
Potential Fines on Prime Contractors for Subcontractor Data Breaches


Defense contractors have been victims of a series of high-profile data breaches in recent years. Interestingly, the prime contractor on a Department of Defense (DoD) contract is often not the direct cause of the data breach. Most prime contractors subcontract portions of the work out to other companies, resulting in the sharing of sensitive defense information across multiple organizations. In some cases, subcontractors have inadequate cybersecurity controls in place to protect the data entrusted to them, resulting in breaches of confidential defense data.

Fines for Data Breaches

The DoD has begun taking action to address leaks of sensitive and confidential information from defense industrial base (DIB) suppliers. The issue arose recently during a confirmation hearing for DoD Chief Information Officer Dana Deasy. During the hearing, Senator Joe Manchin of West Virginia expressed his desire for “very, very severe” financial penalties to be levied upon DoD prime contractors whose subcontractors breach sensitive information. Manchin argued that someone needs to be held accountable for these data breaches, and suggested that prime contractors should be responsible for ensuring their subprime contractors have adequate cybersecurity measures in place. Deasy stated that the DoD had not yet considered the possibility of levying fines on prime contractors for weaknesses in their subprime contractors’ cyber defenses. However, he acknowledged that some form of intervention is necessary.


Data Breaches and the Cybersecurity Maturity Model Certification

Senator Manchin’s comments come at a time when the DoD is working on an initiative designed to improve the overall cybersecurity posture of the entire defense industrial base. This initiative is called the Cybersecurity Maturity Model Certification (CMMC). Currently, contractors are required to comply with NIST SP 800-171 to be eligible for defense contracts. However, contractors are permitted to self-certify their compliance, and recent research has revealed that the majority of contractors actually fall short of compliance with the NIST SP 800-171 requirements.

Under the CMMC, each defense RFP will list the mandatory level of CMMC compliance required to be eligible to bid on the contract. The required level of compliance will depend upon the details of the contract. To achieve a particular CMMC certification level, a contractor will need to implement the required security controls for that level and then have that compliance certified by a third-party auditor. All contractors working with the DoD will be required to achieve at least Level 1 CMMC compliance, whether or not they have access to controlled unclassified information (CUI). To date, the DoD has not stated whether it will hold prime contractors responsible for determining whether their subprime contractors have achieved the necessary level of CMMC compliance to be included on the contract; however, this is certainly a possibility.

Responsibility for Data Security

It is very plausible that in the future prime contractors that are not able to vouch for their subcontractors’ cybersecurity may be subject to massive penalties and may even be declared ineligible to bid on government contracts. Subcontractors will need readily available, affordable security solutions that are flexible enough to be used with any endpoint. The security solutions will also need to be sufficiently robust to meet or exceed the encryption standards specified by CMMC. Learn more about Attila Security’s GoSilent, a CSfC-approved solution that provides CNSA Top Secret (TS) level security for protecting data. GoSilent is installed at governments and enterprises worldwide, protecting mission-critical data and IP.