Cybersecurity in government contracting

Cybersecurity MMBI industry snapshot

April 17, 2025

The government contracting industry is well aware of the high stakes involved in protecting sensitive national security and government data, says Charles Barley Jr., a principal at RSM US LLP.

“There are people who want to do America harm, and breaches are still happening, so cybersecurity is absolutely at the forefront of contractors’ minds,” Barley says. “Government contractors know they must elevate their overall cybersecurity program and the systems that house it.”

Barley notes that geopolitical events, recent elections and ongoing global conflicts tend to drive spikes in cyberattacks. As such, cybersecurity is an ongoing priority for government contractors.

“State-sponsored threat actors are still trying to get into our critical infrastructure,” he says. “Attacks on contractors of all types are constant, so no one can be complacent.”

Weakest links

Barley points out that the human factor is often the Achilles’ heel in government contractors’ cybersecurity defenses. Attackers frequently exploit human error—such as weak passwords, phishing scams and inadvertent data exposure—to infiltrate contractor networks.

“Hackers prey on the idea that people will not have their guard up,” he says. “Someone might click on things they should not, which will then launch attacks inside the contractor’s systems. Eventually, the threat actors can permeate the entire organization.”

Another major concern is supply chain vulnerabilities. Because the federal government relies heavily on third-party providers, ensuring that all vendors comply with cybersecurity standards is crucial. Federal agencies such as the Department of Defense (DOD) have implemented stringent regulatory requirements to ensure robust cybersecurity measures exist across their contractor networks.

“The federal government doesn't build anything,” Barley says. “They buy everything, but because they outsource so many functions to third parties, they have to trust that contractors will maintain a strong security posture.”

However, verifying that subcontractors maintain adequate security measures remains a challenge for government contractors, often necessitating independent third-party assessments. Barley notes that the cost of regulatory compliance is one of the biggest hurdles for government contractors.

Potential obstacles

The financial burden of implementing security controls often falls on contractors, Barley says. For example, the DOD has raised security expectations for defense contractors, requiring them to invest in cybersecurity compliance measures, such as the Federal Risk and Authorization Management Program and the Cybersecurity Maturity Model Certification program, before securing new contracts or renewing existing contracts. Furthermore, maintaining top cybersecurity talent presents another challenge because the demand for skilled professionals continues to outpace supply.

Outsourcing cybersecurity functions to managed security service providers is an increasingly viable strategy for government contractors. By leveraging third-party professionals, contractors can focus on their core mission-critical objectives, while still ensuring robust security is designed, implemented and managed by competent external service providers.

“Contractors need to take a hard look at themselves and say, ‘At what point do I stop trying to build systems internally or manage my security posture with a nimble team, when I can simply look outside, repurpose and refocus my small and agile workforce for critical initiatives, and allow a professional to handle certain activities on my behalf?’” Barley says. “That’s a decision that contractors often have to grapple with.”

Barley adds, however, that regulatory compliance is only the baseline—government contractors must implement continuous monitoring to proactively detect and respond to threats. This includes performing regular security assessments, conducting penetration testing and providing employee cybersecurity awareness training programs to mitigate risks associated with human error.

The role of AI

Artificial intelligence and automation are reshaping cybersecurity strategies in multiple industries, and government contracting is no exception. Although AI offers enhanced threat detection and automated responses, it also introduces emerging risks. Poorly trained AI models or compromised algorithms can lead to erroneous decisions, Barley says, and contractors must carefully vet AI solutions to ensure data integrity and system transparency.

“A form of automation has been around for decades, but now it’s gotten a facelift,” Barley says. “The fact remains that the moment you allow a computer to make autonomous decisions on your behalf, you are trusting the algorithm. So, if there's a flaw in the coding, or if there's an issue with the data quality, AI will make poor decisions that pose significant challenges to desired business outcomes.”

Barley adds, “If a hacker obtains the ability to manipulate the foundation AI coding and puts in a subroutine that causes one plus one to equal three, your output will be flawed. So, you must have limits on AI, and you must have checks to verify what the AI solutions are telling you.”

The takeaway

Government contractors play a crucial role in national security. For this reason, they must remain vigilant in protecting sensitive information and critical infrastructure. “The government contracting community takes cybersecurity very seriously,” Barley says. “No one disagrees about how important this is.”

RSM contributors

  • Charles Barley, Jr.
    Principal
