In December 2018, the Inspector General of the Department of Defense (DoD) released a report on the recent audit of the U.S. Ballistic Missile Defense System (BMDS). This audit found that security protocols that should protect networks and systems containing technical information about the BMDS were not put in place. While the audit was performed on the Department of Defense’s own systems, DoD Contractors now have the chance to learn from the audit and take action to ensure their compliance with the Department’s cyber security mandates such as DFARS.

Lessons for DoD Contractors

DoD contractors can use the released report to learn what they may expect if the DoD decides to audit their company’s System Security Plans (SSP). While there is no guarantee that this audit will be similar to the audits performed on DoD Contractors’ systems, they can still use the audit to gain insight into the criteria the DoD uses to assess Security System Plans and work out how to improve security measures and avoid making the same mistakes as BMDS.

Objectives of the DoD’s Security Audit

The key objective of the DoD’s security audit was to determine whether DoD Components implemented security controls and processes at DoD facilities. These security controls should protect BMDS technical information from both internal and external cyber threats.

Findings of the DoD’s Security Audit

In the failed audit, the DoD found that officials did not consistently implement security controls and processes to protect technical information regarding the BMDS. Some network administrators had not put in place multifactor authentication to secure access to BDMS technical information. This increases the chance that an experienced hacker could break into the systems and steal important classified information.

Three of the five Components that the DoD audited did not identify and mitigate known network vulnerabilities. They also, in many cases, did not consistently verify the effectiveness of the security controls they had implemented. Without careful consideration of the security risks and the adequacy or inadequacy of the security controls in place to protect against them, BMDS has no way of knowing whether they have taken enough action to keep their data safe.

Some auditors found that physical security at DoD facilities was inadequate. For example, server racks that are not locked up can be compromised by workers or intruders. Similarly, some officials failed to adequately protect classified data that was stored on removable media, which can easily fall into the wrong hands.

In addition, DoD auditors discovered failures to encrypt BDMS data when it was being transmitted. Some audited organizations also failed to put in place systems to detect attacks on classified networks, which means they could be unaware of threats.

Recommendations of the DoD’s Security Audit

The DoD audit report had four main recommendations to keep data safe at DoD facilities:

• Use multifactor authentication
• Respond quickly to vulnerabilities
• Protect data on removable media
• Implement the ability to detect intrusions, both on computer networks and in physical facilities

Options for DoD Contractors that are Selected for Audit

DoD contractors that are selected for audit must meet the recommendations that the audit report outlines. Contractors can choose to put the responsibility for meeting these requirements onto their in-house IT department, or seek the help of a cyber security consultant who specializes in NIST SP 800-171.

To handle security in house, contractors will need to use the guidelines given in the Self Assessment Handbook – NIST Handbook 162. The National Institute of Standards and Technology (NIST) created this handbook to help DoD contractors comply with all SP 800-171 security requirements. While this handbook is very useful, many contractors still find it difficult to handle all their security needs in house.

For many DoD contractors, working with a third-party Managed Security Service Provider (MSSP) is a better option than trying to handle DFARS compliance in house. Consultants who specialize in DFARS NIST SP 800-171 compliance know exactly how to meet the requirements and are therefore less likely than in-house employees to overlook security holes or make mistakes in the development and implementation of security protocols.

MSSPs can provide the following services to help DoD contractors become compliant:

• Security Assessment: Audit the DoD contractor’s current system against NIST SP 800-171
• System Security Plan: Develop a compliant System Security Plan (SSP) and Plan of Action and Milestones (POAM)
• Remediate: Implement items called out in the POAM
• Compliance Monitoring and Maintenance: Ongoing advanced cybersecurity monitoring and incident response capabilities are required to remain compliant.

For more information, please see our complete Guide to DFARS Compliance developed specifically for DoD Contractors.

Importance of Compliance for DoD Contractors

With the DoD factoring in cyber security into contract awards, it is very important for all DoD contractors to make security a priority. If a DoD audit finds that a contractor is not in compliance, the auditors can issue a stop-work order, which prevents the contractor from carrying out any work on behalf of DoD until they can prove they have put suitable security measures in place. In some extreme cases, the DoD can terminate contracts with contractors who have failed an audit and even bar them from working with the DoD in future.

DoD contractors who need help to comply with DFARS and pass a DoD audit can get in touch with a Managed Security Service Provider (MSSP) who specializes in DFARS/NIST SP 800-171 Compliance Solutions. A compliance consultation from SysArc is free and can help contractors find out whether they are doing enough to keep their Controlled Unclassified Information (CUI) safe.

