While the Department of Defense’s (DOD) recent, and renewed, focus on cybersecurity may not constitute “war” per se, the agency appears to have little problem littering the regulatory battlefield with rumors of an impending “shock and awe” strike. Like the actions taken by Nathanael Greene or Francis Marion, DOD’s current efforts to address cybersecurity are, at the very least, disorienting and unconventional. Unfortunately, this does not help federal contractors. Cybersecurity is the three-ton, rainbow-colored elephant sitting atop every federal contractor’s dining room table on Thanksgiving Day. It is, thus an “issue”—and one that is impossible to ignore. While some contractors may liken DOD’s continuing promulgation of cybersecurity rules and regulations to just another screed from “Drunk Uncle” Sam, the sobering reality is that compliance with these requirements is absolutely critical to the avoidance of catastrophic liability. As such, many in the federal procurement community are now in the untenable position of deciding how—or when—to proceed in securing Controlled Unclassified Information (CUI) and, specifically, Covered Defense Information (CDI) being received or generated as part of contract performance. DOD’s irregular warfare against cyber threats also has the unintended effect of disorienting requiring activities and contracting officers still struggling properly to identify CUI and CDI to contractors in the absence of clear guidance.
8.7.2019