Government Contractor 2023 Cybersecurity Landscape – What to Know (Part 1 of 2)
Key Details: Cybersecurity regulations, requirements, and forthcoming implementations are set to spark a pivotal year for the government contracting community. From the Cybersecurity Maturity Model Certification (CMMC) to the National Institute of Standards and Technology’s (NIST) announcement of framework revisions, 2023 will greatly impact all aspects of the cybersecurity landscape for government contractors. With several regulations that are set to be implemented or are expected to be updated, government contractors are encouraged to stay ahead by fully understanding the requirements they may be subject to and conducting an internal review relating to cybersecurity health. Stay tuned for Part 2 of this series and contact Ryan & Wetmore for further information and expertise.
Key Regulations Government Contractors Should Look Out For
The items below contain the key cybersecurity regulations that government contractors should be aware of in 2023. Please note that this list is not exhaustive. As such, contractors are encouraged to thoroughly review and understand the upcoming and changing regulations that may impact their business.
- CMMC 2.0 implementation
- Revision of NIST Special Publication (SP) 800-171
- Department of Veterans Affairs (VA) release of final rule
Coming in Part 2 of this series:
- NIST announcement of intent to revise the Cybersecurity Framework
- New National Cybersecurity Strategy
CMMC 2.0 Implementation
As Ryan & Wetmore previously reported, implementation of CMMC 2.0 is on the horizon. Department of Defense (DoD) officials have been hinting that they expect the CMMC program to ramp up in the summer of 2023. However, CMMC 2.0 is still undergoing the rulemaking process, with timelines as lengthy as 24 months. As such, CMMC 2.0 will not be a contractual requirement until the rulemaking process is complete. Currently, it is unknown when the rulemaking process will be complete (and whether it will be an interim or proposed final rule) or which contracts will be covered. Consequently, contractors are encouraged to begin preparations for implementing program requirements by instituting the controls under NIST SP 800-171.
As previously reported, CMMC 2.0 establishes three levels of compliance. Contractors are encouraged to review and understand the requirements under the various tiers in this program.
Revision of NIST SP 800-171
In July 2022, NIST announced its plans to begin updating the series of publications relating to Controlled Unclassified Information (CUI), starting with SP 800-171. An initial draft of the revised SP 800-171 is expected to be released in late spring of 2023. Based on public comments, feedback, workshops, and discussion with federal agencies, NIST wants to provide additional clarity and consistency with the controls presented in SP 800-53 by implementing additional requirements. The goal is to align with the requirements under SP 800-53 Revision 5 and include an overlay of CUI requirements to NIST SP 800-53. Interested parties can review the full list of proposed revisions here.
VA Release of Final Rule
The VA’s final rule, titled “VA Acquisition Regulation: Acquisition of Information Technology; and Other Contracts for Goods and Services Involving Information, VA Sensitive Information, and Information Security; and Liquidated Damages Requirements for Data Breach,” went into effect on February 24, 2023. This final rule amends the VA Acquisition Regulation (VAAR) and imposes new cybersecurity requirements and processes aimed at protecting VA data and health information. These additional processes require all contractors at any tier to implement internal controls to adequately handle sensitive information.
Covered contractors include businesses that have access to sensitive VA information. These contractors are now required to:
- Comply with VA information security and privacy program policies. This includes compliance with Veterans Health Administration requirements, HIPAA, and the Privacy Act.
- Comply with background and screening requirements.
- Complete VA security awareness training annually.
- Complete Veterans Health Administration Privacy and HIPAA training annually.
- Report security incidents within one hour of discovery or suspicion.
- Flow down requirements in subcontracts and Business Associate Agreements at all levels.
Because this final rule is already in effect (as of February 24, 2023), contractors are encouraged to perform a self-assessment to ensure compliance and to lower the risk of penalties, contract termination, or withheld payments.
Conclusion and Action Plan
The 2023 cyber ecosystem will see a wide variety of updates, enhancements, and shifts as Federal agencies continue to patch together state, sectoral, and contract rules. Contractors are encouraged to monitor the status of various regulations and follow the steps below to determine whether additional compliance measures are required:
- Understand which regulations and compliance requirements may impact your business.
- Conduct an internal review to determine your overall cybersecurity health.
- Analyze your incident detection, reporting, and response plans and whether internal controls are documented and in place.
- Determine your compliance with NIST SP 800-171 and related updates.
- Review your contracts and related agreements with subcontractors to ensure any flow-down requirements are in place.
- Understand what CMMC 2.0 level your business is required to comply with and perform a self-assessment to measure the strength of your cybersecurity ecosystem.
- Identify gaps in defenses and invest in capabilities. This can include investing in employee training or service providers.
- Understand and provide training on the most common types of cybersecurity threats such as phishing attempts, malware, viruses, ransomware, and spyware.
- Ensure your networks are secure and that you have updated antivirus software.
- Monitor any cloud service provider accounts and enable multi-factor authentication.
- Analyze your company’s capture strategy and pipeline of future contracts. Identifying the requirements of the future will enable your company to prepare ahead of time.
As heightened regulations continue to be introduced, it is now more important than ever to ensure you have the necessary cybersecurity defenses in place.
Today’s Thought Leaders
About Peter Ryan
Partner, Co-founder, & CPA
Peter T. Ryan co-founded Ryan & Wetmore in 1988 with business partner Michael J. Wetmore. Peter provides clients with the best strategies for success. His expertise extends across various industries. Peter obtained a Master of Business Administration in Finance from the University of Baltimore and a Bachelor of Arts in Accounting from the Catholic University of America.
About Rosie Cheng
Rosie Cheng is a Finance Consultant at Ryan & Wetmore. She focuses on government contracting services and produces many of the firm’s government contracting newsletters. Rosie graduated from Georgetown University with a Master of Science in Management and from William and Mary with a Bachelor of Business Administration.