Contractor information systems that store government data, referred to as Controlled Unclassified Information (CUI) and/or Covered Defense Information (CDI), will soon have to meet the security standards of the Cybersecurity Maturity Model Certification (CMMC). In January, version 1.0 of the CMMC was released. This is a crucial step in DoD’s efforts to ensure that the supply chain is more secure. All contractors that do business with the DoD will be subject to these compliance requirements.
The CMMC will fortify the requirements of the Defense Federal Acquisition Regulation Supplement (DFARS) clause that specifies the implementation of the NIST security controls (SP 800-171). The CMMC model contains five levels of cybersecurity maturity, which will be certified by a third-party auditor. If CUI and/or CDI is stored on the contractor’s system, “Level 3” will be required. More information on CMMC can be found at https://www.acq.osd.mil/cmmc/draft.html.
Last October, a brief history of Cybersecurity Awareness Month was featured on our website, along with that year’s theme, “Stop. Think. Connect.” This year’s overarching theme is “OWN IT. SECURE IT. PROTECT IT.” This is intended to emphasize the role everyone plays in online safety. Cybersecurity requires that deliberate measures be taken to ensure security at home and in the workplace.
- OWN IT – Understand your digital profile.
- SECURE IT – Secure your digital profile.
- PROTECT IT – Protect your digital profile.
Cybersecurity safety is everyone’s responsibility, at home, in the workplace, and in our communities. You can read more about this year’s campaign at https://niccs.us-cert.gov/national-cybersecurity-awareness-month-2019.
September 2019 has been designated “Insider Threat Awareness Month.” The insider threat continues to be a major concern to most organizations, public and private, and especially affects those companies in the National Industrial Base due to the nature of their business associated with Department of Defense contracts. Whether facilitated through cyber activity or not, insider incidents cause damage to national security and may result in the loss of life or the loss or compromise of classified information. These incidents are responsible for the loss of billions of dollars annually through trade secret theft, fraud, sabotage, and similar acts.
Most insider threats display concerning behaviors prior to initiating a malicious act. A well-established Insider Threat Program provides awareness to employees so that this type of information can be reported without compromising an employee’s privacy and civil liberties. Reporting enables an organization to take proactive measures that can result in a favorable outcome for the individual and the organization.
“If you see something, say something”
The focus on cybersecurity in the supply chain remains a priority in order to deliver “uncompromised” within the Department of Defense. Ensuring that contractors and subcontractors adhere to the requirements of the DFARS clause that specifies the details of this cybersecurity should be a priority for any company that does business with the DoD. Earlier this year, the Undersecretary of Defense, Ellen Lord, drafted correspondence directing DCMA to research ways to determine industry cybersecurity readiness. In March, she stated that cybersecurity standards for contractors are being derived from the NIST security controls, which will include metrics that will be utilized by third party auditors. Acting Defense Secretary Patrick Shanahan has previously stated that cybersecurity would become a key measurement for DoD to evaluate companies.
Small and medium companies have expressed concerns with the proposed standards, citing the challenges of creating a cybersecurity program. Despite concerns, it appears certain that in some manner, contractor cybersecurity will be a factor of “suitability” for the defense industrial base within the next 18 months.
On October 18, 2018, the National Institute of Standards and Technology (NIST) hosted a day-long workshop to educate industry and government representatives about the security requirements applicable to Controlled Unclassified Information (CUI). Hundreds of attendees, in person and via webcast, learned about the implementation and assessment of CUI. Defense contractors are familiar with these security requirements through various DFARS clauses, which mandate protective measures for CUI and the ability to respond to a cyber incident involving this information. Additionally, a heightened focus on supply chain vulnerability (reference MITRE’s August 2018 report, “Deliver Uncompromised”) has amplified the need for strict security controls on contractor IT systems, as well as a more robust oversight by DoD of these systems.
Because of this, we can expect, in the not-too-distant future, that contractor IT systems will be assessed for cybersecurity compliance by a responsible entity, yet to be determined. The resultant “rating” may be relevant in the contract bidding process, and/or the ability to continue working on existing DoD contracts.
Protecting all contractual information remains a critical factor in protecting the warfighter. As more and more emphasis is placed on supply chain vulnerability, maintaining strong cybersecurity practices is essential for all contractors that do business with DoD.
For about 15 years, the month of October has been designated Cybersecurity Awareness Month. The initiative began as a concept to help all Americans stay safe online. When it began, this meant updating your antivirus software twice per year. Oh how cybersecurity has changed since then! The amount of personal information that is housed on information systems these days is practically unfathomable. We’ve heard so much about security breaches and the disclosure of personal information, that the numbers almost have no meaning anymore. Many individuals accept the fact that their personal information has probably been compromised “somehow.”
We are all concerned about the security of our personal information, but this month emphasizes the entire cyber environment from cyber safety for children to cybersecurity for small businesses. The Department of Homeland Security (DHS) campaign, “Stop. Think. Connect.” is a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online. Their toolkit webpage contains numerous resources that every family can use to be safer while online. These resources can be found at: https://www.dhs.gov/stopthinkconnect-toolkit.
Cybersecurity safety is everyone’s responsibility, at home, in the workplace, and in our communities.
Information Technology (IT) is a foundational component of modern business infrastructure because it brings functionality, accessibility, and efficiency to employees and customers. The common definition of Cybersecurity, “protecting your electronic data and systems from unauthorized access or attack,” is simple enough to understand. Many of the attributes that make IT useful also make it vulnerable. Failing to incorporate Cybersecurity into the IT infrastructure leaves a company at risk of attacks that, at a minimum, undermine the benefits to the workforce and could become a significant financial liability or a risk to the continued existence of the company.