Many defense contractors outsource their IT to a Managed Service Provider (MSP), which generally delivers the IT required and allows a business to focus on its core competency. IT managed services through MSPs have been around for a long time now and rarely include services or commitments to meet compliance requirements like the Cybersecurity Maturity Model Certification (CMMC). It has only been in the last several years that MSPs have moved into the cybersecurity space to expand their IT service offerings. At best, the MSP market for defense contractors offers IT and cybersecurity from one provider but completely ignores CMMC compliance requirements. This is a big problem for Department of Defense (DoD) contractors, as their future revenue opportunities depend on achieving compliance.
Most MSPs are brand new to CMMC, and unfortunately for their customers, asset management, patching, and media sanitization stand in the way of CMMC compliance and DoD revenue opportunities. Defense contractors who have an MSP, or are looking at an MSP, are putting their revenue opportunities in the hands of a third party. It is time to rethink your MSP relationship and possibly start searching for alternatives.
The Role of IT in Achieving CMMC
Much of the thinking to date around MSPs and CMMC gets into nuanced legal issues around the MSP’s access to Controlled Unclassified Information (CUI). Still, the real problem is much more fundamental and easy to understand. Your MSP is responsible for many of the requirements tied to your eventual CMMC objective. If your MSP is not delivering its services in a way that produces evidence of compliance with CMMC, you won’t achieve certification; it is truly that simple. Many of the requirements of CMMC fall into the information technology category when it comes to delivering them on a day-to-day basis. All of the attention so far has been focused on the cybersecurity requirements of CMMC, but as anybody in an operational role knows, much of CMMC falls to the IT delivery organization. If your IT delivery organization is an MSP, are you comfortable trusting them with your future revenue opportunities? Will they learn about CMMC on your dime? Do they even mention CMMC services on their current website?
You need an MSP that can marry the delivery of IT, cybersecurity, and governance in one comprehensive, measurable package to ensure compliance. CMMC stands in the way of all future revenue opportunities with the DoD; it is too important to be an add-on to your existing MSP services.
A potentially worse scenario is having one vendor deliver your IT services as an MSP and another vendor responsible for cybersecurity as your MSSP, with you stuck in the middle playing referee. There is no way around it; achieving CMMC is difficult, costs money, and requires the coordination of IT, cybersecurity, and governance activities. Most small to medium businesses don’t have the resources to coordinate these activities or even know how to evaluate vendor claims around CMMC. Asking an MSP to unpack the nuances and complexities of NIST 800-171, SPRS submission, and CMMC is generally a bridge too far for any MSP that wasn’t created exclusively to serve the defense industrial base and its unique regulatory requirements.
So, what should small and mid-sized defense contractors do?
At our upcoming webinar, we will talk about bringing order to the chaos of achieving NIST 800-171 and CMMC compliance. We discuss strategies through the lens of working with an MSP because few contractors are equipped to meet all NIST 800-171 and CMMC requirements on their own. We will detail solutions to key pain points felt by defense contractors contractually obligated to meet DoD requirements, giving you insights into implementing these solutions with internal resources or through your MSP.
No matter where you are on your path to compliance – calculating your assessment scores, navigating SPRS, implementing the controls, or shopping for an MSP – this webinar will accelerate your journey. Register Now.
CyberSheath is excited to announce the availability of a new service offering specifically designed for defense contractors required to ensure compliance from their managed IT providers. This new Managed IT Services for Defense Contractors offering future-proofs your environment against changes in regulatory scope or interpretation and against increased scrutiny of your compliance with DoD contracting requirements in the long term. It is clear that the US Government is becoming less patient with lapses in the Defense Industrial Base’s (DIB) regulatory compliance in IT management, and, paradoxically, cyber threats are increasing at the same time. Legacy IT delivery models are failing every day, as the lines between IT and security have permanently blurred as to who is accountable for specific requirements.
With big-picture strategic challenges like avoiding nation-state cyber-attacks and industrial espionage, sorting out roles and responsibilities between IT and security is the last thing defense contractors need to worry about.
CyberSheath has long recognized that a large part of IT delivery, things like patching and asset management, is foundational to NIST 800-171 and CMMC compliance, which is why we are offering a force-multiplying solution for managed IT services. This offering is only available to defense contractors and is uniquely built to make CMMC and NIST 800-171 compliance a natural outcome of day-to-day operations.
What is the DIB Managed Service Provider Compliance Problem?
