Susan Cassidy is quoted in Politico Pro’s “Morning Cybersecurity” newsletter regarding the December 31st deadline for defense contractors to meet minimum cybersecurity requirements for the systems they operate for the Pentagon. According to Cassidy, the cybersecurity rule presents “a problem for DoD because there’s a lot of subjectivity in what is ‘adequate security.’” Cassidy says that the Pentagon will likely assess protections based on the sensitivity of each company’s work. “If you are providing commercial items like cleaning products to the government, you might have less ‘adequate security’ requirements than if you are working on a large weapons system.”
Cassidy says the plan is an important first step even if overall compliance remains unfinished: “What the government has now is information it can use to help it evaluate contractor compliance.”
To Cassidy, companies are taking the new regulation seriously even though they have some breathing room to implement it. Given that the contracting community has had four years to prepare for the new regulatory environment, “DoD’s been somewhat patient...on these security controls,” Cassidy says. “It’ll be interesting to see how much they enforce it going forward and how [DoD’s] auditing of this compliance works out in the coming year.”
As for 2018, Cassidy says that this could be a big year for civilian contractor cybersecurity. The government, Cassidy says, is likely to propose a new regulation “sometime in the next year” that standardizes data protection requirements no matter what agency a contractor is supporting.