The U.S. Department of Defense (DoD) has released final guidance on assessing contractor compliance with NIST SP 800-171 during the contract award process. Based on the guidance, this article focuses on what is required of DoD Contractors to prove compliance with DFARS in their pre-award solicitations and post-award contracts with the Department of Defense in accordance with NIST SP 800-171.

Proof of compliance relies heavily on the development and implementation of two documents: A Systems Security Plan (SSP) and a Plan-of-Action and Milestones (POA&M). Guidelines on how these two documents fit in the contract award process with the DoD can be found below.

Pre-Award Guidelines:

1. Admit Compliance: In accordance with DFARS 252.204-7008, the solicitation must include self-attestation of compliance with DFARS 252.204-7012 and implementation of NIST SP 800-171. The DoD interprets “self-attestation” as admission of compliance, and “implementation” of NIST SP 800-171 as having a completed Systems Security Plan (SSP) and a Plan-of-Action and Milestones (POA&M) in accordance with NIST SP 800-171. NIST provides templates for both SSPs and POA&Ms. For DoD prime and subcontractors who do not have the resources or expertise to develop and implement an SSP and POA&M, see our NIST Compliance Services.
2. Detail Enhanced Security Measures (if applicable): In accordance with DFARS 252.204-7008, should the requirements of the requiring activity deem it necessary for the contractor to implement enhance security measures in addition to NIST SP 800-171, the contract must include a Statement of Work (SOW) detailing the implementation of the additional security measures.
3. Support Evaluation Process: The Compliance Guidance reveals how the DoD will conduct the assessment of a contractor’s compliance status. The DoD’s evaluation process is based on four objectives:
• Establish ‘Go/No Go’ evaluation criteria threshold. The Contractors SSP and POA&M will be scrutinized against this criteria and an “acceptable” level of compliance will be established.
• Establish a separate technical evaluation factor, which would also require delivery of the SSP(s) and POA&M(s) with a more detailed description of how compliance would be judged in Section M.
• Conduct on-site assessments of the contractor’s internal information systems using NIST SP 800-171A.
  Identify Tier 1 suppliers and their plans for flowing down the requirements of the DFARS Cyber Rule and for assuring subcontractor compliance.

Post-Award Guidelines:

1. Deliver SSP and POA&M: The contractor must incorporate their Systems Security Plan (SSP) and POA&M in the contract. These two documents become a contractual requirement which means failure to comply with them could result in contract performance issues and/or breach of contract. Additionally, contractors must provide an SSP that meets the requirements of the Data Item Description (DID) which is included in the Compliance Guidance. While there is no prescribed format or specified level of detail for an SSP, NIST provides a template. They also provide a template for the development of a POA&M. For DoD prime and subcontractors who do not have the resources or expertise to develop and implement an SSP and POA&M, see our NIST Compliance Services for more information.
2. Support On-Site Assessments: The contractor must include a Statement of Work requiring the contractor to support an independent on-site government assessment of compliance of NIST SP 800-171 in accordance with NIST SP 800-171A by the Department of Defense.
3. Identify CDI including Tier 1 Suppliers: The Data Item Description (DID) included in the Compliance Guidance requires prime contractors to complete the following for every Tier 1 supplier:
• Provide basic identification information,
• Verify that it has flowed down the substance of DFARS 252.204-7012 to the supplier, as well as any additional security requirements;
• State whether the supplier has done a self-assessment in accordance with NIST SP 800-171A; and
  Provide a copy of the supplier’s SSP and POA&M.

Support and Consultation:

If you are a DoD Prime or Subcontractor and have questions about the DoD’s Compliance Guidance and how to develop the required SSP(s) and POA&M(s), a qualified Managed Security Services Provider who specializes in DFARS Compliance can help you meet compliance. As a DFARS/NIST SP 800-171 consultant who has provided compliance solutions for DoD contractors all over the United States, we’re happy to point you in the right direction. We’re available at 800-481-1984.

In September 2018, the Department of Defense published an update to its 2015 Cyber Security Strategy. The changes made in the previous strategy focuses on the cyber threats that exist from other countries. The update echoes the White House’s National Cyber Security Strategy, which was also release in Septemebr. In the 2018 Department of Defense Cyber Security Strategy, it’s stated that “China is eroding U.S. military overmatch and the Nation’s economic vitality by persistently exfiltrating sensitive information from U.S. public and private sector institutions.” This statement sets the tone for the rest of the publication, which addresses cyber threats the way that the DoD handles other types of threats to the nation.

