The focus on cybersecurity in the supply chain remains a priority in order to “deliver uncompromised” within the Department of Defense. Ensuring that contractors and subcontractors adhere to the DFARS clause that specifies these cybersecurity requirements should be a priority for any company that does business with the DoD. Earlier this year, the Undersecretary of Defense, Ellen Lord, drafted correspondence directing DCMA to research ways to determine industry cybersecurity readiness. In March, she stated that cybersecurity standards for contractors are being derived from the NIST security controls and will include metrics to be utilized by third-party auditors. Acting Defense Secretary Patrick Shanahan has previously stated that cybersecurity would become a key measurement by which DoD evaluates companies.
Small and medium companies have expressed concerns with the proposed standards, citing the challenges of creating a cybersecurity program. Despite concerns, it appears certain that in some manner, contractor cybersecurity will be a factor of “suitability” for the defense industrial base within the next 18 months.
On October 18, 2018, the National Institute of Standards and Technology (NIST) hosted a day-long workshop to educate industry and government representatives about the security requirements applicable to Controlled Unclassified Information (CUI). Hundreds of attendees, in person and via webcast, learned about the implementation and assessment of those CUI security requirements. Defense contractors are familiar with these requirements through various DFARS clauses, which mandate protective measures for CUI and the ability to respond to a cyber incident involving this information. Additionally, a heightened focus on supply chain vulnerability (see MITRE’s August 2018 report, “Deliver Uncompromised”) has amplified the need for strict security controls on contractor IT systems, as well as more robust oversight of these systems by DoD.
Because of this, we can expect, in the not-too-distant future, that contractor IT systems will be assessed for cybersecurity compliance by a responsible entity, yet to be determined. The resultant “rating” may be relevant in the contract bidding process, and/or the ability to continue working on existing DoD contracts.
Protecting all contractual information remains a critical factor in protecting the warfighter. As more and more emphasis is placed on supply chain vulnerability, maintaining strong cybersecurity practices is essential for all contractors that do business with DoD.
For about 15 years, the month of October has been designated Cybersecurity Awareness Month. The initiative began as a concept to help all Americans stay safe online. When it began, this meant updating your antivirus software twice per year. Oh how cybersecurity has changed since then! The amount of personal information that is housed on information systems these days is practically unfathomable. We’ve heard so much about security breaches and the disclosure of personal information, that the numbers almost have no meaning anymore. Many individuals accept the fact that their personal information has probably been compromised “somehow.”
We are all concerned about the security of our personal information, but this month emphasizes the entire cyber environment from cyber safety for children to cybersecurity for small businesses. The Department of Homeland Security (DHS) campaign, “Stop. Think. Connect.” is a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online. Their toolkit webpage contains numerous resources that every family can use to be safer while online. These resources can be found at: https://www.dhs.gov/stopthinkconnect-toolkit.
Cybersecurity is everyone’s responsibility, at home, in the workplace, and in our communities.
Information Technology (IT) is a foundational component of modern business infrastructure because it brings functionality, accessibility, and efficiency to employees and customers. The common definition of cybersecurity, “protecting your electronic data and systems from unauthorized access or attack,” is simple enough to understand. Yet many of the attributes that make IT useful, its accessibility and connectivity in particular, also make it vulnerable. Failing to incorporate cybersecurity into the IT infrastructure leaves a company at risk of attacks that, at a minimum, undermine the benefits to the workforce and could become a significant financial liability or a risk to the continued existence of the company.