On Dec. 30th, 2015 the United States Department of Defense (DoD) issued a new interim rule, Network Penetration Reporting and Contract for Cloud Services (DFARS Case 2103-D018). This interim rule expands the 2013 amendment to the Defense Federal Acquisition Regulation Supplement (DFARS) Subpart 204.73 and contract clause DFARS 252.204-7012, imposing heightened security safeguards, mandatory reporting requirements and subcontractor flow-downs on DoD contractors handling Covered Defense Information (CDI).
This resulted in a cybersecurity review and compliance effort for all primes and flow-down subcontractors that handle Controlled Unclassified Information (CUI). The required compliance assessment for commercial entities was specified in NIST Special Publication SP800-171. With the DoD-imposed implementation deadline of Dec. 31, 2017 for all future contracts, many companies have been working on implementation, but may still need to address basic compliance. Many small businesses share a similar mindset:
- They do not understand the full impact of the cyber threat
- They believe they are fully protected already
- Because they have not experienced a problem, they ignore the risk
- It is too expensive to fix
- They do not have the resources to complete the job
The Motivation behind Implementing NIST SP800-171:
At Protomatic we consider this area a “critical business need” for our company. It is important to understand the business motivation for an SP800-171 implementation. In our case, we had five principal reasons.
1. CUSTOMER DRIVEN - Requested by the Prime Contractor and it is a requirement of the contract terms and conditions.
2. PROTECT YOUR BUSINESS FROM A SLOWDOWN OR SHUTDOWN due to malware or ransomware. Statistics have shown that data breaches are expensive for many reasons, and a good percentage of small businesses may not even survive one year after a breach.
3. PROTECT YOUR CUSTOMERS' DATA - Protect the CUI and intellectual property of your customers.
4. MARKETING/SALES DIFFERENTIATOR - This is a very important aspect. It gives the client confidence in your computer systems and procedures.
5. ISO REQUIREMENT - Quality Management Systems like ISO-9001, ISO-13485 (Medical QMS) and AS9100D (Aerospace QMS) require a risk analysis approach to running a business. This approach is essential to understanding the many facets of possible cyber security breaches, and it helps IT and management understand the implications prior to an event.
“Protect your Business” was our trigger, but all were equally important, and the other motivations also needed to be addressed. Many companies are also upgrading their QMS, and there is a fundamental change in the standard regarding responsibility: the new standard makes Management technically responsible for the QMS, with no requirement for a Quality Representative. Additionally, the standard(s) apply a Risk/Mitigation decision-making philosophy to business decisions. These QMS improvements lead naturally to a Risk/Mitigation approach to cybersecurity for ISO9001, ISO-13485 and AS9100 based companies.
Management Think - ROR
Management sometimes needs to change its business thinking. We use ROI (Return on Investment) thinking for projects and improvements, but additionally we also review on ROR (Return on Risk). This is because many cyber improvements simply are not high returns on investment, yet they address high risks of a potential shutdown or slowdown. Look for opportunities to kill two birds with one stone; an “aging server replacement”, for example, is a great opportunity to make multiple improvements at once.
Find your Business Cyber Difference
Every business's cyber approach can be quite different from the next. We operate in a “Private Style”, limiting access to a strict “need to know” basis. Many employees do not have internet access. Where internet access is provided, it is restricted, reviewed, and monitored. We do not use cloud computing or allow wireless access behind the firewall. We can test files, software and conditions on virtual servers prior to implementation. It sounds restrictive, but it does not limit the efficiency or effectiveness of any employee or their tasks.
Details of our computer system configuration are highly confidential, but the NIST SP800-171 publication does outline fourteen areas with nearly 150 different cyber requirements to consider. These are presented as a checklist that is relatively easy to answer. To start, perform an assessment, test your IT staff, and see how your company measures up to NIST SP800-171.
Many businesses simply do not understand their cyber systems' weaknesses. Over the last two years we have measured our progress and have made significant gains. In doing so we have observed the following trends:
- Manufacturing equipment is gaining higher complexity in order to gain higher efficiency
- There is more demand for, and we are more dependent than ever on, computer systems
- The IT department requires more intense management oversight
New Risks and Improvements
This area will always be a work in progress, but we continue to make critical improvements. Remember that cyber security is critical infrastructure, and never let your guard down.