Summary of the 2018 Cyber Security Strategy

“The Department will work with its interagency and private sector partners to reduce the risk that malicious cyber activity targeting U.S. critical infrastructure could have catastrophic or cascading consequences.”

This goal of the 2018 Cyber Security Strategy emphasizes greater collaboration and transparency to create a landscape with better overall cyber security. It also reflects an environment where public and private sector organizations work with dozens or even hundreds of service providers and other third-parties. Information sharing is an important measure to rapidly respond to emerging cyber threats, limiting the damage that’s possible from a zero-day exploit or large-scale attacks targeting critical infrastructure.

A vulnerability in a partnering business can have the same devastating impact as a security hole in the contractor or federal agency. One of the biggest priorities is defending systems and data connected to the DoD, whether that’s at other government agencies or with DoD contractors. Cooperation between these parties also supports another goal of the 2018 Cyber Security Strategy – improving integration of systems to better assist with military operations and related plans.

The Objectives of the 2018 Cyber Security Strategy

There are five distinct objectives outlined in this publication. Each of these topic areas plays a different role in supporting the overall goals of the DoD.

• “Ensuring the Joint Force can achieve its missions in a contested cyberspace environment.” Cyber attacks can hinder military operations, from slowing down development to actively interfering with communications.
• “Strengthening the Joint Force by conducting cyberspace operations that enhance U.S. military advantages.” Cyber warfare can make a significant difference in operations and provide new ways to handle conflict. Countering ongoing cyber attacks can disrupt foreign actors and make it more difficult to steal information that’s vital to the security of the United States.
• “Defending U.S. critical infrastructure from malicious cyber activity that alone, or as part of a campaign, could cause a significant cyber incident.” Cybercriminals can disrupt information systems that are critical in many areas. Without protection, these attacks can lead to many negative consequences. This strategy embraces a concept called “Defending Forward,” which is a proactive approach to cyber security that seeks to stop attacks before they have the opportunity to cause damage to information systems.
• “Securing DoD information and systems against malicious cyber activity, including DoD information on non-DoD-owned networks.” DoD data is of great interest to many state actors, as well as private hackers. This valuable information must be protected to avoid unauthorized access.
• “Expanding DoD cyber cooperation with interagency, industry, and international partners.” Improved transparency, information sharing and integration can help agencies harden their defenses against attackers.

How Objectives 4 and 5 Relate to Private DoD Contractors

The two objectives of greatest relevance to private DoD contractors are four and five. They reflect the following statement in the 2018 Cyber Security Strategy publication: “We will hold DoD personnel and our private sector partners accountable for their cybersecurity practices and choices.”

The good news is that DoD contractors already complying with the Defense Federal Acquisition Regulation Supplement in publication NIST 800-171 have these objectives covered. DFARS regulations cover everything related to Controlled Unclassified Information and keeping it protected through cybersecurity measures, procedures and policies.

Objective number five may require some changes, depending on the DoD contractor’s current information systems and the policies that they have in place. Complying with these regulations helps all parties in the DoD ecosystem as attack methods continue to grow in complexity and frequency over time.

Working With an Experienced Compliance Partner

DoD contractors that have insufficient cybersecurity measures in place will find themselves failing to secure new contracts or being able to properly protect sensitive data that resides on their information systems.

As new cyber security strategies get published to address the latest changes in the IT landscape, contractors need an experienced partner on hand to provide the necessary resources to stay up to date. They may have all of their in-house IT staff dedicated to fulfilling the contracts that they have with the DoD and other federal agencies. If they pulled those staff members off of those jobs, it could impact the ability to secure more work in the future.

An IT support company fills in the gaps and brings subject matter knowledge of all relevant regulations, including the latest cyber security strategies. DoD contractors can keep their information systems and data complying with the latest updates to avoid fines and penalties. They also provide a better experience overall for the agencies that they end up working with.

If you’re a DoD Contractos and need help complying with the Department of Defense, see our DFARS/NIST SP 800-171 Compliance Solution. If you would like more information about your options for DFARS Compliance in accordance with NIST SP 800-171, see our Compliance Guide.

Cyber criminals cause a lot of problems for organizations, from locking down critical files through ransomware to using social engineering to get access too sensitive data. You know that you need to minimize your cyber security risks, but choosing the best options for your needs may be challenging. Outsourcing your cyber security may be exactly what you need. Here are five benefits you receive when you have a specialized provider helping your IT department with hardening your defenses against threats.

