On October 18, 2018, the National Institute of Standards and Technology (NIST) hosted a day-long workshop to educate industry and government representatives about the security requirements applicable to Controlled Unclassified Information (CUI). Hundreds of attendees, in person and via webcast, learned about the implementation and assessment of CUI. Defense contractors are familiar with these security requirements through various DFARS clauses, which mandate protective measures for CUI and the ability to respond to a cyber incident involving this information. Additionally, a heightened focus on supply chain vulnerability (reference MITRE’s August 2018 report, “Deliver Uncompromised”) has amplified the need for strict security controls on contractor IT systems, as well as a more robust oversight by DoD of these systems.
Because of this, we can expect, in the not-too-distant future, that contractor IT systems will be assessed for cybersecurity compliance by a responsible entity, yet to be determined. The resultant “rating” may be relevant in the contract bidding process, and/or the ability to continue working on existing DoD contracts.
Protecting all contractual information remains a critical factor in protecting the warfighter. As more and more emphasis is placed on supply chain vulnerability, maintaining strong cybersecurity practices is essential for all contractors that do business with DoD.