Cybersecurity by Government Contract?

According to Steptoe and Johnson’s E-Commerce Law Week,

The U.S. Department of Defense, the General Services Administration, and NASA last month proposed a change to the Federal Acquisition Regulation (FAR) that would require contractors to safeguard their information systems containing information provided by or generated for the government. The proposed rule … would require government contracts with all federal contractors and appropriate subcontractors to mandate basic information security measures.

Is this a good idea?

In particular, should Canadian governments be concerned about the security of the IT systems in place among businesses that contract with them? If so, should cybersecurity standards be imposed by contract, as a condition of public procurement? Or should they be fixed in law instead, so that businesses that do not bid on government contracts would also have to be secure?

(The US promotes a number of government policies by the economic incentive of requiring compliance in order to get government work. So far as I know, that is not common here. Is that because we have a more efficient legislative or enforcement system?)

Are governments in Canada credible in talking about cybersecurity, so that such a requirement of the public sector would be fair?