Following rules of engagement is a common concept, but knowing the rules — and whether they really apply to one’s own business — is not always a common condition. The federal market can be especially confusing for smaller companies that may be delivering similar products or services to both civilian and military/defense/aerospace agencies.

If you know enough to ask about DFARS 252.204-7012 compliance, hold grants or contract awards subject to the provisions, or are contemplating entering the Department of Defense (DoD) market, you should at least be on the path to Defense Federal Acquisition Regulation Supplement (DFARS) compliance. By September 2020, meeting the required security level contained in a DoD solicitation will be the basis for a go/no-go decision on further consideration of an offeror’s cost, schedule, and performance qualifications.

Announced changes to federal procurement practices, particularly for DoD-related contracts, put into play provisions for supply chain security and resiliency based, in part, on the 2018 “Deliver Uncompromised” study from MITRE Corporation. Widely publicized leaks of government-funded intellectual property and other proprietary information have intensified concerns about the vulnerability of the defense industrial base (DIB), one of the 16 industry sectors defined by the Department of Homeland Security (DHS) as “critical infrastructure.” The Office of the Under Secretary of Defense for Acquisition & Sustainment notes on its website that DoD is “planning a series of engagements across the United States in order to solicit inputs and feedback from the [DIB] sector.”

Starting this year, the compliance model will begin to move from self-attestation (i.e., the current NIST SP 800-171 compliance model) to third-party validation in accordance with the new, five-level Cybersecurity Maturity Model Certification (CMMC). Presentations and discussions of the CMMC process and expectations are scheduled in 12 cities around the U.S. The intention is to release the Defense 5000 acquisitions document with updated RFP Sections L and M this summer, allow some costs related to compliance, and build out a CMCC center for cybersecurity education and training. Meanwhile, NIST SP 800-171 Revision 2 has also been published in draft form.

So how does a manufacturer navigate Uncle Sam’s growing emphasis on DFARS compliance? Here are questions existing and prospective manufacturers involved in DoD supply chains often ask, along with some actionable answers.

My organization is a federal vendor. Do I need to worry about cybersecurity?

Yes. The federal acquisition regulation (FAR) governs all federal government acquisitions and contracting procedures; DFARS is the special supplement for DoD-related contracts. The FAR Final Rule 52.204-21 on “Basic Safeguarding of Contractor Information Systems,” which became effective 15 June 2016, contains 15 controls that are considered the minimal baseline for federal contractors. These controls resonate with basic security objectives contained in NIST SP 800-171 Revision 2.

My organization is a Tier 3 supplier to the DoD, and the prime contractor is compliant with NIST SP 800-171. Does that mean my organization is covered?

No. NIST SP 800-171 requires that prime contractors “flow down” security control objectives to organizations within their supply chains. Primes must clearly mark information identified as Covered Defense Information (CDI) or Controlled Unclassified Information (CUI) that is passed through their supply chain, and may provide secure project or work order communications platforms as well as training for their vendors. At present, organizations can self-attest to compliance.

How will compliance be verified?

DoD will develop an automated tool to assist in gathering data, simplify reporting requirements, and deploy DoD-accredited third-party auditors to verify a vendor’s appropriate security based on the data it handles. Cybersecurity will become an allowable expense in DoD contracts, meaning that the DoD may pay for cybersecurity in some instances.

What are the consequences of being out of compliance with DFARS?

Misrepresenting compliance with DFARS may result in work order termination, liability under the False Claims Act, and/or a contract action report (CAR) against your organization or the upstream prime.

Where can my organization go for additional information?

The NIST MEP Cybersecurity Self-Assessment Handbook explains the current NIST SP 800-171 security requirements. You can also use the MEP National Network online Cybersecurity Self-Assessment tool. Plus, your local MEP Center can offer further assistance in navigating the FAR and DFARS requirements and compliance process.

Rather than characterize the FAR and DFARS rules of engagement as unwelcome costs of doing federal business, organizations should consider them proactive measures to guard against a much broader range of risks that businesses face regardless of customer market. Such risks include the loss (or unintentional sharing) of intellectual property, vulnerability to ransomware, exposure of confidential employee information, and financial issues associated with business email compromise (e.g., fake invoices and fraudulent wire transfer requests). Cybersecurity simply helps control business risk!

CREDIT: Jennifer Kurtz, IndustryWeek

Defense contractors will face big changes and tight timelines over the next year as the Department of Defense rolls out its new Cybersecurity Maturity Model Certification framework, experts say.

