We have talked a lot about the overlapping compliance requirements that many organizations face when it comes to data security: complying with state laws, federal requirements, industry regulators, and even international laws such as the EU GDPR. We have also spoken to the importance of holding external vendors / contractors to the same security credentials expected internally. Flipping the perspective, you can see the additional challenges organizations face as the hired contractor / vendor: adhering to the standards of other organization(s) in addition to all these other requirements.
Government contractors now face additional, and confusing, requirements. The Department of Defense (DoD) issued an interim rule, effective immediately, that places new network security requirements and cloud computing provisions on DoD contractors. Learning from the mistakes of the OPM breach, the new requirements (see a detailed list here) expand the coverage of the types of information safeguarded, with established security standards, and set up new reporting requirements for contractors at all levels. The rule will affect 10,000 contractors, half of whom are small businesses.
The new DoD reporting requirements are quite strict, with the requirement to disclose a great deal of information to the DoD about a security incident and lengthy investigation procedures that may have a costly impact on contractors. As if this wasn’t enough, contractors face the challenge of adhering to this new DoD requirement while meeting the demands of other regulators.
While the new DoD requirements are effective immediately, they are not the only change on the horizon. The Office of Management and Budget (OMB) also proposed guidelines to homogenize the way vendors secure data, government-wide. It’s not clear whether this could or will replace the DoD guidelines or the guidelines imposed on contractors by other government agencies. NextGov offers some insight into the Pentagon vs. OMB rules and how they could play out. What is clear is that current government contractors and vendors are facing an increasingly complex regulatory environment, one that will prove costly in the event of a security incident.
Delivering on the promise of data security while working with government agencies is more challenging than ever before. Federal, state and local governments already rely on Absolute for endpoint security and data risk management solutions. Learn how we can complete your data security needs at Absolute.com.