside organizations like contractors.
NIST’s publication focuses on minimum standards and best practices for 14 different “Security Requirement Families,” including access, incident response, and assessments of information systems and security controls. It provides a detailed list of basic and derived security requirements federal contractors need to employ to meet each of the standards.
DoD is the first agency to move toward implementation of the NIST rules, with other agencies sure to follow.
On August 26, 2015, DoD published a rule amending the Defense Federal Acquisition Regulation Supplement (DFARS). Subsequently, on December 30, 2015, DoD provided notice that both large and small contractors would be given more time – until December 31, 2017 – to comply with the rules. Until that time, however, contractors still would be required to document both their cybersecurity shortcomings and their progress toward full compliance with NIST rules. According to the DFARS, in order to qualify for DoD contracts, businesses would not be allowed to have any security system gaps when full compliance with the NIST guidelines becomes mandatory on December 31, 2017.
SBA’s Objections
On February 29, 2016, the SBA’s Office of Advocacy published its concerns with the December 30th version of DoD’s rule. The Advocacy Office finds DoD’s regulatory impact analysis to be “deficient in its estimation of affected small businesses” and contends that DoD has not considered significant alternatives. In addition, SBA says the cost of compliance with the rule will be a significant barrier to small businesses engaging in the federal acquisition process. Specifics are as follows:
- SBA cites DoD’s estimate that 10,000 contractors will be impacted by the rule and that no more than 5,000 of these are small businesses. SBA speculates that DoD’s estimate includes only small business prime contractors, and if that’s the case, the number of small businesses affected by the interim rule is vastly underestimated.
- The Advocacy Office recommends that DoD should either:
  - Collaborate with universities and other organizations to provide low-cost cybersecurity services to small businesses participating in the federal acquisition process, or
  - Provide a one-time subsidy to small businesses participating in the federal acquisition process to help cover the cost of initial consultations with third-party vendors to assess their information systems and security controls for vulnerabilities.
- SBA says the compliance cost for small businesses should be viewed in two ways: as prime contractors and as subcontractors.
  - The compliance cost for small business prime contractors will be very high as many firms will be forced to purchase services from outside vendors to provide adequate safeguards for DoD information. Because most small businesses have neither the technical expertise nor the information technology personnel or software to conduct these services in-house, they will be forced to incur costs associated with software, infrastructure, consultation, and training.
  - Small business subcontractors may be faced with the imposition of additional requirements that are not directly required in the NIST requirements but are required by the prime contractor under the terms and conditions of a DoD contract. SBA offers the example of the DFARS requirement that both primes and subcontractors must provide DoD with notification of any security breach within 30 days of the discovery of a cyber incident. Large prime contractors are likely to require their subcontractors to report such infractions to the prime much sooner than the time required by the regulation.
Recommendations
In order to address these adverse impacts on the small business community, SBA’s Advocacy Office is calling on DoD to:
- Revisit its initial regulatory analysis to ensure its estimation of the number of small businesses impacted by this interim final rule includes small business prime contractors as well as small business subcontractors.
- Consider significant alternatives, such as collaborating with universities or other organizations to provide low-cost cybersecurity services to small businesses, or providing a one-time subsidy to small businesses to help cover the cost of initial consultations with third-party vendors.
SBA’s full statement on this matter can be viewed at: https://www.sba.gov/advocacy/2-29-16-interim-rule-defense-federal-acquisition-supplement-network-penetration-reporting