Almost a year after the requirement took effect to protect unclassified government data on contractor networks there's been a lack of enforcement but that doesn't mean you shouldn't be serious about compliance.
Almost a year after taking effect, contractors are wondering if the DOD’s 800-171 cyber mandate to protect unclassified data on their networks is being enforced after several indicators that it is not. So, why should contractors invest the significant amount of resources required to achieve 800-171 compliance, knowing that enforcement may not occur any time soon – or possibly ever?
Some would say that a mandate is only as good as the consequences of not complying and that consequences are only as good as the enforcement of those consequences. Regardless of enforcement, we strongly recommend that DOD contractors take their 800-171 compliance responsibilities seriously.
Indicators of Enforcement – or the Lack Thereof?
DOD and those of us assisting contractors with their 800-171 compliance efforts have communicated at length about the consequences of non-compliance, some of which are pretty severe, i.e., contract termination, breach of contract lawsuits and possible conviction of criminal fraud.
After about a year past the deadline, we have not heard of any contractors being charged with non-compliance, much less any facing criminal charges for this reason. Although the same was true of HIPAA (and likely other similar mandates) when first put in place -- it took years for assessments and penalties for non-compliance to actualize.
That being said, the lack of publicly-known criminal charges in the first year may or may not be an indication that the mandate is not being enforced.
A stronger indicator is the fact that DOD systems managed by contractors continue to be hacked as a result of a lack of the most basic controls.
One example is the recent penetration of a contractor-maintained employee travel system for the Pentagon that exposed the personal and credit card data of a reported 30,000 DOD employees. 800-171 requirements were specifically designed to protect this kind of Controlled Unclassified Information in nonfederal information systems.
According to news reports, the DOD subsequently took, “… steps to have the vendor cease performance under its contracts,” but only after the breach was discovered. The termination of the contract did not occur as a result of demonstrating non-compliance to 800-171, but as a result of the type of failure that compliance is supposed to prevent.
If You’re Making Money without Spending Money - Why Bother?
While there are companies that are doing the right things to ensure their internal infrastructure meets 800-171 requirements, the fact is that most have not ramped up their efforts. If there is no enforcement, one might ask, “Why bother?”
Well, first, enforcement will inevitably catch up when compliance oversight is driven from the top down. Leaders recently positioned under the current administration have a new focus on accountability and are working with legislators on better ways to hold accountable those responsible for cybersecurity.
For instance, Federal Chief Information Security Officer Grant Schneider has described the White House’s new national cyber strategy as, “…a movement from policy and process to one of action and accountability.”
Over the next year, we will likely start to see the effects of this “action and accountability” movement trickle down to operational levels.
Another reason for contractors to ramp up their 800-171 compliance efforts is to maintain the company’s reputation. While non-compliance might go unnoticed to government auditors for a brief period of time, the longer you go without basic protections, the more you can count on these systems being breached -- and those breaches being made public. Once your company ends up in the headlines, your brand and reputation are tarnished forever, the impact of which will not be isolated to just the one agency customer that was breached. You will have to answer to shareholders, the balance of your other government and private-sector customers, the owners of the data that was exposed (along with their legal teams), and potentially legislators, depending on the sensitivity of the breach.
The bottom line is that if your company’s financial future depends on government business, you should be working towards 800-171 compliance.
Now is the time to think “long term investment” rather than short-term “how much money can we make without spending money.” In the long run, any type of cyber breach of a government system under your company’s oversight will seriously threaten your ability to get future work. Period.
Advancing Toward Compliance
The fact that there might not be immediate external pressure to comply with 800-171, but that it can be expected in the future, affords a forward-thinking company the opportunity to develop a thoughtful action plan. Many of the requirements can be addressed incrementally as you move through natural technology refresh tasks, business process improvement, etc., but only if you are aware of the requirements and are working to build them in. Even if you have concluded that complying with 800-171 will be an overwhelming task and expense, at the very least, you need to be showing a good faith effort in that direction.
If you are not sure of the best approach, we recommend taking the following initial steps:
- Get familiar with 800-171 – You can’t plan for what you don’t understand. Astonishingly, many DOD contractors still don’t fully understand what it takes to comply.
- Stand up an internal working group – Diversity is your friend. Include a leader from each area of your company that will be impacted by the requirements.
- Assess your current state – For each 800-171 requirement, identify where you already have a process or program that does address or could be modified to address that requirement and where you will need to create one.
- Prioritize - Determine what level of compliance is achievable with minimal investment vs. what a more comprehensive path to compliance might look like. Address the low-hanging fruit first.
For detailed insight into these recommended steps and more, see our previous article.