The framework, which aims to certify a company’s compliance with federal cybersecurity regulations around controlled unclassified information (CUI), was announced by DOD officials in June. It will be used to evaluate and rate contractors’ ability to protect sensitive data on a 1-5 scale starting next year.

The initial version of the framework is scheduled to go public in January 2020. By June 2020, its requirements will start appearing in requests for information, and will become a regular feature of defense procurement by September 2020. That means defense contractors will have less than eight months to implement changes for compliance with the Defense Federal Acquisition Regulation Supplement and National Institute of Standards and Technology guidance on protecting CUI.

“Any timeline would seem ambitious. One that looks to have this in operation by 2020, it’s going to be difficult,” said Robert Metzger, a lawyer specializing in government contracts and commercial litigation and a consultant for MITRE focusing on supply chain security issues. “Naturally industry has a lot of questions about the mechanics…. Companies are understandably uncertain as to how these changes will affect what they’re doing, how they will demonstrate eligibility for contracts and what the costs might be upon their operations.”

High costs, confusing guidance and low return on investment have all been cited as reasons for compliance challenges among defense contractors. Traditionally, DOD has declined to cover the costs associated with implementing acquisition regulations related to cybersecurity for CUI, but that has slowly changed over the past 12 months as military contractors have faced unprecedented attacks from foreign-sponsored hackers.

Last year, then-Deputy Secretary of Defense Patrick Shanahan expressed reluctance of the part of DOD to help contractors cover added costs for cybersecurity, saying security should be a baseline expectation in contracts. However, at a Professional Services Council event earlier this month, Katie Arrington, special assistant to the assistant secretary of defense for acquisition, announced that the department would allow contractors to write off a portion of their cybersecurity spending for government contracts, including implementing NIST guidance.

Alan Chvotkin, executive vice president and counsel for the Professional Services Council, welcomed the shift, telling FCW that it would be contradictory for DOD to refuse to provide financial incentives around cybersecurity at the same time it has expressed a desire to expand the number businesses that make up the defense industrial base.

Allowing contractors to write off a portion of their cybersecurity compliance activity is “an acknowledgement by the department that cybersecurity is not free,” he said.

“To be a smart businessman, let alone a contractor, you ought to undertake this [level of security], because our adversaries are stealing everything,” Chvotkin said. “On the other hand, [DOD] is trying to entice nontraditional companies and small companies who otherwise … might not see the need to incur such significant costs to reach the level that is expected as a contractor or subcontractor.”

Still, it’s not clear how DOD’s reimbursement policy will work, which contracts it would apply to or what percentage of a company’s costs would be covered. DOD is using the summer to conduct “roadshow” outreach sessions, sending officials across the country to meet with contractors, explain the new maturity model and take feedback from industry on the best way to structure the framework.

James Goepel, CEO and general counsel for the cybersecurity consulting firm Fathom Cyber, told FCW he has serious doubts as to whether many defense contractors will be ready by September 2020. For most companies, the associated costs are less about assets and technology and more about human resources, training employees and allocating the personnel to map out and formalize internal IT policies. Still, the potential for an initial shock to the federal contracting system is real.

“I do think that it’s going to hurt us in the short term from a product-availability perspective,” said Goepel, who also teaches cybersecurity at Drexel University’s Law and Business schools. “The government is going to miss out on stuff, and there are going to be companies that go out of business because of this. But in the end, I think that it may actually be a better thing for country, unfortunately.”

Metzger doesn’t go that far, but said he does believe one short-term effect of the framework could be that a certain percentage of companies end up exiting the federal contracting space. In particular, the impact might be hardest on small and medium-sized businesses — both subcontractors and primes — with fewer financial resources that have traditionally evaded the same level of scrutiny directed towards prime contractors. Still, Metzger said he expects most companies will shoot for a middle ground that balances cost with business opportunity.

“I think the short-term impact is that companies of all sizes are going to be looking at affordable, effective ways to improve their cybersecurity. Nobody knows exactly today what you will need to do to get a security rating score of [1-5],” Metzger said. “Very few companies are going to strive for a 5 … but very few are going to want to have only a 1. I’m thinking that many companies will be targeting their investments and actions to be sure that when the scoring method comes into place that they will get at least a 3.