1. Lower Cost. No Salaries

The salary of cyber security professionals is a major roadblock when it comes to bringing them in-house. They are in-demand and the supply is low, leading to a recruiting environment that is costly and time-consuming. When you work with a cyber security provider, you reduce your costs because you don’t have to worry about salaries. Instead, you have a fixed monthly price that’s not going to suddenly spike when massive enterprises do aggressive recruiting campaigns for their IT security teams.

You also reduce your indirect costs, such as the time and resources that the HR team would otherwise spend on finding and interviewing candidates. The cyber security service provider is the one going through the process of finding experts that are capable of addressing the needs of your organization. Your HR team and hiring managers can focus on recruiting for other parts of the company and building around the fact that you have IT security professionals readily available from the service provider.

2. Immediately Gain a Team of Experts with Knowledge

When you bring in a cyber security provider, you end up with specialists who have spent a lot of time addressing cyber threats in many types of business environments. They take educational opportunities to discover the latest cyber security best practices, how to solve the changing needs of modern businesses and the newest solutions on the market.

You have access to many experts, rather than relying on a handful of full-time employees. They have more flexibility due to the amount of hands-on experience they have, compared to a single person who may have only worked in one or two environments. This background is particularly useful when it comes to proactively responding to potential breaches and quickly taking action following an intrusion.

3. Gain Outside Perspective

Sometimes it’s difficult to see the forest for the trees. Your in-house IT team knows your infrastructure inside and out, which can sometimes prevent them from seeing potential cyber security issues or identifying solutions that could improve overall protection.

The cyber security managed service provider delivers an outside perspective that’s built with hundreds or thousands of hours of experience with a variety of business environments. They may have innovative solutions that are tried and tested against the latest threats.

The in-house IT team may have its attention divided between user support, development, maintenance and hundreds of other tasks outside of cyber security. They don’t always have the opportunity to go to workshops or read the latest news in the cyber security world. Since a cyber security service provider is entirely focused on this part of the technology world, they have the time to keep up with cutting-edge developments.

4. Full Proof Gap Analysis and Remediation Plans

Do you know exactly what’s missing with your company’s cybersecurity measures? Outsourced cyber security can find the vulnerabilities that put you at risk of an attack, whether you’re missing a critical piece of defense or your policies fail to address cyber security. They work with you to develop a remediation plan that meets NIST cyber security standards so that you can minimize your risk profile.

This process is not one-and-done. Security standards and regulations frequently change, especially as new technology comes out. When you’re proactive about working with a security team to identify the gaps in your defenses, you stay ahead of potential attackers and keep your infrastructure protected.

5. Scale Your IT Security Team on Demand

The amount of risk that your organization faces varies based on many factors. For example, if you’re gearing up for a large expansion, you may be more vulnerable to opportunistic attacks. Another situation that could create a weaker environment is immediately following a data breach. Until you know how the hackers got in, you don’t have a way to fix the exploit to prevent a repeat attack.

Outsourced cyber security streamlines the process of scaling your IT security team as needed. You don’t always need an increased number of specialists on hand, but they’re invaluable during riskier situations. Once this period has passed, you can ramp back down to the level of service you used previously. That’s a lot easier than hiring and firing a bunch of in-house employees every time you think you’re going to have increased cyber security needs.

Your IT department has to deal with a constantly changing cyber security landscape, where new threats are waiting just around the corner. They don’t always have the resources required to respond appropriately. By augmenting your in-house IT team with outsourced cyber security services, you give them exactly what they need to keep things secure.

If you’re interested in how a Managed Security Service Provider (MSSP) can help your current IT department, give us a call or schedule a consultation. We help companies all over the United States protect their assets and comply with cyber security regulations.

SysArc is committed to helping Department of Defense contractors comply with the government’s DFARS mandate in accordance with NIST 800-171 and 800-171A. Our IT Risk Management and Compliance services give contractors the expert resources they need to stay in compliance without overwhelming their in-house teams.

In accordance with this commitment, we’re attending the NIST Cyber Security Workshop to continue offering cutting-edge cyber security compliance services to Department of Defense Contractors throughout the United States.

The Controlled Unclassified Information Security Requirements Workshop is an informational session with Federal Government representatives. The topics discussed include the expectations of evaluating evidence, advice on how to implement the necessary CUI security requirements, best practices for this process, and the lessons that experts have learned along the way.

