By the middle of this year, the U.S. Small Business Administration should have a strategy in place to assist small businesses with cybersecurity.
The 2017 National Defense Authorization Act is chock full of interesting legal changes for government contractors, and although we have chronicled it in depth, that does not mean there is nothing more to be mined from the whopping 1,587-page legislation.
Buried in section 1841, the 2017 NDAA contains an interesting directive for the new head of the SBA–who, pending Senate confirmation, will be former CEO of the professional wrestling franchise WWE, Linda McMahon. Section 1841 instructs the SBA head to work with the Department of Homeland Security to develop a cybersecurity strategy for small businesses.
Cybersecurity–especially the lack of it–has been in the news quite a bit lately. But cybersecurity is not only a concern for government agencies and massive global conglomerates. Cybersecurity should be a concern for all businesses, no matter how small. Indeed, the hack that led to the release of millions of pieces of personal information belonging to government workers has reportedly been linked to a government contractor. And, although popular culture depicts hackers cracking the firewall and breaking the encrypted code, the truth is that many hackers are mostly adept at taking advantage of carelessness and human error.
In order to help small businesses deal with this threat, the 2017 NDAA instructs the new SBA Administrator and the Secretary of Homeland Security to work together to create a strategy for small business development centers that will seek to protect small businesses from cybersecurity threats. The content of the strategy, according to the NDAA, must include plans to allow Small Business Development Centers access to existing DHS and other federal agency services, as well as methods for providing counsel and assistance to small businesses, including training, assistance with implementation, information sharing agreements, and referrals to specialists when necessary.
The strategy also must include an analysis of how SBDCs can rely on existing government programs to benefit small businesses, identify additional resources that may be needed, and explain how SBDCs can leverage partnerships with Federal, State, and local government entities to enhance cybersecurity.
The SBA Administrator must collaborate with the DHS Secretary no later than 180 days after enactment of the bill (President Obama signed the 2017 NDAA on December 23) and submit the strategy to the Committees on Homeland Security and Small Business of the House of Representatives and the Committees on Homeland Security and Governmental Affairs and Small Business and Entrepreneurship of the Senate.
For small contractors, the new policy comes at a good time. Last summer, the FAR Council issued a final rule titled “Basic Safeguarding of Contractor Information Systems.” The rule created two new FAR provisions (FAR 4.19 and FAR 52.204-21); together, these FAR provisions impose fifteen specific requirements for safeguarding “covered contractor information systems.” The new FAR requirements supplement DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which imposes several more requirements on covered DoD contractors. Clearly, policymakers are focusing on ensuring that contractors appropriately protect electronic information.
Many small contractors could use help understanding and complying with the FAR and DFARS cybersecurity requirements and adopting best practices for cybersecurity. Thus, by the middle of this year, the SBA should have a strategy in place to help small businesses stave off the threat of cyber attack. Only time will tell whether this strategy will prove effective, but the notion of assisting small businesses in this arena is certainly a positive step.