With just over a month left, defense contractors are scrambling to meet a complex new cyber security standard by Dec. 31, or risk losing their federal contracts. Some contractors are calling it the “clause of death.”
Lax promotion and education on the part of major contractors and the Department of Defense have left the Pacific Northwest cluster of small contractors stressed or unprepared. Some contractors also expressed concern about the department’s one-size-fits-all approach to implementation.
“Most of them are unaware,” said Jerry Leishman, director of Bridge Partners Consulting, a Seattle-based company that offers services to help contractors comply with the regulations. “Nobody told them. Others don’t understand it so they don’t think it applies to them. Or they don’t believe the government’s going to enforce it.”
The latest update to the Department of Defense regulations is the Defense Federal Acquisition Supplement (DFARS), a clause that requires implementation of the NIST SP 800-171 cybersecurity standard. The Department of Defense set the Dec. 31 deadline three years ago.
The department extended the deadline once already, and according to Leishman won’t do it again.
Leishman says the department made the standards clear to so-called prime contractors, but that those larger companies didn’t thoroughly communicate the requirements with the subcontractors that work for them.
“I don’t think enough communication has come from the primes,” Leishman said. “They have a responsibility to educate and push this down to their subcontractors.”
Oregon-based prime contractors in the Pacific Northwest Defense Coalition include FLIR Systems, Insitu and Vigor Industrial, among others. They oversee dozens of subcontractors that lack resources to bid for large defense contracts on their own.
“We’ve been good at doing that [educating subcontractors],” said Insitu CEO Ryan Hartman. “But clearly there’s a lot more that we can and should do.”
Insitu began preparation in 2015, Hartman said, and took “every bit of two years” to comply with the rules. Just this month, the company came into compliance with all 110 NIST standards.
“We were very proactive,” he said. “It was clear this would not be delayed. This was the real deal.”
Apparently, however, the standard was not clear to smaller subcontractors, some of whom did not have the luxury of three years to meet the complex rules. Insitu notified its subcontractors in the third quarter of 2016 (Hartman says they’ve all successfully met the standards).
Subcontractors working for other primes received notice even later. In April of this year, Christian Page, Chief Information Officer at Beaverton-based Axiom Electronics, began receiving strange documents about DFARS requirements from the company’s primes, mostly large aerospace contractors.
“Our customers started sending us documents, and we were like, ‘what is this?’” he said. “There was a point where we said, ‘we’ve got to do this fast
Page, the sole employee of around 100 assigned to the project, got the security infrastructure up to date over the summer. The 110 NIST standards included a lot of policy changes, he said, and some technical requirements like two-factor authentication, which was difficult to install on the company’s Windows operating system.
As crunch-time approached, documents and information continued to trickle in. On Halloween, he took a break from trick-or-treating with his kids to respond to a cyber security-related document request from a prime.
Now, he’s “fairly confident” Axiom will thoroughly meet the requirements by the deadline. He’s putting the finishing touches on policy and training materials.
Page has years of experience as a CIO. If the person in his position had been new to the role, he said, things could have turned out much worse.
Smaller contractors lack sophisticated software or robust legal teams. If they don’t have someone on staff with Page’s resume, they can hire a consultant like Leishman. But Page said that can cost upwards of $20,000.
“Boeing has entire teams doing the work and documentation,” Leishman said. “Smaller companies don’t have those resources.”
With other security standards, Leishman and DeMella said, prime contractors bore the brunt of the government’s scrutiny. This time is different.
“All the subs have been getting a break,” Leishman said. “That’s not the case with DFARS.”
The Pacific Northwest Defense Coalition consists mainly of smaller subcontractors like Axiom, companies in the $5- to $100 million revenue range.
At a PNDC-sponsored cybersecurity seminar on October 25, Page said, these small contractors listened with apprehension to a sort of good cop/bad cop routine.
First, Vicki Michetti, Chief Information Officer for the Department of Defense, said some of the complex upgrades could take just a few hours.
“She said something like, ‘it’s not a big deal. You can hammer out some policies in an afternoon,’” Page said. “Then we had a lawyer filling us with dread.”
That lawyer was Jonathan DeMella of Davis Wright Tremaine.
“The government has been starkly unforgiving in its statement that cybersecurity is a concern,” DeMella said in a phone call afterward. “Doesn’t matter if you’re Lockheed or a small business making one part for a submarine.”
He tempered that warning, however, saying the severity with which the DoD enforces the regulations would depend on how unprepared contractors are, whether that was intentional and whether they have a plan of action in place. NIST contains hundreds of requirements. DeMella says contractors shouldn’t fret too much if they can’t meet one or two by the deadline.
DeMella said the DoD put in a good deal of effort promoting the requirements at trade shows and other events. Where the department fell short was failing to tailor the regulations to fit the size and scope of different contractors.
“Meeting these requirements is costly and burdensome, especially if you’re a small business,” he said. “Everyone understands it’s important, but there needs to be more flexibility.”
Leishman predicts that defense industry mergers and acquisitions will increase over the next few years, as small contractors sell out to larger companies, in large part because they failed to meet the strict cybersecurity requirements.
Axiom isn’t the only local success story. Two other subcontractors that met the standards well ahead of the deadline are PacStar Communications and Metal Technologies. It took each company eight months.
Subcontractors agreed that the regulations are crucial for national security and well designed — they just needed a better ad campaign, so to speak, and more flexibility for the different sizes of contractors.
“These are natural investments to be making,” Hartman said. “But like any huge initiative it could always be better. There was tons of confusion and a lack of clarity.”