It is estimated that there are around 300,000 companies in the Defense Industrial Base (“DIB”) across the manufacturing and non-manufacturing sectors. Roughly 99% of the DIB is made up of small and medium-sized businesses, that is, companies with fewer than 500 employees. Since December 2017, all companies in the DIB have had the Defense Federal Acquisition Regulation Supplement (“DFARS”) clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) in their contracts. After nearly three years, a number of incorrect assumptions persist in the DIB, two of which bear deeper discussion.
The First Assumption: Self-Attestations Are No Big Deal
By accepting the terms of a contract with the DoD, a manufacturer self-attests that it provides “adequate security” for the Controlled Unclassified Information (“CUI”) it handles. The DFARS clause defines adequate security as, at a minimum, implementing the 110 security requirements in NIST Special Publication 800-171. Self-attestation is not a checkbox: the contractor is making a representation to the government that it has actually implemented those requirements, and the clause also obligates it to report cyber incidents affecting covered defense information.
Many manufacturers assume that their cybersecurity program is already sufficient. CMTC clients typically begin a cybersecurity engagement by estimating that they are 70% to 80% compliant. However, the running average after a basic gap analysis is around 34% compliant.
Previous blog posts have covered the often-overlooked legal risks of non-compliance with cybersecurity requirements. Ultimately, if a company wants to do business with the Department of Defense (DoD), it must accept the terms of the contract and, in doing so, self-attest to a compliant cybersecurity posture. Attesting to a posture the company does not actually have is the risk, not the attestation itself.
The Second Assumption: External IT Providers Alone Are the Answer
Many small businesses lack dedicated IT personnel and resources. As a result, many manufacturers rely on third-party IT service providers. For these small businesses to operate, the external provider is entrusted with extensive administrative access to company information systems. That access is itself part of the manufacturer's attack surface: the provider's credentials, remote-access tooling and privileged accounts are a path into the manufacturer's systems, and several NIST SP 800-171 requirements (access control, least privilege, audit logging) apply to them just as they do to the manufacturer's own staff. Too often, manufacturers simply assume that everything is progressing as planned. Manufacturers need to oversee their third-party IT providers in order to understand what actions are actually being taken on their systems. The manufacturer's cyber journey with an IT provider is collaborative, with the company engaged in both the activities and the outcomes of the provider's work.
In addition, roughly half of the 110 security requirements concern the technical operations and technology solutions normally provided by a third-party IT provider; the remainder (policies, training, personnel security, physical protection, risk and incident management) are the manufacturer's own to implement. Some of these measures are so fundamental to business operations that the government reasonably assumed every DoD supplier would already be managing its own risk. The manufacturer and the IT provider must work together to achieve compliance, but the responsibility cannot be outsourced: the DoD supplier, not the provider, is the party that signed the contract, and it carries the responsibility for compliance on a long-term basis.
Taken together, these two incorrect assumptions can create tremendous technical and compliance debt.
Government cybersecurity compliance auditing is on the way, so the best path forward is to oversee your IT provider and work collaboratively toward your overall compliance.
Recommended Next Steps
1) Focus on your existing DFARS requirements.
2) Take the time to thoroughly understand the assumptions underlying NIST SP 800-171.
3) Establish a robust third-party vendor management process, including oversight of the administrative access your IT provider holds.
4) Take the time to thoroughly understand your contractual flow-down obligations: the DFARS clause must be flowed down to subcontractors that handle covered defense information, so your suppliers' posture becomes your problem too.
For a brief overview of the overall regulatory ecosystem, and a more in-depth discussion of the topics outlined in this post, you can view the on-demand CMTC webinar here.