Contact Us

Institutional Communications
Bureau of Mines Building, Room 137
Laramie, WY 82071
Phone: (307) 766-2929
Email: cbaldwin@uwyo.edu




Wyoming Business Tips for June 4

A weekly look at Wyoming business questions from the Wyoming Small Business Development Center (WSBDC), part of WyomingEntrepreneur.Biz, a collection of business assistance programs at the University of Wyoming.

By Andrea Lewis, WSBDC procurement specialist

“I want to do contract work for the Department of Defense, and I have been hearing about cybersecurity regulations. Can you explain them?” Joe, Cheyenne

If your company is a Department of Defense (DOD) contractor or subcontractor, the DOD cyber requirements are something that you will need to understand and comply with by Dec. 31. The purpose of this article is not to go into detail about the requirements, but to alert business owners to their existence and to where more information can be found.

Cyber threats are on the increase and cost companies a lot of money. Impacts include downtime, loss of revenue, reputational damage and loss of customers. Most cyberattacks (89 percent) have a financial or an espionage motive. Weak, default or stolen passwords are the cause of 64 percent of confirmed data breaches.

Whether you have to comply with the regulations depends on what type of contract you have with the DOD and whether certain clauses are listed in that contract. Commercial items that are bought “off the shelf” (no customization) generally are not required to have the clauses in their contracts. Agricultural bulk products and petroleum products are subject to the regulations.

In general, the DOD clauses require contractors to safeguard certain information that is either on their internal systems or networks, or passing through their systems or networks. The clauses also require the contractor to report cyber incidents that either affect certain information or that affect the contractor’s ability to perform “operationally critical support” requirements.

The contractor also is required to submit any malicious software discovered that was “isolated in connection with a reported cyber incident” to the DOD Cyber Crime Center. If requested by the DOD, the contractor also needs to “submit media and additional information for damage assessment.”

The definition of information that needs to be protected is beyond the scope of this tip. However, the regulations that define it can be found in the DFARS regulations (review DFARS clauses 252.204-7008 and 252.204-7012).

DOD has several programs, both regulatory and voluntary, to improve cybersecurity. The agency is using the National Institute of Standards and Technology special publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” as a framework for companies to follow when developing cybersecurity programs.

If you are doing business with the DOD, take the time to understand its cybersecurity rules and regulations, and be aware that implementation is due at the end of the year.

For more information, call the WSBDC Network Procurement Technical Assistance Center at (307) 772-7372 or email amlewis@uwyo.edu.

A blog version of this article and an opportunity to post comments are available at www.wyomingsbdc.org/blog1/.

The WSBDC is a partnership of the U.S. Small Business Administration, the Wyoming Business Council and the University of Wyoming. To ask a question, call 1-800-348-5194, email wsbdc@uwyo.edu, or write 1000 E. University Ave., Dept. 3922, Laramie, WY, 82071-3922.

 

 
