Following rules of engagement is a common concept, but knowing the rules — and whether they really apply to one’s own business — is not always a common condition. The federal market can be especially confusing for smaller companies that may be delivering similar products or services to both civilian and military/defense/aerospace agencies.

If you know enough to ask about DFARS 252.204-7012 compliance, hold grants or contract awards subject to the provisions, or are contemplating entering the Department of Defense (DoD) market, you should at least be on the path to Defense Federal Acquisition Regulation Supplement (DFARS) compliance. By September 2020, meeting the required security level contained in a DoD solicitation will be the basis for a go/no-go decision on further consideration of an offeror’s cost, schedule, and performance qualifications.

Announced changes to federal procurement practices, particularly for DoD-related contracts, put into play provisions for supply chain security and resiliency based, in part, on the 2018 “Deliver Uncompromised” study from MITRE Corporation. Widely publicized leaks of government-funded intellectual property and other proprietary information have intensified concerns about the vulnerability of the defense industrial base (DIB), one of the 16 industry sectors defined by the Department of Homeland Security (DHS) as “critical infrastructure.” The Office of the Under Secretary of Defense for Acquisition & Sustainment notes on its website that DoD is “planning a series of engagements across the United States in order to solicit inputs and feedback from the [DIB] sector.”

Starting this year, the compliance model will begin to move from self-attestation (i.e., the current NIST SP 800-171 compliance model) to third-party validation in accordance with the new, five-level Cybersecurity Maturity Model Certification (CMMC). Presentations and discussions of the CMMC process and expectations are scheduled in 12 cities around the U.S. The intention is to release the Defense 5000 acquisitions document with updated RFP Sections L and M this summer, allow some costs related to compliance, and build out a CMCC center for cybersecurity education and training. Meanwhile, NIST SP 800-171 Revision 2 has also been published in draft form.

So how does a manufacturer navigate Uncle Sam’s growing emphasis on DFARS compliance? Here are questions existing and prospective manufacturers involved in DoD supply chains often ask, along with some actionable answers.

My organization is a federal vendor. Do I need to worry about cybersecurity?

Yes. The federal acquisition regulation (FAR) governs all federal government acquisitions and contracting procedures; DFARS is the special supplement for DoD-related contracts. The FAR Final Rule 52.204-21 on “Basic Safeguarding of Contractor Information Systems,” which became effective 15 June 2016, contains 15 controls that are considered the minimal baseline for federal contractors. These controls resonate with basic security objectives contained in NIST SP 800-171 Revision 2.

My organization is a Tier 3 supplier to the DoD, and the prime contractor is compliant with NIST SP 800-171. Does that mean my organization is covered?

No. NIST SP 800-171 requires that prime contractors “flow down” security control objectives to organizations within their supply chains. Primes must clearly mark information identified as Covered Defense Information (CDI) or Controlled Unclassified Information (CUI) that is passed through their supply chain, and may provide secure project or work order communications platforms as well as training for their vendors. At present, organizations can self-attest to compliance.

How will compliance be verified?

DoD will develop an automated tool to assist in gathering data, simplify reporting requirements, and deploy DoD-accredited third-party auditors to verify a vendor’s appropriate security based on the data it handles. Cybersecurity will become an allowable expense in DoD contracts, meaning that the DoD may pay for cybersecurity in some instances.

What are the consequences of being out of compliance with DFARS?

Misrepresenting compliance with DFARS may result in work order termination, liability under the False Claims Act, and/or a contract action report (CAR) against your organization or the upstream prime.

Where can my organization go for additional information?

The NIST MEP Cybersecurity Self-Assessment Handbook explains the current NIST SP 800-171 security requirements. You can also use the MEP National Network online Cybersecurity Self-Assessment tool. Plus, your local MEP Center can offer further assistance in navigating the FAR and DFARS requirements and compliance process.

Rather than characterize the FAR and DFARS rules of engagement as unwelcome costs of doing federal business, organizations should consider them proactive measures to guard against a much broader range of risks that businesses face regardless of customer market. Such risks include the loss (or unintentional sharing) of intellectual property, vulnerability to ransomware, exposure of confidential employee information, and financial issues associated with business email compromise (e.g., fake invoices and fraudulent wire transfer requests). Cybersecurity simply helps control business risk!

CREDIT: Jennifer Kurtz, IndustryWeek

Defense contractors will face big changes and tight timelines over the next year as the Department of Defense rolls out its new Cybersecurity Maturity Model Certification framework, experts say.

The framework, which aims to certify a company’s compliance with federal cybersecurity regulations around controlled unclassified information (CUI), was announced by DOD officials in June. It will be used to evaluate and rate contractors’ ability to protect sensitive data on a 1-5 scale starting next year.

