Academic journal article American University Law Review

Regulating Information Security in the Government Contracting Industry: Will the Rising Tide Lift All the Boats?

Article excerpt

The government is strengthening cyber and information security regulations to address increasing cybersecurity risks. These regulations will affect government contractors in many ways; for instance, contractors must apply new technologies to monitor cybersecurity threats and develop stronger information security protections. This "rising tide" of regulation should lift "all boats," namely members of the government contracts sector. Some small business contractors or larger contractors without experience working with the government, however, may not be equipped to fully comply with these strengthened regulations. The government may as a result lose a number of would-be competitors for contracts requiring cyber and information security protections. Alternatively, some contractors lacking resources and experience may compete for the contracts anyway, which could serve to weaken the security of government information and information systems. This Article gives an overview of existing and new regulatory requirements and analyzes the difficulties some contractors may have complying with them. This Article also suggests ways to ensure all contractors can effectively comply with the regulations. Federal agencies can develop incentives, protections, or training requirements for contractors. Agencies can also develop opportunities for information sharing, which would help smaller or larger, inexperienced contractors get involved in contracts requiring cyber and information security in a manner that better ensures compliance and mitigates security risk. The government may also want to develop an iterative process of regulation, which would help ensure all contractors can keep pace with the increases in cyber and information security regulation.

INTRODUCTION

There is an oft-quoted aphorism that "a rising tide lifts all the boats."1 It has often been used to support a variety of economic policies. President Kennedy used the analogy to support federal investment in a dam project in Arkansas. The rationale for the investment was that the benefit to a section of Arkansas would bear benefits to the states in general.2 Thus, the resulting collective good, the "rising tide," would benefit all individuals. In later years, President Reagan and other proponents of supply-side economics used the same phrase to support a philosophy that favorable economic conditions for business would spur economic growth, contribute to an overall stronger economy, and hence, benefit everyone.

In the context of cybersecurity regulation of the government contracting community, it appears the federal government is operating with the same philosophy. Steadily, though with varying degrees of speed, the federal government has raised standards for cyber and information security. Few would deny this is a positive trend.4 The risk of harm arising from cybersecurity breaches and the exposure of sensitive information warrants increased vigilance and protection.5 The means by which the federal government is mandating that protection, however, threatens to outpace the technology and resources available for subsets of the government contracting community, particularly small businesses. The regulations might also affect larger businesses just entering the government contracts industry or seeking work with new federal agencies; they may find that the cost of compliance outweighs the benefit of participating in the new market.6 In that sense, the rising tide arguably lifts some "boats," but only those equipped with the technology and resources necessary to brave the waves of cyberthreats. It is difficult to see how some "boats" lacking the technology and experience to implement new protections can rise with the regulatory tide. They may not have the technology required to ensure the necessary cyber and information security protections required under new regulation.7 Further, they may lack the experience necessary to ensure appropriate cyber and information security. In that respect, the rising tide does not promise to lift all boats. …
