Top 5 Compliance Challenges for Federal Contractors in 2019

John Dillard
January 4, 2019

It’s a tough time to be a compliance executive at a federal contractor. Whether you’re a Chief Compliance Officer, Chief Legal Officer, Chief Security Officer, or VP or Director accountable for compliance, you are faced with a rapidly changing landscape dominated by privacy and security rules.

Compliance Concerns for 2019

What you know, but is often unappreciated by others, is that you’re accountable for protecting What Matters Most. If you screw up, it isn’t just a fine or a slap on the wrist; it can mean catastrophic loss of revenue, massive brand and reputation damage, or devastating legal or administrative consequences.

We surveyed our customers -- executives at large federal contractors -- what they were worried about in 2019, and here’s what they said.

1. Controlled Unclassified Information / NIST 800-171

What it is
NIST 800-171 (or just 800-171) is a set of rules that any non-Federal computer system must follow in order to store, process, or transmit “Controlled Unclassified Information (CUI),” an extremely broad swath of information that isn’t classified.

Why it matters
Rules for CUI have been developing for a couple of years now, but regulatory oversight has become far more specific and demanding. If you’re a federal contractor OR subcontractor, you almost certainly are handling CUI, and therefore are subject to NIST 800-171. In addition, we expect that more specific compliance reviews, instead of just self-certification, are in store for 2019.

What executives need to do
800-171 requires specific documentation related to your plan and controls. Unlike an FCL or SOC, there aren’t “certifications” by third parties, so you can be evaluated (and penalized) by anyone -- including your prime contractors and each contracting officer or customer. In addition, executives need to understand how 800-171 relates to DFARS and reporting requirements (see #2 and #5 below).

2. Cybersecurity Regulations (DFARS 252.204-7012 and similar measures)

What it is
In general, cybersecurity regulations kick in when a contractor possesses information or data that the government considers sensitive. While DFARS 252.204-7012 isn’t the only cybersecurity regulation you need to worry about, it’s the most obvious one for federal contractors. It applies to your company if you handle “covered defense information” (CDI).

Why it matters
Federal contractors have always been focused on cybersecurity, but until now it wasn't necessarily a hard and fast contracting requirement for our customer COs. That changed with the Dec 31, 2017 DFARS deadline, and rule enforcement is tightening for 2019. This clause is required in every federal contract, and in addition to outlining rules and controls, it imposes extensive reporting requirements. If you don’t comply, you can't be awarded contracts, period.

What executives need to do
First, you need to know whether you handle CDI and, if so, what types. Second, you need to have a clear set of documented cyber controls in place. Third, you need to have a mechanism to report any issues internally so that your team can work with regulators. 800-171 and DFARS 252.204-7012 are in the same family, so focusing on both as you roll out new compliance rules and processes is crucial.

3. Insider Threat

What it is
For federal contractors, insider threat rules should be well known by now. They require that cleared companies have a plan and leadership structure, conduct regular (and extensive) training, have intense internal reporting mechanisms, and may require specific systems controls. You can read more of our thoughts on insider threat here.

Why it matters
While your security team has been sweating this for a couple of years now, it’s about to become your problem because enforcement is intensifying. Until now, regulators have only sought to confirm that the plans and structures were documented, and weren’t really confirming execution or effectiveness. Do you really follow the plan that you developed? Can your employees talk to regulators and demonstrate their knowledge of your program? Can you show regulators a complete record of all reportable information and what action was taken? That is now the focus, and your company will get hammered if you aren’t ready.

What executives need to do
Recognize that having a plan document, some PowerPoint training files, and someone with an ITPSO title isn’t enough. You, as the accountable executive, will be inspected on how your insider threat program actually operates, and that starts with you. If you're an executive, you probably delegate this to a security team leader, so you must have clear measures of success in place. Avoid embarrassment and extremely expensive fixes by making sure that you have a healthy, functioning program.

4. New Inspection Methods like DSS In Transition

What it is
Many federal contractors are subject to inspection by Intelligence Community or Defense Security Service officials if they have cleared personnel. The process for inspections (or Security Vulnerability Assessments) is about to change radically to focus on assets, risks, and controls instead of traditional box-checking.

Why it matters
Your team needs to forget everything it thinks it knows about facility clearance compliance. For many years, as long as you had the right documents and your paperwork was in order, you were good to go. The new approach, which DSS is calling “DSS in Transition” (DiT), requires a clear inventory of your assets, how they are protected, and evidence that protection is actually occurring. It’s a lot more like a SOC 2 Type 2 audit than what your team is used to.

What executives need to do
First, you need to help your security teams understand assets. That’s something that only the executive team can own -- and DSS is going to want to talk to you about it (not just the FSOs). In addition, every security program will be unique -- so no more cookie-cutter stuff. Your team needs to be communicating, aligned, flexible, and adaptive.

5. New Reporting Requirements (SEAD 3, DFARS, DSS, etc)

What it is
Across the board, the federal government is increasing the range and quantity of information that contractors must report. DFARS will require increased reporting of cyber incidents, DSS will require more reporting on insider threat and risk-based criteria, and SEAD 3 dramatically increases the scope of what’s reportable and who must report information.

Why it matters
In ThreatSwitch’s view, this is the #1 concern for 2019. The scope is potentially extraordinary, and the requirements will be different for every company. Most companies don’t even seem to be aware of the requirement, which is alarming. DFARS’ cyber reporting requirements will be incredibly difficult to manage given the increasing frequency of cyber attacks on businesses of all sizes. DSS in Transition will require your team to provide information on the assets it protects and the controls around them -- and each company’s reporting posture will be different. SEAD 3 will require your employees and your team to report on themselves, but will also require them to report on others on issues ranging from alcohol abuse to “any activity that raises doubts” about their peers.

What executives need to do
Every executive must be aware of the scope of reportable information in their company, and must put in place procedures to report to regulators that aren’t utterly soul-crushing for security teams and employees. At a minimum, automated, form-based reporting for general use is a must, as email is not nearly secure or robust enough to handle the problem. In short, executives need to expect a much higher reporting volume, and they need to make it easy and painless for information to be reported and managed.
