Wyoming Business Tips for March 8

A weekly look at issues facing Wyoming business owners and entrepreneurs from the Wyoming Small Business Development Center (SBDC) Network, a collection of business assistance programs at the University of Wyoming.

By Andi Lewis, program manager, Wyoming Procurement Technical Assistance Center (PTAC)

It is becoming increasingly important that federal contractors implement a robust cybersecurity program. Why?

The No. 1 reason is to protect your company from unscrupulous people or organizations that want to hold your data for ransom, deliberately harm your company or steal your information. Another reason could be that your company wants to pursue contracts with the Department of Defense (DOD) and other federal agencies. Or, perhaps your company is interested in going after future Small Business Innovation Research or Small Business Technology Transfer contracts, or Other Transactional Agreements.

Regardless of what agencies your company intends to do business with, defending against cyberattacks begins by understanding cyber activity risks, the vernacular of the industry, and how to protect your company and yourself.

Implementing a cybersecurity program is not an easy task. Let’s start with a definition: Cybersecurity is the art of protecting networks, devices and data from unauthorized access or criminal use, and the practice of ensuring confidentiality, integrity and availability of information.

Sounds straightforward enough. But, in learning the ropes of federal government contracting, you’ll find that there are several rules and regulations that surround cybersecurity. And this is where it gets complicated. At the present time, there are several Federal Acquisition Regulation (FAR) and DOD clauses that deal with cybersecurity.

-- FAR clause 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems. If included in the contract, this clause applies to any federal contractor that processes Federal Contract Information (FCI). This rule states that contractors are required to apply 15 cybersecurity and facilities security best practices to protect their information systems. These best practices are known as the FAR Critical 15 or FAR Critical 17, and are restated in the Cybersecurity Maturity Model Certification (CMMC) Level 1 requirements.

-- DFARS clause 252.204-7012 - Safeguarding Covered Defense Information and Cyber Incident Reporting. This requirement is in all contracts, except for contracts solely for the acquisition of commercial off-the-shelf items. Additionally, the contractor shall include the clause in subcontracts for which performance will involve covered defense information or operationally critical support. 

-- DFARS clause 252.204-7021 - Cybersecurity Maturity Model Certification Requirements. As of November 2020, this interim rule specifies CMMC requirements and enables the department to verify the protection of FCI and controlled unclassified information within the unclassified networks of Defense Industrial Base companies. The interim rule includes a phased rollout of CMMC implementation in fiscal years 2021-25. Starting in fiscal year 2021, the department will pilot the implementation of CMMC requirements for Level 3 and below on select new acquisitions.

This brief overview is not meant to give guidance. Its goal is to have companies understand that becoming cyber-compliant is not something that can be done overnight. It will take effort and time. Proof of compliance will be necessary. Leadership must be onboard, along with the company’s IT cadre, and assistance from cyber professionals may be necessary in order to understand the requirements.

It’s not a one-time process. It’s an ongoing process that will need to be continually controlled and updated. It’s also not something to leave until the last minute.

To learn more about cybersecurity, you can attend our upcoming GRO-Biz Conference. This year, the conference takes place virtually March 9-11. In addition to learning about cybersecurity, attendees can hear from experts on several topics designed to help government contracting newcomers and experts. To reserve your spot, visit www.wyomingsbdc.org/ptac.

You also can sign up for no-cost, confidential assistance with government contracting at www.wyomingsbdc.org/ptac.

The Wyoming SBDC Network offers no-cost advising and technical assistance to help Wyoming entrepreneurs think about, launch, grow, reinvent or exit their business. In 2020 alone, the Wyoming SBDC Network helped Wyoming entrepreneurs start 95 new businesses; support 6,954 jobs; and bring a capital impact of $18 million to the state. The Wyoming SBDC Network is hosted by UW with state funds from the Wyoming Business Council and funded, in part, through a cooperative agreement with the U.S. Small Business Administration.

To ask a question, call 1-800-348-5194, email wsbdc@uwyo.edu, or write 1000 E. University Ave., Dept. 3922, Laramie, WY 82071-3922.