The initial version of the framework is scheduled to go public in January 2020. By June 2020, its requirements will start appearing in requests for information, and will become a regular feature of defense procurement by September 2020. That means defense contractors will have less than eight months to implement changes for compliance with the Defense Federal Acquisition Regulation Supplement and National Institute of Standards and Technology guidance on protecting CUI.

“Any timeline would seem ambitious. One that looks to have this in operation by 2020, it’s going to be difficult,” said Robert Metzger, a lawyer specializing in government contracts and commercial litigation and a consultant for MITRE focusing on supply chain security issues. “Naturally industry has a lot of questions about the mechanics…. Companies are understandably uncertain as to how these changes will affect what they’re doing, how they will demonstrate eligibility for contracts and what the costs might be upon their operations.”

High costs, confusing guidance and low return on investment have all been cited as reasons for compliance challenges among defense contractors. Traditionally, DOD has declined to cover the costs associated with implementing acquisition regulations related to cybersecurity for CUI, but that has slowly changed over the past 12 months as military contractors have faced unprecedented attacks from foreign-sponsored hackers.

Last year, then-Deputy Secretary of Defense Patrick Shanahan expressed reluctance of the part of DOD to help contractors cover added costs for cybersecurity, saying security should be a baseline expectation in contracts. However, at a Professional Services Council event earlier this month, Katie Arrington, special assistant to the assistant secretary of defense for acquisition, announced that the department would allow contractors to write off a portion of their cybersecurity spending for government contracts, including implementing NIST guidance.

Alan Chvotkin, executive vice president and counsel for the Professional Services Council, welcomed the shift, telling FCW that it would be contradictory for DOD to refuse to provide financial incentives around cybersecurity at the same time it has expressed a desire to expand the number businesses that make up the defense industrial base.

Allowing contractors to write off a portion of their cybersecurity compliance activity is “an acknowledgement by the department that cybersecurity is not free,” he said.

“To be a smart businessman, let alone a contractor, you ought to undertake this [level of security], because our adversaries are stealing everything,” Chvotkin said. “On the other hand, [DOD] is trying to entice nontraditional companies and small companies who otherwise … might not see the need to incur such significant costs to reach the level that is expected as a contractor or subcontractor.”

Still, it’s not clear how DOD’s reimbursement policy will work, which contracts it would apply to or what percentage of a company’s costs would be covered. DOD is using the summer to conduct “roadshow” outreach sessions, sending officials across the country to meet with contractors, explain the new maturity model and take feedback from industry on the best way to structure the framework.

James Goepel, CEO and general counsel for the cybersecurity consulting firm Fathom Cyber, told FCW he has serious doubts as to whether many defense contractors will be ready by September 2020. For most companies, the associated costs are less about assets and technology and more about human resources, training employees and allocating the personnel to map out and formalize internal IT policies. Still, the potential for an initial shock to the federal contracting system is real.

“I do think that it’s going to hurt us in the short term from a product-availability perspective,” said Goepel, who also teaches cybersecurity at Drexel University’s Law and Business schools. “The government is going to miss out on stuff, and there are going to be companies that go out of business because of this. But in the end, I think that it may actually be a better thing for country, unfortunately.”

Metzger doesn’t go that far, but said he does believe one short-term effect of the framework could be that a certain percentage of companies end up exiting the federal contracting space. In particular, the impact might be hardest on small and medium-sized businesses — both subcontractors and primes — with fewer financial resources that have traditionally evaded the same level of scrutiny directed towards prime contractors. Still, Metzger said he expects most companies will shoot for a middle ground that balances cost with business opportunity.

“I think the short-term impact is that companies of all sizes are going to be looking at affordable, effective ways to improve their cybersecurity. Nobody knows exactly today what you will need to do to get a security rating score of [1-5],” Metzger said. “Very few companies are going to strive for a 5 … but very few are going to want to have only a 1. I’m thinking that many companies will be targeting their investments and actions to be sure that when the scoring method comes into place that they will get at least a 3.

“I think the short-term impact is that companies of all sizes are going to be looking at affordable, effective ways to improve their cybersecurity. Nobody knows exactly today what you will need to do to get a security rating score of [1-5],” Metzger said. “Very few companies are going to strive for a 5 … but very few are going to want to have only a 1. I’m thinking that many companies will be targeting their investments and actions to be sure that when the scoring method comes into place that they will get at least a 3.”

CREDIT: Derek B. Johnson, FCW

It’s tough for small-to-medium businesses (SMBs) to feel cyber-secure when there are newsworthy breaches that have hit major, household-name companies, affecting millions of customer records. Equifax (148 million customer records), JPMorgan Chase (83 million), Marriott International (500 million), Target (110 million), and Yahoo (3 billion) are just a few examples. The situation for SMBs is even worse: they are inherently limited, by comparison, in the amount of money, the number of employees and the kind of technology they can devote to cybersecurity. But that doesn’t mean SMBs are helpless.