By going to these sessions, SysArc has the opportunity to get detailed information and updates on DFARS compliance directly from the people and agencies responsible for it. This first-hand knowledge is key to helping our clients prepare for changes to the regulations and to have the best possible implementation available.

The sessions that are scheduled to take place during this workshop are:

• Overview of Controlled Unclassified Information, the CUI Registry and the CUI Rule
• Overview of the Defense Acquisition Regulations System (DFARS) Safeguarding Covered Defense Information and Cyber Incident Reporting Clause
• Overview of NIST Special Publication (SP) 800-171, Protecting CUI in Nonfederal Systems and Organizations
• Overview of NIST Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information
• Government Panel: Expectations for Evaluating the Implementation of CUI Security Requirements in NIST SP 800-171
• Industry Implementation of CUI Security Requirements: Best Practices and Lessons Learned

The speakers at the NIST Cyber Security Workshop come from many federal agencies, including NIST, the National Archives and Records Administration, the Department of Defense, as well as companies such as Leidos, Stackarmor, and Exostar. Dr. Ron Ross, a NIST Fellow at the Information Technology Laboratory, is the keynote speaker for this workshop.

This event takes place on Thursday, October 18th, 2018 at the NIST Red Auditorium at 100 Bureau Drive, Gaithersburg, MD 20899. It runs from 8:30 AM to 5:00 PM Eastern Standard Time.

A common question that small DoD contractors and subcontractors have is whether they are subject to the requirements of the Defense Federal Acquisition Regulation Supplement. This regulation concerns the way firms manage Controlled Unclassified Information and the minimum level of security practices that they need to adhere to.

DoD Contractors

https://www.nist.gov/mep/cybersecurity-resources-manufacturers/dfars800-171-compliance that any size DoD contractors “that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards.”

DoD Subcontractors

Subcontractors that work with Controlled Unclassified Information are also responsible for following these regulations. NIST.gov states “These security controls must be implemented at both the contractor and subcontractor levels based on the information security guidance in NIST Special Publication 800-171.”

Basically, if a firm is working with DoD Controlled Unclassified Information, they fall under DFARS requirements and should plan accordingly to bring their business into compliance.

Is It Expensive to Comply with DFARS?

The answer to this question is complicated. The areas that influence the total cost of compliance depend on several factors. The DoD contractor’s IT infrastructure complexity and the current state of its cybersecurity measures plays a large role in the expenses associated with compliance. If they already have robust IT security measures in place, it’s possible that they don’t have to change much, if anything, to meet the DFARS requirements.

The next cost-influencing consideration is whether the DoD contractor wants to do the work necessary for compliance in-house, or if they end up hiring a cyber security expert to do it for them.

A good start for small manufacturers is to purchase a gap analysis from a DFARS consultant. This analysis gives them a concrete direction on what they need to do to address the issues with security in their infrastructure. They can choose to remediate themselves or to pay an IT company to do it for them.

DoD contractors should look at the resources that they have available in-house, their current contract load and the opportunity costs associated with tackling compliance themselves. They need more than someone familiar with IT security. They need specialists who are fully acquainted with the DFARS requirements and what that looks like in practice.

The Cost of Non-compliance

Some DoD contractors may balk at the expenses associated with complying with DFARS. However, the costs for not complying with the regulations may end up being more of a resource drain in the long run. You may get a False Claims Act filed against you, be considered in breach of contract, have your existing contracts terminated or end up getting suspended. Your reputation takes a hit and you may find it difficult to get DoD contracts in the future.

The Pentagon is now factoring in cyber security assessments in their contract awards processes. If you don’t follow DFARS requirements, then you may end up losing out to your competitors during the bidding process. It takes a lot of time and effort to build up contacts and trust with the DoD. No one wants to lose that as an attempt to cut cyber security costs, especially when improving security is a best practice for businesses to begin with.

DFARS compliance should result in DoD contractors winning more contracts over time. It should be seen as a competitive advantage, as the business has proven that they’re willing to put the appropriate measures in place to keep CUI protected from unauthorized access and use.

To understand cyber security assessments, think of other checkups such as medical examinations or a vehicle inspection. In each of these cases, the best assessments aren’t simply a case of concluding “pass” or “fail”. To get the most from the exercise you need an assessor who:

• uses a clear set of objectives for what’s required;
  
• identifies shortcomings;
  
• offers practical help and advice to remedy shortcomings; then
  
• lays down guidelines and best practice to make sure you continue to meet the objectives.
  

