One of the biggest challenges for small businesses in the Aerospace and Defense industry is the high cost of entry. From Quality to Accounting and now to Information Systems compliance, not only is meeting contractual/regulatory requirements time-consuming, but it’s also costly. On 31 December 2017, new rules for Defense contractors will go into effect based on the National Institute of Standards and Technology (NIST) 800-171. By mid-2015, almost 80% of contracts had the relevant Defense Federal Acquisition Regulations Supplement (DFARS) clause as a requirement, according to SIGNAL in their January 2016 edition.
So what does this mean for small businesses? It means if a prime or sub-contract award has this clause in full or by reference, there are dozens of new requirements that relate to the handling, security, and configuration of Information Systems which house Controlled Unclassified Information (CUI). The first question you may ask is: “What is considered CUI?” That question is much easier asked than answered.
NuWaves provides secure physical and digital resources for our employees, vendors, and customers through on-site assets and service providers.
For detailed answer, see the original classification description here
. A quick definition is that it encompasses For Official Use Only (FOUO) and Sensitive But Unclassified (SBU) types of information which do not meet the threshold for classification, but are nonetheless important to the national interests of the US (or our important interests). That’s a vague definition, and rightfully so; the types of information change every day, which means the conservative response is that everything related to DoD contracts is CUI. Contracting Officers should be able to tell businesses one way or the other if the information is CUI, but being flowed down in the contract would be a good indication.
Back to our title question: Can small businesses keep up with these rising costs associated with compliance? One thing to remember is that while these requirements seem stringent, the goal is to maintain security of important information that’s outside of the government information systems. That’s an honorable and worthy use of our time as contractors, since cyber security is a major concern, and will remain so into the future.
New businesses seeking government work should probably pause to consider the capital expenditures for these requirements and map out a plan to meet them by 31 December 2017. That means drawing up a budget or having a service provider quote out the required controls. It would not be surprising to see companies pop-up to meet this need; it’s quite possible that packages are available to meet these requirements as millions of government contractors scramble to be compliant.
Now is the time to plan and budget for this compliance, as it will likely be a substantial expenditure in 2017. Remember, businesses have to be compliant by 31 December 2017, not just have a plan or a budget or an implementation path.