Defense contractors have a special responsibility to the DoD in ensuring supply chain integrity and trustworthiness, and as a result must adhere to cybersecurity requirements outlined across a variety of Federal regulations, including:
FAR 52.204-21 (calls for 15 cybersecurity controls, including specific verbatim flow-down language for subcontractors and service providers handling Federal Contract Information (FCI)-type data)
DFARS 252.204-7012 (calls for 110 cybersecurity controls, including specific verbatim flow-down language for subcontractors and service providers handling Controlled Unclassified Information (CUI)-type data)
DFARS 252.204-7019 through -7021 direct the DIB to the newly created CMMC Advisory Board for guidance on third-party providers (TPPs). For reference, the latest guidance from the CMMC AB is as follows:
OSCs who use cloud services must meet requirements that differ from C3PAOs.
1) Companies under the current DFARS 7012 using cloud services or products that receive, transmit, store, and secure CUI on or on behalf of the contractor must meet requirements as described in the DoD Procurement Toolbox, Cybersecurity FAQ (below in part in comments). Remember: the DoD prime/subcontractor is responsible to ensure that the CSP meets the requirements at 252.204-7012 (b)(2)(ii)(D).
2) Organizations Seeking Certification (OSC) for CMMC L3 using external service providers/cloud services involving CUI must apply the DOD FAQ and consider the impact/evidence required for inherited practice or process objectives as discussed in the v1.10 CMMC L3 Assessment Guide, “A practice or process objective that is inherited is met because adequate evidence is provided that the enterprise or another entity, such as an External Service Provider (ESP), performs the practice or process objective.” See CMMCab.org for official policy/guidance.
Introducing CyberSheath’s New Managed IT for Defense Contractor Service!
CyberSheath’s Managed IT Services for Defense Contractors delivers world-class IT service delivery, integrated with cybersecurity, enabling the documented evidence required to successfully pass a compliance audit or prove certifiable for the next government RFP / RFI. Andy Shooman, CyberSheath’s COO, opines, “We’ve been future-proofing our customers from policy and technology changes related to CMMC since our managed services debuted in 2015, and our managed IT services eliminate the finger pointing between IT and security, giving our customers one vendor to hold accountable. The fact is 60% or more of cyber security requirements touch IT in some way, and that has to be accounted for as part of an overall compliance posture.”
Our Managed IT Services for Defense Contractors solution transforms the disconnected IT and security functions into a compliant, integrated, and auditable whole.
Base Service Offering: Manage the following in a compliant, cost-effective manner for a US Defense Contractor:
- Endpoint Management/Support
- Remote Access via VPN
- Identity & Access Management
- Firewall & Network Management
- Operating System and Network Device Patch Management
- Infrastructure Configuration Management
Provide 24/7/365 Support for the following:
- Support Ticket Management
- Help Desk / Problem Resolution
- End User Support Requests
- Change Management
- Asset/Configuration Management
- System Availability / Outages
Our Premium Service, in addition to the services above, manages the following in a compliant manner for a US Defense Contractor:
- VOIP Telephony
- Data Storage
- System Backups
- O/M365 Office Suite (beyond Mail)
Benefits of the Managed IT Service for Defense Contractors include the following:
It is easy to deploy and maintain (fully outsourced), and you are compliant!
- With CyberSheath’s Assured Compliance Commitment, we commit to having our infrastructure and managed IT services continuously assessed and certified as compliant with DFARS.
- Comprehensive technology, security, and governance for DFARS:
- Managed IT for Defense Contractors is a solution designed from the ground up to comply with DFARS cybersecurity requirements holistically.
- End-to-end deployment.
- You can combine this service with a world-class MSSP / security offering. Leveraging CyberSheath’s 24x7x365 Security Operations Center means someone is always watching the client’s network – freeing up resources so they can get on with other important business.
- Effective risk management: traditional information security / antivirus solutions will not stop polymorphic and zero-day threats. We also understand that defending against nation-states’ unique offensive capabilities requires strong security programs. CyberSheath deploys best-of-breed compliance technology baselines, SIEM, phishing defense, cloud workload protections, threat and endpoint detection and response (EDR), continuous monitoring and cyber threat intelligence (CTI) solutions, coupled with our experts in threat analysis and intelligence (i.e., you), that deliver actionable information to mitigate risks to a client’s organization.