When it comes to seeking protection from emerging cybersecurity threats, there are four key challenges that SMBs often run into:

1. SMBs are very concerned about security but face constraints ranging from a lack of funds to in-house expertise.
2. Because most SMBs lack sufficient cybersecurity staff, they need to rely on simple, but effective, security solutions.
3. Attacks on SMBs continue to escalate, particularly phishing attacks, which often result in malware infecting their networks.
4. Adding to the complexity of cybersecurity is the increased reliance by SMBs on new IT architecture with new services such as cloud computing and software-defined networks.

We dove into this particular topic further with our 2018 SMB IT Security Report. We found that as many as 80 percent of SMB operators we surveyed rank security as a top business concern for them. However, 52 percent of them share cybersecurity responsibilities across several people in their workforce. Only 27 percent have a dedicated security professional on staff, and only 17 percent of them contract with an outside vendor for cybersecurity.

Thankfully, there are several steps SMBs can take now to mitigate future problems and educate their employees on how they can be more cybersecurity aware when it comes to  issues such as hacking, malware, phishing, and other threats. As it’s often said, employee training is the best first line of defense to protect the organization against breaches.

To focus your SMB’s attention on cybersecurity, here are five key steps to secure your organization’s network and future.

Email security

Though email is a critical system for you to communicate with your colleagues, customers, vendors and others, it’s also a key tool of cybercriminals. “Phishing” emails are designed to look legitimate but often contain malicious links or attachments designed to trick you into clicking them. Once you do, the attacker can gain access to your device to obtain your credentials, personal information or other critical information about your business. Further, the hacker can also gain access to any other devices on the same network, causing further damage. A high-profile example of this is the Target breach in 2013 that involved hackers getting into the retailer’s network via a trusted third-party vendor called Fazio Mechanical Services, which, once infiltrated, gave them access to Target’s servers. The hackers targeted the third-party vendor knowing they had a better chance of accessing their systems than Target’s directly.

Companies need to train employees — and others with access to the network — to be on the lookout for suspicious emails and to avoid being tricked into opening them.

Virtual Private Networks (VPN)

VPNs are designed to provide a safe and secure connection when people are communicating with the corporate network from remote locations. While VPNs ensure a secure connection between bilateral traffic on a corporate network, not all employers offer them. When employees use their own or work-provisioned devices over a public Wi-Fi network, such as at a coffee shop or an airport terminal, without a VPN, they can be vulnerable to a range of issues such as packet sniffing or man-in-the-middle attacks. Your employees need to be trained to avoid using public Wi-Fi without a VPN, particularly when it involves sharing sensitive company or personal information. Better yet, seek out VPN solutions to provide a secure connection to a safe network anywhere the device may roam.

Bring Your Own Device (BYOD)

When smartphones and tablets became popular, employees started using devices they bought for personal use in the workplace, causing employers to scramble to protect the network against promiscuous devices that could carry malware payloads.

To accommodate BYOD and secure your network, SMBs should adopt an Acceptable Use Policy (AUP) — just as enterprises do — that provides rules for what individuals can access when connecting to the network. Companies can also create a Captive Portal page, forcing users to agree to certain terms before accessing the network. Once accepted, the IT administrator can enforce rules and have visibility over what those devices are doing.

SMBs should also force all guest devices, and personally owned devices, to connect to a separate network that does not have access to the company’s critical data. This limits the impact in the event one of those devices is breached, protecting company data and minimizing the reach the hacker could have on other devices.

Antivirus and Anti-malware Solutions

It’s critical for your SMB to deploy technology on your network that protects against spam, malware and computer viruses. But this is not a set-it-and-forget-it solution. Cybercriminals are constantly changing their plan of attack and revising their formulae to outsmart security solutions. You may have heard the term “zero-day attacks,” which are cyberattacks that don’t match existing signatures. To keep up with these constant attacks, your malware or antivirus solution must be constantly monitored and upgraded as the threats change.

General Security Awareness

Besides all the specific policies and strategies we’ve mentioned so far, it’s important for your SMB to adopt cybersecurity as a core function of your organization just like sales, marketing, finance, product development and the like. You should consider conducting cybersecurity training and continuous testing to keep employees aware of the evolving tactics hackers are using. Adding basic cybersecurity hygiene and awareness training will pay dividends.

No organization is too small to risk being a target for cybercriminals. When it comes to cybersecurity, an ounce of prevention is worth a pound of cure. Start conversations early and often about what you can do to protect your business-critical systems and data. Otherwise, you risk losing not only time and money, but also the trust of your customers.

CREDIT: Dirk Morris, Smallbizdaily