3 Challenges to Meeting Supply Chain Cybersecurity Requirements
More than two years ago, the Department of Defense (DoD) sounded the alarm for increased cybersecurity with a new set of controls designed to raise the level of safeguarding standards across the industry.
The requirements specified in Defense Federal Acquisition Regulation Supplement (DFARS) provision 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting”, were gleaned from Special Publication (SP) 800-171, authored by the National Institute of Standards and Technology (NIST).
A non-regulatory government agency designed to promote U.S. innovation and industrial competitiveness, NIST identified a set of 110 security control requirements, appropriate for non-government organizations, to be implemented by December 31st of 2017. But even with the deadline long since passed, many contractors are still struggling to meet these standards. Here are the three main reasons why…
Lack of Resources
NIST’s daunting to-do list has left many small to medium companies wondering how they’ll close the gap between what is required and what they can afford to implement.
Put at a disadvantage by budget and workforce limitations, companies find themselves falling behind due to a lack of cost-effective solutions and an inability to dedicate the manpower to keep their cybersecurity standards up-to-date.
Companies must report any shortcomings or gaps in their compliance to the DoD’s Chief Information Officer (CIO) within 30 days of any contract award. That means that the time and resource constraints are only exacerbated if the people in charge don’t have an intimate understanding of the NIST SP 800-171 security controls.
These companies need help but don’t know where to turn. As a result, they’ve found themselves exposed to increasingly advanced cybersecurity threats and will continue to accrue non-compliance penalties until they can find the assistance they need.
In an attempt to provide flexibility, make the controls technology-neutral, and allow for contractors to implement whatever solutions best fit their company, NIST has inadvertently made it difficult to know whether your company has actually achieved compliance or not.
The first challenge contractors face is assessing whether or not an information system is processing covered defense information (CDI). CDI is defined by the registry maintained by the National Archives and Records Administration and includes Controlled Technical Information (CTI) and Controlled Unclassified Information (CUI).
If these information systems are precisely specified in the awarded contract, the process is simplified. But DFARS has also included CUI that is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
This opens the door for large chunks of information that have been created or are received by contractors, but not marked, to also be considered CDI, making the process of identifying which systems process this information much more difficult.
On top of this, the DoD does not currently have any system in place to certify compliance and has not authorized any third-party certification process, leaving it up to you to accurately assess where you stand at any given moment.
As with any complex set of rules, the risk for human error also enters the mix. In the midst of wrapping their heads around a barrage of complicated regulations, many people simply drop the ball.
In companies that are already struggling to dedicate the necessary human resources to compliance, the overwhelm of adjusting to a whole new world of security requirements can lead to small errors that pave the way for much bigger problems.
In cases like these, it’s essential to have an extra set of eyes on the details to make sure problems don’t snowball and create an avalanche down the line.
Rising to the Challenge
If you’re a defense contractor struggling to keep up with NIST 800-171 requirements, performing a compliance assessment should be your top priority. CyberSheath’s Managed Security Services can help you identify the roadblocks on your path to NIST compliance and find cost-effective solutions to overcome them. Contact us today for a free consultation to find out more.