Government contracting's organic cybersecurity evolution
Government contract practitioners find themselves inundated with updates about new and impending cybersecurity regulations. The alphabet soup of references can seem overwhelming at times: DFARS, NIST, FAR, GSAR, FedRAMP, CMMC, etc.
The cast of federal contracting cybersecurity enforcers is also multiplying: undersecretary of defense for acquisition and sustainment, Defense Pricing and Contracting, Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center, Department of Defense Office of Inspector General, Defense Counterintelligence and Security Agency (formerly the Defense Security Service), Naval Criminal Investigative Service, et al.
Plainly, federal customers — civilian and military — are undertaking a number of ambitious cybersecurity initiatives. These both extend the bar, making cyber requirements apply to more procurements, and raise it, by increasing what the government requires to satisfy contractual security requirements. Meanwhile, the fundamental government contracting system is evolving organically to enforce existing cybersecurity requirements.
The acquisition system has seen developments in at least three different areas, each of which is addressed in this article: bid protests, False Claims Act litigation and suspension and debarment.