Running The Risk

According to the Ponemon Institute, you’re now more likely than not to be hit by a cyberattack. Its report ‘State of Endpoint Security Risk’ estimated 54 percent of companies were compromised by at least one successful attack in 2017. Indeed, 70 percent of surveyed companies believe the risks they face increased in 2017.

Why? The main reason is the increasing range of incentives to attackers. Gone are the days when cyberattacks were either the work of bored pranksters trying to cause disruption or criminals trying to access confidential data for financial gain or corporate espionage. Now you also need to worry about ransomware attacks where your compromised network is effectively locked down until you pay up. Some attackers aren’t interested in your data at all and simply want to hijack your resources to help them make money from ‘mining’ virtual cryptocurrencies such as Bitcoin.

Ponemon reports that the average attack has a cost impact of $301 per employee. This can include direct financial losses, lost productivity, the costs of repairing or rebuilding hardware and software, and the costs of reputational damage. It’s clear that identifying and fixing security shortfalls before an attack happens makes sound financial sense.

Setting The Standard

While the precise steps a cyber security consultant takes will vary, the procedure will follow a few basic principles. The starting point is to establish the benchmarks for where your business needs to be with your security, coming at it from a couple of perspectives. One is the purely functional: neutralizing likely threats so that you can continue doing business without disruption. The other perspective is external requirements, which can include:

• meeting mandatory standards laid down by potential clients (particularly government agencies);
  
• regulations that affect your specific industry (such as protecting data under HIPAA, DFARS, GDPR, etc…); and
  
• any rules laid down by your insurers as a condition of coverage.
  

The Gap Analysis

The next step is a gap analysis. This involves:

• taking a model of how things would be working if you met the required benchmarks;
  
• inspecting your cyber set-up to see how things are really operating; and
  
• detailing exactly where and how you are falling short.
  

The big benefit of an expert cyber security consultant is that they don’t just have the experience to know exactly what to examine, but they can come at the task with an external perspective. In particular, they’ll look for security shortfalls that aren’t currently presenting any practical problem. That overcomes the limitation of internal inspections where you might be tempted to overlook a sub-optimal practice on the grounds that “it’s never been an issue so far.”

You may be surprised to discover just how much of the gap analysis involves inspecting procedures rather than just the current state of your equipment or network. To see why this is the case, imagine reviewing your home’s security. A basic inspection might show you have suitable locks in full working order. A more sophisticated audit might reveal that your hide-a-key is in an easy-to-locate place.

The Remediation Plan

Following the gap analysis, a cyber security consultant will prepare a remediation plan. This is a detailed list of the steps you must take to plug the security gap. An effective consultant will present clear, actionable steps, often in an order of priority.

Some of these steps will be straightforward such as upgrading a software security tool or reconfiguring a network. Others will be more detailed and wide-ranging, such as changing the way in which your staff authenticate themselves or redesigning your file system so you can more effectively control who can access or alter specific sets of data.

The beauty of using an expert consultant is that they not only know what changes you need to make, but have the experience to help you make them with minimal disruption to your ongoing business. Some consultants can even train your staff in security best practices and deal with any resistance or lack of enthusiasm among employees faced with changes to their work practices.

A Long-Term Cyber Security Solution

The remediation plan isn’t usually the end of the process. A cyber security consultant can return later to make sure you’ve carried out the necessary steps adequately. They could then either formally certify that you meet relevant standards and regulations or give you the assurance you need that everything is in order before you undergo an official audit.

A good consultant will also offer ongoing services to monitor or maintain your security posture. This could be as basic as returning for regular inspections or as sophisticated as installing and operating monitoring tools that can quickly identify any security breaches, spot new vulnerabilities, or highlight if staff aren’t following the procedures you’ve put in place.

If your company is interested in having an expert take a look at your systems and procedures,  get a Cyber Security Assessment from SysArc.

The Washington Post has reported that The Pentagon has developed a new strategy to protect its supply chain from cyber crime and foreign interference. As well as basing how it awards its weapons contracts on the price and performance that each contractor can offer, The Pentagon will now also consider security as an important factor when deciding which contractors to work with. This move marks an important shift in how the Pentagon regards security.

The new strategy is designed to reward DoD contractors who take their security responsibilities seriously. According to Kari Bingen, the deputy undersecretary for intelligence at the Pentagon, “Security should be seen not as a ‘cost burden,’ but as a major factor in their competitiveness for U.S. government business.”

