Government Contract? New Contract Language.
The Pentagon is changing its contractual requirements for cyber security. Essentially, it is bolstering the contractual language on what is required of companies that do business with the government. This is where your third-party (and fourth- and fifth-party) cyber security and privacy program comes into play. We have all seen the self-certification process, where a contractor promises to do everything you require of it in order to win the contract. However, the only time that promise is really tested is when the breach happens. At that point the owner of the data, in this situation the government, has to own the breach, because it is their data.
As an attorney, the contractual language is very important to me from a financial-responsibility perspective. As a cyber security professional, I understand that you can't absolve yourself of the responsibility for protecting the data your clients give you with contractual language.
Your third-party program must be more than a check-the-box exercise; it needs to fall within the purview of your risk management program. By risk-ranking your vendors (partners) and working with them, you help them understand where they stand, and they can focus on delivering the right level of data security for the risk they carry. If you build the relationship and develop a trusted partner that meets (or exceeds) your expectations, you meet not only your own goals but also your customers' expectations.