Executive Order Improving the Nation’s Cybersecurity has Teeth; Especially for Federal Contractors
To understand just how consequential President Biden’s executive order on cybersecurity is for federal contractors, look no further than the Wall Street Journal article that bluntly explained how the new order will affect them:
“Contractors that fail to comply with the baseline standards would essentially be prohibited from selling their products to the federal government, a black mark that could be crippling to a company’s commercial viability as well.”
Mandatory Baseline Standards for all Federal Contractors
Aggressive timeframe for implementation.
The executive order calls for mandatory baseline standards for all federal contractors to replace the patchwork of inconsistent and unenforced agency-specific policy that exists today. However, unlike many executive orders, this isn’t just a call to action: the clock has already started ticking, and common baseline standards are due within 120 days. Current federal contractors doubting that the federal government can do anything within 120 days should remember that the Cybersecurity Maturity Model Certification (CMMC) was published and made federal acquisition law within nine months.
Affects the largest supply chain in the world.
The executive order mandates that in less than six months, the largest supply chain in the world, which includes many hundreds of thousands of large and small privately held companies and trillions of dollars in committed federal contracting, will be required to meet baseline cybersecurity standards in order to do business with the federal government. This is one of the most common-sense and consequential actions to improve cybersecurity ever proposed, and it is largely within this administration’s control: the executive branch has tremendous influence over federal acquisition regulations. Many Americans might be surprised that we didn’t already have mandatory cybersecurity minimums for government contractors. I expect special interest groups to immediately ask who is going to pay for this. Yet in many instances, such as defense contractors doing business with the Department of Defense (DoD), these mandatory minimums have been in place for nearly a decade; they just haven’t been enforced. For defense contractors, in some cases, the cost of cybersecurity should have been paid for as far back as 2015.
The cost to organizations of meeting this level of protection is unavoidable.
The executive order does not leave much room for federal contractors to find a way out of implementing mandatory cybersecurity minimums on their corporate networks. In many ways, the arguments around cost are nonsensical. Americans are already paying for this one way or another, whether through the OPM hack, the Equifax hack, Colonial Pipeline, SolarWinds, and so on; the list goes on and on. Yet nobody asks who paid for the fire alarms in their house, who pays for the regulation that implements fire safety codes in retail outlets, or even who pays for the antilock brakes and airbags mandated in our vehicles. We accept that the cost of all these things is built into the products and services we consume. We expect these protections and don’t even ask questions about their existence. We know they have to be baked into the product or service we are buying before it comes to market.
This level of expectation around minimum protections just became the new standard by which all federal contractors will be measured before the end of 2021. The federal government isn’t going to buy contractors’ products and services if they don’t come with assurances that the contractor has met the mandatory minimums for cybersecurity. Certainly, you can argue with the fire inspector about why you have no fire alarms in your house, or with the acquisition official for your federal contract about who will pay for your corporate cybersecurity, but it’s an argument you are going to lose.