The Department of Defense issued basic NIST government contractor compliance requirements in the form of security guidelines in its Defense Federal Acquisition Regulation Supplement (DFARS). This rule makes them mandatory for approximately 65,000 prime contractors and subcontractors who work with DOD. For most government contractors, fulfilling such requirements can be costly. Small business owners have low cybersecurity literacy overall. In addition, the mountain of new regulations has contributed to poor compliance rates across the industry.
Small businesses cannot keep up with government contractor compliance requirements
In a 2018 survey of small and mid-sized defense contractors, 45% said they hadn’t read NIST’s basic guidance on securing controlled unclassified information systems, even though DOD made following such requirements mandatory in 2016. Most reported that the NIST document was difficult to understand, and many had concerns about the costs associated with compliance. In addition, government contractors are underestimating the price of implementing such protections by nearly a factor of 10.
The DOD recognized that many government contractors do not have the in-house resources to implement the requirements fully. Therefore, the revised draft indicates how an organization might use appropriate third-party contractors to assist with compliance. It recommends hiring an IT managed service provider (MSP) to perform specific tasks. These can include evaluating an organization’s resilience to cyberattack or providing a Security Operations Center capability.
Managed Service Providers can help meet government contractor compliance requirements
There are many services that an MSP can provide to small business contractors. The following is a menu of options provided to Tampa Bay government contractors by Concertium:
Advice on compliance requirements:
Interpretation of government contract requirements, including the federal acquisition regulation (FAR); cost accounting standards (CAS); agency FAR supplements, such as the defense federal acquisition regulation supplement (DFARS); and other contract requirements.
Proposal and pricing support:
Assistance in preparing proposals, including evaluation of solicitation requirements, forward pricing rate development, proposal pricing, proposal review team support, proposal compliance analysis, proposal audit support, and contract negotiation advice.
Contract cost accounting and compliance support:
Advice related to accounting for contractor costs in compliance with applicable CAS and regulations, such as evaluating cost accounting practice compliance, preparing or validating contractor-incurred cost proposals, and quantifying contract cost impacts of cost accounting practice changes.
Compliance risk management and governance:
Support in establishing government contract compliance risk management and control practices that provide timely identification, intervention, monitoring, and resolution of emerging contract compliance risks and threats.
Compliance capabilities development:
Assistance in developing contract compliance capabilities needed to support contractor business strategy, including identifying contract compliance and bid eligibility requirements; conducting capabilities gap analyses and preparing capabilities development project plans; assisting in the identification and evaluation of permissible cost accounting practices; preparing Cost Accounting Standards Board (CASB) disclosure statements; and developing compliance processes, policies, and procedures.
Contract claims and dispute support:
Assistance in protecting contractor entitlements to equitable compensation for contract changes and in contract disputes, such as identification of contract change fact patterns, cost or price impact analyses, request for equitable adjustment preparation, claim preparation support, and expert witness report preparation and testimony.
Audit readiness evaluation:
Evaluation of audit readiness and support in preparing for government audits or reviews, such as pre-award accounting system surveys, proposal audits, incurred cost submission adequacy evaluations and audits, DFARS contractor business systems compliance audits and reviews, and CASB disclosure statement audits.
Acquisition and divestiture transaction support:
Pre- and post-close government contractor acquisition and divestiture transaction support, such as acquisition target contract compliance risk due diligence, quantification and estimation of contracts-related financial risks, evaluation of balance sheet risk reserves, providing guidance on purchase agreement terms, integration and carve-out transaction support, and Department of Defense external restructuring proposal development.
Government contractor audit support:
Assistance in managing the risks of government audits, such as providing strategic guidance in responding to auditor requests and preparing responses, evaluating audit report findings, developing positions and responses to adverse audit findings, and providing advice on contractor strategies for settling or resolving adverse audit finding issues.
Compliance training:
Training ranging from the fundamentals of government contracting for executive management to detailed training on topics such as cost accounting standards, contractor business systems, and recent regulatory changes.
What’s next? Let’s get started. It’s free.
We hope this overview of government contractor compliance requirements is helpful. We also have other articles on cloud security. Do you have questions that you need answered? Do you need help implementing these strategies in your own business? Please feel free to contact us today, and we can give you a free assessment of your company’s IT needs.