3 Challenges to Meeting Supply Chain Cybersecurity Requirements

By Richard Brechwald • October 16, 2018

More than two years ago, the Department of Defense (DoD) sounded the alarm for increased cybersecurity with a new set of controls designed to raise the level of safeguarding standards across the industry.
The requirements specified in Defense Federal Acquisition Regulation Supplement (DFARS) provision 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting”, were gleaned from Special Publication (SP) 800-171, authored by the National Institute of Standards and Technology (NIST).
A non-regulatory government agency designed to promote U.S. innovation and industrial competitiveness, NIST identified a set of 110 security control requirements, appropriate for non-government organizations, to be implemented by December 31st of 2017. But even with the deadline long since passed, many contractors are still struggling to meet these standards. Here are the three main reasons why…

Lack of Resources

NIST’s daunting to-do list has left many small to medium companies wondering how they’ll close the gap between what is required and what they can afford to implement.
Put at a disadvantage by budget and workforce limitations, companies find themselves falling behind due to a lack of cost-effective solutions and an inability to dedicate the manpower to keep their cybersecurity standards up-to-date.
Companies must report any shortcomings or gaps in their compliance to the DoD’s Chief Information Officer (CIO) within 30 days of any contract award. That means that the time and resource constraints are only exacerbated if the people in charge don’t have an intimate understanding of the NIST SP 800-171 security controls.
These companies need help but don’t know where to turn. As a result, they’ve found themselves exposed to increasingly advanced cybersecurity threats and will continue to accrue non-compliance penalties until they can find the assistance they need.


In an attempt to provide flexibility, make the controls technology-neutral, and allow for contractors to implement whatever solutions best fit their company, NIST has inadvertently made it difficult to know whether your company has actually achieved compliance or not.
The first challenge contractors face is assessing whether or not an information system is processing covered defense information (CDI). CDI is defined by the registry maintained by the National Archives and Records Administration and includes Controlled Technical Information (CTI) and Controlled Unclassified Information (CUI).
If these information systems are precisely specified in the awarded contract, the process is simplified. But DFARS has also included CUI that is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
This opens the door for large chunks of information that have been created or are received by contractors, but not marked, to also be considered CDI, making the process of identifying which systems process this information much more difficult.
On top of this, the DoD does not currently have any system in place to certify compliance and has not authorized any third-party certification process, leaving it up to you to accurately assess where you stand at any given moment. 

Being Human

As with any complex set of rules, the risk for human error also enters the mix. In the midst of wrapping their heads around a barrage of complicated regulations, many people simply drop the ball.
In companies that are already struggling to dedicate the necessary human resources to compliance, the overwhelm of adjusting to a whole new world of security requirements can lead to small errors that pave the way for much bigger problems.
In cases like these, it’s essential to have an extra set of eyes on the details to make sure problems don’t snowball and create an avalanche down the line.

Rising to the Challenge

If you’re a defense contractor struggling to keep up with NIST 800-171 requirements, performing a compliance assessment should be your top priority. CyberSheath’s Managed Security Services can help you identify the roadblocks on your path to NIST compliance and find cost-effective solutions to overcome them. Contact us today for a free consultation to find out more.

CyberSheath Blog

2022 in Review: The CyberSheath Story Expands

This year marked a deluge of messaging about the Cybersecurity Maturity Model Certification (CMMC) and federal contractors were rightfully confused. With our keystone event, CMMC CON, we aimed to set the record straight and offer the best guidance for those in the Defense Industrial Base (DIB).   CMMC CON 2022…

CyberSheath Endorsed by Frost & Sullivan in First Independent Analyst Commentary on CMMC

Independent analyst firms have weighed in with commentary on nearly every discipline of information technology. Security has garnered a large portion of that IT discussion, yet until recently, Cybersecurity Maturity Model Certification (CMMC) compliance has been left out.   Frost & Sullivan changed that by selecting CyberSheath as its preferred…

Be Prepared: CMMC 2.0 Is Coming

Cybersecurity is increasingly important to safeguard your company, your customers, and your partners. We're moving into a global cyber era and we've got to get better at protecting ourselves.   Our adversaries are capitalizing on the lack of security controls in place in the defense industrial base (DIB) and we…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO