By Keir X. Bancroft | 62 Am. U. L. Rev. 1145 (2013)
The government is strengthening cyber and information security regulations to address increasing cybersecurity risks. These regulations will affect government contractors in many ways; for instance, contractors must apply new technologies to monitor cybersecurity threats and develop stronger information security protections. This “rising tide” of regulation should lift “all boats,” namely members of the government contracts sector. Some small business contractors or larger contractors without experience working with the government, however, may not be equipped to fully comply with these strengthened regulations. The government may as a result lose a number of would-be competitors for contracts requiring cyber and information security protections. Alternatively, some contractors lacking resources and experience may compete for the contracts anyway, which could serve to weaken the security of government information and information systems.
This Article gives an overview of existing and new regulatory requirements and analyzes the difficulties some contractors may have complying with them. This Article also suggests ways to ensure all contractors can effectively comply with the regulations. Federal agencies can develop incentives, protections, or training requirements for contractors. Agencies can also develop opportunities for information sharing, which would help smaller contractors, or larger but inexperienced ones, get involved in contracts requiring cyber and information security in a manner that better ensures compliance and mitigates security risk. The government may also want to develop an iterative process of regulation, which would help ensure all contractors can keep pace with the increases in cyber and information security regulation.