Last year, the Department of Defense implemented a set of cybersecurity regulations that all DoD contractors must follow. These regulations are known collectively as DFARS (the Defense Federal Acquisition Regulation Supplement) and are designed to protect DoD data from cyber theft. To comply with DFARS, DoD contractors must provide adequate security to protect covered defense information that is stored on or transmitted through their systems. Contractors must also report cyber incidents within a specified time period and cooperate with the DoD to investigate and respond to those incidents.

The Pentagon’s new policy will encourage all contractors to take action to ensure their businesses comply with DFARS. If they want to continue to work with the DoD, contractors will need to pay ongoing attention to their security systems and procedures to ensure they meet the required standards.

In summary, the DFARS mandate was just the beginning when it comes to improving the security of DoD contractors. The Pentagon will now have the power to force contractors to comply with the regulations, by recognizing that compliant businesses can offer a competitive advantages over those that do not comply. In simple terms, those businesses that can demonstrate compliance will win, while those that can’t will lose.

A recent report from the Pentagon suggested that businesses in the DoD supply chain should receive incentives, such as tax breaks, to encourage them to improve their security practices. The report also suggested laws to grant businesses immunity from being sued if they share information about holes in their security systems that could help to protect other companies.

If your business has any connections with the defense industry, you need to take action now to become DFARS compliant. In addition to putting in place security policies and procedures that keep all data stored on your systems safe, you also need to be able to show the DoD what measures you are taking to comply with DFARS and protect sensitive defense information.

If you can demonstrate compliance, you will gain a competitive advantage over your competitors in this security-conscious era. Your business will be more likely to secure and keep contracts with the DoD, compared to businesses that overlook the importance of a robust cybersecurity strategy.

For help with becoming DFARS compliant, you can get in touch with SysArc today. We can address your cyber security concerns and help you offer your clients the very best security for their data. If you want to win and keep contracts with the DoD, contact SysArc today to get started on improving your business’s security.

The government mandate of DFARS comes with the power to legally enforce these regulations. The penalties for non-compliance can be costly to the Department of Defense (DoD) contractor. A few of the consequences include adverse actions related to the False Claims Act, poor performance reviews, termination, and debarment. You may also be subject to lawsuits related to these data breaches¹.

DoD contractors frequently seek out an Managed Cyber Security Company to help them bring their systems and procedures into compliance. You should also consider bringing in a legal team to help you navigate the legal side of DFARS compliance.

Why Use a Cybersecurity Legal Team for DFARS Compliance

The DFARS legal document is 350 pages. Your DoD contractors may not have the time or expertise to go through the entire thing and fully understand it. A specialized legal team has learned about these requirements inside and out, from the explicitly stated standards to those that may be more ambiguous.

Your primary role as a DoD contractor does not involve legal matters, so you may not have the in-house staff necessary to field this task. Outsourcing this part of the compliance process to a team of dedicated experts makes perfect sense. You can continue making great products while maintaining and growing your government contracts.

What Do Cybersecurity Attorneys Do

A cybersecurity law firm does more than go over the legal documentation of DFARS for you. Here are a few of the important tasks that they can handle for DoD contractors:

• Draft policies and procedures: Your existing cybersecurity policies and procedures may fall short of what’s required under DFARS and other government regulations. The attorneys’ documentation skills can improve the current policies and ensure that they can accommodate future changes when new security requirements are put in place.
• Prove compliance: Once you bring your systems into compliance with DFARS, you need to prove it. This process involves specialized legal materials that are best left to an experienced team. Cybersecurity attorneys can prepare this documentation and present it to the DoD.
• Defend against lawsuits: Data breaches may lead to lawsuits due to the information that was lost or other related issues. You can have your cybersecurity attorneys handle this, rather than allowing the legal matters to eat up your time and attention.
• Cooperate with DoD investigations: The legal firm will work with the DoD during investigations following a breach or a related incident. If you had to put employees inexperienced with legal matters on this task, you could end up with some significant compliance issues.
• Advise on state data breach laws: DFARS isn’t the only regulation you need to worry about as a DoD contractor. You also need to comply with state data breach laws and may face additional penalties if you fail to take them into account. The legal firm’s job revolves around keeping up with the latest updates and changes to cybersecurity law. You don’t have to pull your resources away from DoD contracts to try and determine whether you need to make adjustments.
• Negotiate with vendors: How many vendors do you work with as a DoD contractor? When you have a lot of companies that you do business with, it’s difficult to sift through the contracts and discover opportunities to get a better deal. Cybersecurity attorneys, on the other hand, are more than happy to help negotiate these arrangements so you get the best terms possible. They can also eliminate redundant contracts that are costing you money.
• Handling False claims allegations: False claims allegations are a serious issue in government contracting. A cybersecurity law firm familiar with DFARS and other government regulations can defend you against such claims. They also improve your documentation quality to decrease the chance that you run into a False claims situation.