“I think the short-term impact is that companies of all sizes are going to be looking at affordable, effective ways to improve their cybersecurity. Nobody knows exactly today what you will need to do to get a security rating score of [1-5],” Metzger said. “Very few companies are going to strive for a 5 … but very few are going to want to have only a 1. I’m thinking that many companies will be targeting their investments and actions to be sure that when the scoring method comes into place that they will get at least a 3.”

CREDIT: Derek B. Johnson, FCW

It’s tough for small-to-medium businesses (SMBs) to feel cyber-secure when there are newsworthy breaches that have hit major, household-name companies, affecting millions of customer records. Equifax (148 million customer records), JPMorgan Chase (83 million), Marriott International (500 million), Target (110 million), and Yahoo (3 billion) are just a few examples. The situation for SMBs is even worse: they are inherently limited, by comparison, in the amount of money, the number of employees and the kind of technology they can devote to cybersecurity. But that doesn’t mean SMBs are helpless.

When it comes to seeking protection from emerging cybersecurity threats, there are four key challenges that SMBs often run into:

1. SMBs are very concerned about security but face constraints ranging from a lack of funds to in-house expertise.
2. Because most SMBs lack sufficient cybersecurity staff, they need to rely on simple, but effective, security solutions.
3. Attacks on SMBs continue to escalate, particularly phishing attacks, which often result in malware infecting their networks.
4. Adding to the complexity of cybersecurity is the increased reliance by SMBs on new IT architecture with new services such as cloud computing and software-defined networks.

We dove into this particular topic further with our 2018 SMB IT Security Report. We found that as many as 80 percent of SMB operators we surveyed rank security as a top business concern for them. However, 52 percent of them share cybersecurity responsibilities across several people in their workforce. Only 27 percent have a dedicated security professional on staff, and only 17 percent of them contract with an outside vendor for cybersecurity.

Thankfully, there are several steps SMBs can take now to mitigate future problems and educate their employees on how they can be more cybersecurity aware when it comes to  issues such as hacking, malware, phishing, and other threats. As it’s often said, employee training is the best first line of defense to protect the organization against breaches.

To focus your SMB’s attention on cybersecurity, here are five key steps to secure your organization’s network and future.

Email security

Though email is a critical system for you to communicate with your colleagues, customers, vendors and others, it’s also a key tool of cybercriminals. “Phishing” emails are designed to look legitimate but often contain malicious links or attachments designed to trick you into clicking them. Once you do, the attacker can gain access to your device to obtain your credentials, personal information or other critical information about your business. Further, the hacker can also gain access to any other devices on the same network, causing further damage. A high-profile example of this is the Target breach in 2013 that involved hackers getting into the retailer’s network via a trusted third-party vendor called Fazio Mechanical Services, which, once infiltrated, gave them access to Target’s servers. The hackers targeted the third-party vendor knowing they had a better chance of accessing their systems than Target’s directly.

Companies need to train employees — and others with access to the network — to be on the lookout for suspicious emails and to avoid being tricked into opening them.

Virtual Private Networks (VPN)

VPNs are designed to provide a safe and secure connection when people are communicating with the corporate network from remote locations. While VPNs ensure a secure connection between bilateral traffic on a corporate network, not all employers offer them. When employees use their own or work-provisioned devices over a public Wi-Fi network, such as at a coffee shop or an airport terminal, without a VPN, they can be vulnerable to a range of issues such as packet sniffing or man-in-the-middle attacks. Your employees need to be trained to avoid using public Wi-Fi without a VPN, particularly when it involves sharing sensitive company or personal information. Better yet, seek out VPN solutions to provide a secure connection to a safe network anywhere the device may roam.

Bring Your Own Device (BYOD)

When smartphones and tablets became popular, employees started using devices they bought for personal use in the workplace, causing employers to scramble to protect the network against promiscuous devices that could carry malware payloads.

To accommodate BYOD and secure your network, SMBs should adopt an Acceptable Use Policy (AUP) — just as enterprises do — that provides rules for what individuals can access when connecting to the network. Companies can also create a Captive Portal page, forcing users to agree to certain terms before accessing the network. Once accepted, the IT administrator can enforce rules and have visibility over what those devices are doing.

SMBs should also force all guest devices, and personally owned devices, to connect to a separate network that does not have access to the company’s critical data. This limits the impact in the event one of those devices is breached, protecting company data and minimizing the reach the hacker could have on other devices.

