On September 24, 2015, the Government Accountability Office (GAO) published a report titled "Defense Cybersecurity - Opportunities Exist for DOD to Share Cybersecurity Resources With Small Businesses," which addresses "the extent to which the DOD Office of Small Business Programs (OSBP) has integrated cybersecurity into its existing outreach and education efforts for defense small business." GAO's review and subsequent Report were done as a result of a provision in the Joint Explanatory Statement accompanying the 2015 NDAA, which required GAO to perform such an assessment.
In November 2013, the DoD published a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to include a new clause, DFARS 252.204-7012, titled "Safeguarding Unclassified Controlled Technical Information." This clause essentially requires DoD contractors and subcontractors to provide adequate security and protections to safeguard unclassified controlled technical information (UCTI) residing on or transiting through their unclassified information systems from unauthorized access and disclosure. On August 26, 2015, the DoD issued an Interim Rule significantly expanding the scope of DFARS 252.204-7012 and other clauses with respect to the reporting of cyber incidents by DoD contractors and subcontractors.
In 2014, an official from the FBI testified that businesses are increasingly being targeted by foreign entities for the theft of trade secrets and other proprietary information. In February 2015, the Director of National Intelligence reported that cyber threats to the U.S. are increasing in frequency, scale, sophistication and severity.
The DoD has an Office of Small Business Programs (OSBP) that focuses specifically on small business contracting and subcontracting. According to the GAO Report, in fiscal year 2014, DOD obligated approximately $55.5 billion to small business prime contractors. Small businesses are therefore receiving a significant amount of federal contracts, many of which involve access to technical information used by or provided to the government. It is also well known that small businesses generally have fewer resources compared to large businesses when it comes to cybersecurity and the ability to counter such cybersecurity threats.
GAO Report
The GAO Report noted: (1) the DoD's OSBP is not required to integrate cybersecurity into current or new outreach/education efforts; (2) the OSBP currently does not disseminate cybersecurity information/resources to small businesses in its outreach and education efforts; (3) OSBP officials acknowledged that while they are not required to educate small businesses on cybersecurity, they do feel that cybersecurity is an important and timely issue for small businesses and are therefore considering incorporating it into existing outreach efforts.
The GAO identified 15 existing cybersecurity outreach and education resources the OSBP could leverage for its small business contractors. Examples include:
- The DoD's Defense Security Service offers online cybersecurity training programs on various topics that are available to the public through its public website.
- The SBA maintains a learning center that contains an online program that covers cybersecurity concepts for small businesses.
- The Department of Homeland Security provides cyber awareness resources to the public.
- The Federal Communications Commission hosts a planning tool on its website that is targeted to small businesses.
The GAO's ultimate recommendation was that the Secretary of Defense direct the Director of the DoD OSBP, as part of its existing outreach efforts, to identify and disseminate cybersecurity resources to defense small businesses. The DoD issued a letter in response to the GAO's draft Report which provided its concurrence, acknowledged that the resources identified in the Report reflected a thorough assessment, and stated that "[f]uture outreach by the DoD OSBP will increase awareness of the cybersecurity education resources among the DoD Small Business workforce through training events, education programs and by issuing guidance to the Military Departments and Defense Agencies."
If you have questions about the GAO Report or whether you are in compliance with federal regulations regarding cybersecurity protections, please contact us at: (808) 369-9710 or info@holomuaconsulting.com.