Additionally, the government would mandate that contractors be more careful about sending government information to subcontractors, asking that they ensure the subcontractors need that particular information and that these businesses offer the same level of security.
“For the larger prime contractors who have been doing business with the government for many years, I don’t think this will be much of a change,” said Connie Bertram, who heads Cooley’s Washington employment and labor and government contractor compliance practice groups. “For smaller contractors, they may need to upgrade their systems ... and undertake other steps to make sure they’re in compliance.”
In its proposed rule, the government says that not implementing these basic protection measures would lead to “reduced system performance and the potential loss of valuable information.” The rule would apply to all federal contractors and subcontractors, and the government said it does not consider the cost impact significant.
But industry advocates are focused on getting more clarity on some of the requirements. One section of the proposal calls for the “best level” of security, and another says contractors may only transmit information by phone or fax when the sender has a “reasonable assurance” that only those authorized will receive the information.
“Those kinds of phrases are hard to know how to implement,” said Alan Chvotkin, executive vice president and counsel at the Professional Services Council, an industry association.
Still, Bertram said implementing the rule’s standards may be a positive step for some companies, particularly smaller ones, whose employees may still be making mistakes like using their personal e-mails for company business.
“It’s probably going to require a lot of companies to make some investments in technology which were probably a little overdue,” she said. “It’s going to end some bad habits that needed to end a long time ago.”
Ed Hammersla, chief operating officer of Herndon-based Raytheon Trusted Computer Solutions, said the requirements aren’t a surprise.
“If anybody’s not securing their information at least to [these] standards, they ought to be,” he said.
Still, Chvotkin said the PSC intends to submit comments.
“I’m worried about the scope, I’m worried about the information to be protected,” he said.