Antivirus and Anti-malware Solutions

It’s critical for your SMB to deploy technology on your network that protects against spam, malware and computer viruses. But this is not a set-it-and-forget-it solution. Cybercriminals are constantly changing their plan of attack and revising their formulae to outsmart security solutions. You may have heard the term “zero-day attacks,” which are cyberattacks that don’t match existing signatures. To keep up with these constant attacks, your malware or antivirus solution must be constantly monitored and upgraded as the threats change.

General Security Awareness

Besides all the specific policies and strategies we’ve mentioned so far, it’s important for your SMB to adopt cybersecurity as a core function of your organization just like sales, marketing, finance, product development and the like. You should consider conducting cybersecurity training and continuous testing to keep employees aware of the evolving tactics hackers are using. Adding basic cybersecurity hygiene and awareness training will pay dividends.

No organization is too small to risk being a target for cybercriminals. When it comes to cybersecurity, an ounce of prevention is worth a pound of cure. Start conversations early and often about what you can do to protect your business-critical systems and data. Otherwise, you risk losing not only time and money, but also the trust of your customers.

CREDIT: Dirk Morris, Smallbizdaily

For large organizations with deep pockets, an information security breach is an expensive and embarrassing debacle whose ramifications can last years. But for small and medium-sized businesses (SMBs), a severe incident could mean the end of their business entirely. Centered around people, processes and technology, there are steps organizations of any size can and should take to protect themselves and their clients.

According to Global Market Insights (registration required), the cybersecurity industry was worth over $120 billion at the start of 2017, and it grows by the minute as more frequent and more sophisticated attacks are reported. With data breaches in large corporations and government agencies getting the most attention in the press, it would be easy to think that a smaller company doesn’t have much to worry about. Unfortunately for many SMBs, the growing number of security attacks says something very different.

In 2018, SMBs were the target of 43% of cyber attacks, according to the small business mentor group SCORE. Often, hackers use smaller, more vulnerable companies as a way into larger targets that they do business with. This can ruin the smaller organization’s reputation and its ability to partner with other businesses in the future.

It’s not all bad news, though. Most attempted security breaches can be thwarted with some planning, vigilance and basic precautions. Here are some tips that you can follow as a business owner to get the most out of your information security efforts:

1. Bake security into your systems and software.

Security shouldn’t be an add-on or an afterthought, but rather a fundamental part of your organization’s information assets from the outset. It should be part of the foundation of both end-user product design and internal system architecture. Whenever feasible, your systems should be secure by design, following (among other practices) the “principle of least privilege,” where system users only have the access rights needed to do their jobs. It’s never too late, though, to beef up your existing systems. From minor tweaks to total redesigns, it’s worth the effort to protect your company’s assets and reputation.

2. Embed cybersecurity in your company’s culture.

Unfortunately, even the most secure systems in the world have one Achilles’ heel: people. People are almost always the weak link in the chain when it comes to cybersecurity. Whether due to a lack of awareness or an unwillingness to follow security practices, one non-compliant employee can potentially render all of your security efforts useless. For SMBs without the capital to recover from a major incident, everyone’s jobs are on the line. Training and frequent refreshers are critical, but you should also strive to embed good cybersecurity into the culture of your organization by setting a good example at the management level, as well as emphasizing best practices in all aspects of your operations. Employees should not only be trained on what to do but also why they are doing it. It’s important to remind them of the consequences of a data breach.

3. Plan your incident and disaster response.

Part of being proactive is being ready in the unfortunate event of a cybersecurity incident, or a disaster (natural or man-made) that compromises your systems. No organization’s information security strategy is complete without formal, in-depth incident management and response plans, as well as a disaster recovery plan (DRP). Although your IT department is not typically your cybersecurity team, it is closest to your systems and often at the tip of the spear in the event of an incident. They should be prepared, both through training and through involvement in response planning, to work closely with cybersecurity experts during response and recovery. Consider including other departments as well in your response and recovery procedures — and hold mock incidents or drills to prepare everyone for their role.

4. Monitor and patch your security.

Hackers can, and do, strike from anywhere at any time. Constant network monitoring is critical for not only detecting and potentially thwarting attacks but also for fast and effective recovery from a breach. Network monitoring software produces event logs that help your security team identify where and how hackers are focusing their efforts. Part of this constant vigilance is to consistently update and maintain the latest versions and security patches of all software on your systems. Software patches shore up known vulnerabilities — servers with out-of-date software become easy prey for opportunistic hackers who are always on the lookout for such an opportunity.

