Federal contractors need to better protect their government data, or they could lose their business with the government.
A looming new federal security directive will require businesses working with the federal government to protect their cyber data, or have a detailed plan for doing so, by year’s end.
The directive is called “NIST 800-171” — or sometimes just “rule 171” — and it will control whether companies from defense engineering firms to janitorial outfits can do business with the federal government.
For local contractors, the stakes are high. Nearly 500 area companies must comply, said Philip Raterman, director of the University of Dayton Research Institute’s Fastlane division.
And that number does not count sub-contractors, said Rob Gillen, program manager and senior electrical engineer for Fastlane.
“This is becoming a thing for Ohio,” Raterman said.
The concern is a timely one. Recently, the “WannaCry” ransomware cyber attack hit at least 74 countries. Retailer Brooks Brothers said Friday that some of its customer payment information was compromised at some stores between April 4, 2016 and March 1, 2017.
Brooks Brothers customers are at risk of having had credit card data — names, account numbers, expiration dates and verification codes — stolen, media reports said.
“We are finding that a lot of companies are not aware of this requirement and face losing their government contracts,” said Tamara Wamsley, a strategist with Fastlane. “This issue could impact the success of many local companies, could result in lost jobs. This is a big deal.”
“It’s not just for R&D (research and development firms),” Gillen said. “It’s for janitors, it’s for accountants.”
“Anyone who has information classified by the government that needs to be protected,” said Shawn Walker, co-founder and vice president of Miamisburg-based Secure Cyber Defense LLC.
Today, the rule affects only Department of Defense contractors. But Gillen said it will “almost certainly” expand to impact every federal contractor and sub-contractors, Gillen said.
The rule is essentially a list of 110 requirements with which contractors must comply.
“They have to do it this year, by the end of this calendar year or even earlier,” Gillen said.
UDRI will be working with Air Force and military contractors on what contractors need to do in a June 1 training session at UDRI’s River Campus headquarters, 1700 S. Patterson Blvd. The training is free but registration at fastlane-mep.org/cyber-compliance/ is required.
The day will have two training sessions, in the morning and the afternoon. The first is focused on Air Force small business innovation and research grant awardees. There will also be sessions for federal licensees and any DoD contractor.
How much work will compliance require? That depends on the size of the contractor in question and how much federal information they have.
“Starting from nothing, it will probably take six to 12 months to get all of the technology in place to be able to say you’re compliant,” Walker said. “To put the plan together may take 30 to 60 days.”
Once compliance is in place, constant monitoring is required. Within 72 hours of a hacking incident, every contractor will be required to report it to the DoD. Today, the average hacking victim may not even know of a hacking incident for something like 200 days, Wamsley said.
Hackers “are getting better and better,” Raterman said. “It’s knowing shortly after it happens how to stop it, then recovering from it.”
Shawn Waldman, CEO of Secure Cyber Defense, said his company has a monitoring center at its Miamisburg office to constantly track hacking attempts and report them in “real time.”
“We receive, process and respond to all of those alarms out of that center,” he said.
Thank you for reading the Dayton Daily News and for supporting local journalism. Subscribers: log in for access to exclusive deals and newsletters.
Thank you for supporting in-depth local journalism with your subscription to the Dayton Daily News. Get more news when you want it with email newsletters just for subscribers. Sign up here.