Executive Order Improving the Nation’s Cybersecurity has Teeth; Especially for Federal Contractors 

By Eric Noonan • May 13, 2021

To understand just how consequential President Biden’s executive order on cybersecurity is for federal contractors, look no further than the Wall Street Journal article that bluntly explained how the new order will affect them:

“Contractors that fail to comply with the baseline standards would essentially be prohibited from selling their products to the federal government, a black mark that could be crippling to a company’s commercial viability as well.”

Mandatory Baseline Standards for all Federal Contractors

Aggressive timeframe for implementation.

The executive order calls for mandatory baseline standards for all federal contractors to replace the patchwork of inconsistent and unenforced agency-specific policy that exists today. However, unlike many executive orders, this isn’t just a call to action: the clock has already started ticking, and common baseline standards are due within 120 days. Current federal contractors who doubt that the federal government can do anything within 120 days should remember that the Cybersecurity Maturity Model Certification (CMMC) was published and made federal acquisition law within nine months.

Affects the largest supply chain in the world.

The executive order mandates that within less than six months, the largest supply chain in the world, which includes many hundreds of thousands of large and small privately held companies and trillions of dollars of committed federal contracting dollars, will be required to meet baseline cybersecurity standards to do business with the federal government. This is one of the most common-sense and consequential actions to improve cybersecurity ever proposed, and it is largely within this administration’s control, because the administration has tremendous influence over federal acquisition regulations. Many Americans might be surprised that we didn’t already have mandatory cybersecurity minimums for government contractors. I expect special interest groups to immediately ask who is going to pay for this. Still, in many instances, such as defense contractors doing business with the Department of Defense (DoD), these mandatory minimums have been in place for nearly a decade; they just haven’t been enforced. For defense contractors, in some cases, the cost of cybersecurity should have been paid as far back as 2015.

Meeting this level of protection imposes an unavoidable cost on organizations.

The executive order does not leave much room for federal contractors to find a way out of implementing mandatory cybersecurity minimums on their corporate networks. In many ways, the arguments around cost are nonsensical. Americans are paying for this one way or the other, be it the OPM hack, the Equifax hack, the Colonial Pipeline attack, SolarWinds, and so on; the list goes on and on. Yet nobody asks who paid for the fire alarms in their house, who pays for the regulation that implements fire safety codes in retail outlets, or even who pays for the antilock brakes and airbags mandated in our vehicles. We accept that the cost of all these things is built into the products and services we consume. We expect these protections and don’t even ask questions about their existence. We know they have to be baked into the product or service we are buying before it comes to market.

This level of expectation around minimum protections just became the new standard by which all federal contractors will be measured before the end of 2021. The federal government isn’t going to buy contractors’ products and services if they don’t come with assurances that the contractor has met the mandatory minimums for cybersecurity. Certainly, you can argue with the fire inspector about why you have no fire alarms in your house, or with the acquisition official for your federal contract about who will pay for your corporate cybersecurity, but it’s an argument you are going to lose.