5. Think like a bad guy.

Securely designed systems can still have vulnerabilities. Hackers always seem to be a step ahead of both law enforcement and information security professionals, but they also prefer to take the path of least resistance. They are constantly probing their targets for weaknesses and waiting for their moment to strike. You don’t want cybercriminals to be the first to discover a vulnerability that compromises your business, partners or customers. By taking a proactive security approach — with thorough penetration testing — you can use the same tools as malicious hackers, beating them to the punch by finding and closing security gaps in your systems.

6. Get an external view of your current security posture.

Large, prominent companies can afford to throw substantial amounts of money at cybersecurity, often employing a Chief Information Security Officer (CISO) and other support personnel to handle all aspects of cybersecurity. Despite recognizing the importance of information security, not all organizations can afford or even need to have the expertise in-house. Consider getting a third party to assess your cybersecurity needs and help you determine what threats and vulnerability your SMB faces or could face as you grow. With this information, you’ll be best equipped to make decisions regarding how to proceed in protecting yourself.

The bottom line is that smaller organizations can no longer afford to put information security on the back burner — the risks are too real and the stakes are too high.

CREDIT: Jaime Manteiga, Forbes

BALTIMORE — A Maryland congressman said on Friday that the National Security Agency had denied that one of its hacking tools, stolen in 2017, was used in a ransomware attack on Baltimore’s government that had disrupted city services for more than three weeks.

The statement, made by Representative C.A. Dutch Ruppersberger, came in response to an article in The New York Times last weekend. The Times was told by people directly involved in the investigation in Baltimore that the N.S.A. tool, EternalBlue, was found in the city’s network by all four contractors hired to study the attack and restore computer services.

Investigators are still trying to determine the exact chronology of the attack. The leading theory is that hackers broke in through an open server in Baltimore’s network, installed a back door and then used EternalBlue to move across the city’s computers searching for valuable servers to infect, said the people involved in the investigation.

This week, the contractors discovered an additional software tool, called a web shell, on Baltimore’s networks. They believe the web shell may have been used in conjunction with EternalBlue and another hacking technique known as “pass-the-hash,” which uses stolen credentials, to spread the ransomware.

The people involved in the investigation spoke to The Times on the condition of anonymity because they were not authorized to discuss it on the record.

N.S.A. officials are naturally sensitive to reports of continuing damage done by their hacking tools, stolen and released on the internet in 2017 by a still-unidentified group calling itself the Shadow Brokers. EternalBlue and other N.S.A. tools were used in attacks by North Korea and Russia later that year that caused billions of dollars in damage to corporations and governments around the world.

More recently, according to cybersecurity experts, EternalBlue has turned up in attacks on local governments in the United States, which often used aging equipment and fail to keep their software up to date. A patch issued by Microsoft in 2017, but apparently never installed in Baltimore, should have made Windows secure against EternalBlue.

An N.S.A. spokesman declined to comment on the congressman’s statement or the Times article, which was published online on Saturday. A spokesman for Baltimore’s mayor’s office also said he could not comment on the continuing investigation.

Mr. Ruppersberger, a Democrat whose district includes the N.S.A.’s Fort Meade campus south of Baltimore, said in his statement that he had been briefed by “senior leaders” of the N.S.A. They told him that “there is no evidence at this time that EternalBlue played a role in the ransomware attack affecting Baltimore City.”

He added: “I’m told it was not used to gain access nor to propagate further activity within the network.”

The statement did not explain how N.S.A. learned the details of the forensic investigation in Baltimore, which is being carried out by the private contractors. The Federal Bureau of Investigation has also opened an inquiry but has not commented publicly on any findings.

The N.S.A. routinely hunts for security flaws in widely used software and uses them to penetrate foreign computer networks and gather intelligence. It used EternalBlue for such spying for at least five years before the Shadow Brokers stole the tool and posted it on the web to be grabbed and used by foreign states and criminal hackers.

“Our country needs cybertools to counter our enemies, including terrorists, but we also have to protect these tools from leaks,” Mr. Ruppersberger said. “We can’t ignore the damage that past breaches have done to American companies and, possibly, American cities. Now, our focus now should be on Baltimore’s recovery.”

Some former N.S.A. officials have suggested that Baltimore bears some responsibility for the attack, because it evidently had not installed updates to Windows that might have kept its system safe. But Mr. Ruppersberger said “the reality is that patching can be hard and requires resources that many municipalities don’t have.”

He said he thought the federal government “needs to do more to help municipalities better protect their networks.”

CREDIT: Scott Shane and Nicole Perlroth, The New York Times