But contractor advocates and attorneys say the rule is too vague and imposes a significant burden on companies, particularly smaller ones. The Pentagon acknowledges in the proposed rule that it would affect nearly 49,000 small businesses, but says the cost of not protecting information — in reduced performance and lost valuable data — is far greater.
Under the proposed rule, contractors would be required to apply either a “basic” or “enhanced” level of protection to unclassified information, as designated by the government. Some larger companies already have in place controls that adhere to the basic level, but the enhanced standards require a “fairly sophisticated level of protection,” in accordance with National Institute of Standards and Technology standards, said Alan Chvotkin, executive vice president and counsel for the Professional Services Council, an industry association.
Additionally, the rule calls for companies to report to contracting officers any attempted or successful intrusion into protected information and to cooperate with any subsequent Pentagon investigations.
“What you’re doing is applying a government system of security ... in a private sector environment that is likely to be far more diverse in terms of its architecture, in terms of its systems, in terms of its size,” said Benjamin A. Powell, a partner in WilmerHale’s regulatory and government affairs department.
Chvotkin and Powell said there is ambiguity about what data would require protection. Guarding classified data can be expensive, but it’s a clear and confined set of information, said Chvotkin. In addressing unclassified information, it’s “not clear the scope of the data” that would require protection, he added.
Additionally, “no funds are provided to anybody as part of this rule-making process,” said Gregory H. Petkoff, special counsel in WilmerHale’s regulatory and government affairs department. “Certainly the end state that they’re looking for here is a good one ... but what I don’t see here is any kind of a migration plan.”
Contractor advocates also criticize the reporting requirement as overly stringent. Chvotkin said many companies would need to implement a new set of controls to monitor their networks to ensure there was no attempt at a breach.
“The government wants a lot of authority to go inspect [and] assess [a] breach,” Chvotkin said.
The Pentagon was set to hold a public meeting on the new rule this week but late last week canceled the meeting without explanation. Comments on the rule are due next month.
“This will help standardize [requirements], so in that sense it’s a move in the right direction,” said Petkoff. But, he added, the regulations “need work.”