How Cybersecurity Attorneys Help DoD Contractors Implement Changes

You can put many technical solutions in place for better cybersecurity, but people are always the weakness in the system. Phishing attacks and other forms of social engineering are still effective at giving attackers access to sensitive systems. Cybersecurity attorneys can incorporate data security and privacy policies into your standard employee handbooks and standard operating procedures to improve cybersecurity awareness at your organization.

One way that the attorneys encourage the adoption of these policies is by using role-appropriate education. People outside of the IT department don’t need a lot of details into how phishing works. They need to know about the obvious and subtle signs that could indicate an attack, what they need to do if they suspect phishing, and who they should contact in this situation. When the policies are clear and easy to understand, it’s a lot more likely that employees will follow the new procedures.

A law firm experienced in DFARS compliance is an invaluable asset for DoD contractors. Even if you’re currently compliant, you never know when the regulation or state-level laws may change the security standards. When cybersecurity attorneys are handling the legal aspects of DFARS compliance, the rest of your staff can work on current DoD contracts and winning bids for new ones.

Sources:

https://www.cov.com/-/media/files/corporate/publications/2018/01/dfars_cyber_rule_considerations_for_contractors_in_2018.pdf

Government contractors deal with many compliance concerns during their work with Federal Government customers. Regulations such as NIST 800-171, called the Defense Federal Acquisition Regulation Supplement (DFARS), and NIST 800-53, part of the Federal Information Security Management Act (FISMA), may be part of the technology standards that a government contractor must follow during their work. To ensure full compliance with DFARS and FISMA requirements, contractors should understand what each regulation covers, the systems that they apply to, and whether overlap occurs between them.

Who Are the Regulations Meant For?

FISMA covers Federal institutions and the information systems that they use. It’s a comprehensive set of guidelines that government institutions must follow when they secure their infrastructure. In some cases, FISMA applies to government contractors if they operate federal systems, such as providing a cloud-based platform. DFARS solely refers to the internal systems of Department of Defense contractors.

How Are the Requirements Different?

FISMA is a massive 462-page document that covers the framework that government institutions use for appropriate levels of security and privacy in their systems. The primary focus of FISMA is assisting government organizations when they’re putting together IT security protocols and strategies. There are 212 controls total in this document, although organizations don’t have to implement all of them to be in compliance.

DFARS is much smaller, with only 125 pages of guidelines. It covers the proper protection of Controlled Unclassified Information (CUI) when a non-federal organization is using that data on their internal systems. Only 109 controls are listed in this document, and all of them are required for compliance.

Where Do DFARS and FISMA Overlap?

Some of the controls of DFARS and FISMA overlap, so government contractors that have to adhere to both regulations may have some areas already covered. These controls fall under the cybersecurity best practices that contractors should already be paying attention to in order to protect against data breaches.

• Access control: Ensure that users only have the permissions they need to do their work.
• Configuration management: Confirm that the configuration is set up to maximize security for CUI.
• Ongoing maintenance: Proactively addressing potential vulnerabilities limits the opportunities for attackers.
• Accountability: Gain access to a paper trail in the event of an audit or another type of review.
• Information integrity: Maintain the integrity of the CUI and other important information on these systems.

Why Were Both Regulations Enacted?

DFARS and FISMA were enacted to provide federal institutions and government contractors with the guidelines they needed to adopt a risk-based cybersecurity approach. With cyber attacks frequently happening across all public and private sectors, it was important to create a standard for government agencies and contractors to follow so an appropriate level of security was in place.

Without this type of regulation, government contractors and institutions would have a greater risk of data breaches and other IT security problems. The controls outlined in these documents act as a set of best practices for organizations to follow.

Keeping government systems and CUI secure and protected are essential tasks, but contractors should pay close attention to see which framework actually applies to the project. In some cases, government agencies will default to requiring contractors to comply with the much broader FISMA, even if DFARS is more suitable for the type of work that they’re doing.

If you are a DoD contractor and need assistance with DFARS or FISMA compliance, contact us about our consulting services:

• DFARS compliance consulting
• FISMA compliance consulting