Fed. contractors face new cyber-safety rule
Nearly 500 local firms must comply with security requirements.
Federal contractors need to better protect their government data, or they could lose their business with the government.
A looming new federal security directive will require businesses working with the federal government to protect their cyber data, or have a detailed plan for doing so, by year’s end. The directive is called “NIST 800-171” — or sometimes just “rule 171” — and it will control whether companies from defense engineering firms to janitorial outfits can do business with the federal government.
For local contractors, the stakes are high. Nearly 500 area companies must comply, said Philip Raterman, director of the University of Dayton Research Institute’s Fastlane division.
And that number does not count sub-contractors, said Rob Gillen, program manager and senior electrical engineer for Fastlane.
“This is becoming a thing for Ohio,” Raterman said.
The concern is a timely one. Recently, the “WannaCry” ransomware cyber attack hit at least 74 countries. Retailer Brooks Brothers said Friday that some of its customer payment information was compromised at some stores between April 4, 2016 and March 1, 2017. Brooks Brothers customers are at risk of having had credit card data — names, account numbers, expiration dates and verification codes — stolen, media reports said.
“We are finding that a lot of companies are not aware of this requirement and face losing their government contracts,” said Tamara Wamsley, a strategist with Fastlane. “This issue could impact the success of many local companies, could result in lost jobs. This is a big deal.”
“It’s not just for R&D (research and development firms),” Gillen said. “It’s for janitors, it’s for accountants.”
“(It’s for) anyone who has information classified by the government that needs to be protected,” said Shawn Walker, co-founder and vice president of Miamisburg-based Secure Cyber Defense LLC.
Today, the rule affects only Department of Defense contractors. But Gillen said it will “almost certainly” expand to impact every federal contractor and sub-contractor.
The rule is essentially a list of 110 requirements with which contractors must comply.
“They have to do it this year or even earlier,” Gillen said.
UDRI will be working with Air Force and military contractors on what contractors need to do in a June 1 training session at UDRI’s River Campus headquarters, 1700 S. Patterson Blvd. The training is free but registration is required at fastlane-mep.org/cyber-compliance/.
The day will have two training sessions. The first is focused on Air Force small business innovation and research grant awardees. There will also be sessions for federal licensees and Department of Defense contractors.
How much work will compliance require? That depends on the size of the contractor in question and how much federal information they have.
“Starting from nothing, it will probably take six to 12 months to get all of the technology in place to be able to say you’re compliant,” Walker said. “To put the plan together may take 30 to 60 days.”
Once compliance is in place, constant monitoring is required. Within 72 hours of a hacking incident, every contractor will be required to report it to the DoD. Today, the average hacking victim may not even know of a hacking incident for something like 200 days, Wamsley said.
Hackers “are getting better and better,” Raterman said. “It’s knowing shortly after it happens how to stop it, then recovering from it.”
Shawn Waldman, CEO of Secure Cyber Defense, said his company has a monitoring center at its Miamisburg office to constantly track hacking attempts and report them in “real time.”
“We receive, process and respond to all of those alarms out of that center,” he said.