- We adjust to changing threats automatically. Through robust managed compliance we adapt to an evolving compliance landscape, so your program can rest assured that the proper descriptions, documentation, and adjustments are made to quickly identify potential threats. We combine the best of human expertise and proven toolsets to keep a client’s organization up to date with compliance.
- There are easy procurement options.
- Customized Solutions – Although we have predefined compliance levels, we know every customer is different. So, in the end, our solutions are tailored to every client’s needs. We know that different organizations require different levels of security. CyberSheath has packaged offerings, allowing you to easily ramp up your security for greater protection without having to deal with multiple vendors or security resellers.
- Flexibility – We have been on the ground floor of NIST/DFARS/CMMC for 12 years shaping, interpreting, and implementing DoD policy and requirements in a way that meets our customers where they are and keeps them in the game. There is no one-size-fits-all solution, and rigid implementation and interpretation will cripple your business with excessive cost and best-guess interpretations of what the DoD is looking for.
Why CyberSheath as a Managed IT Services Organization?
CyberSheath has over 8 years of providing information security services for our clients.
Moreover, CyberSheath’s personnel all have military or defense contracting (or both) as their heritage. Threats are global, ever changing, and require a specialized skillset to truly protect organizations. Our managed services staff include experts with impressive previous roles at global defense contractors, managed security services organizations, and security software and hardware manufacturers, as well as Military Cyber Operations experience, and they hold multiple security and technical certifications including CISSP.
- Hundreds of successful NIST 800-171 / DFARS 252.204-7012 engagements over the last 8 years
- CyberSheath was founded to deliver this solution and was “born” out of a Fortune 500 defense contractor’s experience influencing and implementing evolving DoD cybersecurity policy and requirements.
- “Skin in the game” – We have been through many DoD audits, with DoD components validating our approach and the work we do. We will be onsite with your team throughout assessment, remediation, managed services, and your eventual audit.
If you are looking for DFARS-compliant Managed IT Services, we look forward to providing you a single point of accountability, not only for providing the requisite controls but also for implementing them across your IT infrastructure: true one-stop shopping.
Who’s Been Playing Solitaire on the Domain Controller?
It’s a classic scene. You’re sorting through the attic and you end up browsing through old memories: photos from a forgotten road trip, souvenirs, and trinkets from your world travels, old board games you bought in a flash of excitement and only played once. Things you once loved, but that now sit unused, gathering dust and taking up space.
In the workplace, computer systems often end up cluttered in the same way. We end up with stacks of unnecessary software sitting around in files and folders where we’ve long stopped looking. But unlike the charming, nostalgic relics lying around the attic, that unused software sitting on your computer might be leaving you open to danger in the form of vicious cyberattacks.
Cybercriminals are constantly looking for ways into your system. Software like browsers (Firefox, Chrome, Edge), plug-ins (Java, Adobe Flash, Silverlight) and random applications (games, messaging apps, etc.) are well-known to be extremely vulnerable to malware and other forms of data hacking, particularly if they’re out of date.
This begs the question: how many useless apps are lying around on your system right now, putting your business at unnecessary risk? Here’s how to find out, and what to do about it…
Inventory Your Software Assets
The first step is to dig through your systems and figure out what’s absolutely necessary — and what’s not. If you have a contract that requires compliance with DFARS 252.204-7012, a software inventory is required, but further, it’s just common sense: You have to know what you have before you can protect it.
Nowadays, there’s an app for everything. Chances are that you and your employees have loaded up on them in an attempt to find more efficient ways to manage time, stay connected, or even have more fun at work.
That schedule management software you downloaded may have seemed useful at the time, but if it’s no longer in use then it’s time to send it to the trash.
Any piece of software not essential to your business should be considered potentially harmful and promptly cleared from your system. Delete software installers, remove unnecessary browser add-ons and extensions, and of course, make sure to update any apps that will be sticking around.
Eliminate Redundant Apps
There are so many solutions available for every problem that you’ll often discover you have several applications doing the same job. Figuring out what pieces of software are currently being used to solve the same problem can help you see where you need to cut the fat.
Do you need three browsers, or would one be sufficient? If you’re using Google Hangouts for video conferencing, do you need to have Skype on your system as well?
It’s also a good idea to take a look at the software that was already installed on your device when you took it out of the box. Many new computers, tablets, and mobile devices come pre-packaged with lots of this third-party software, known as bloatware, to increase revenue for the vendor.
If you have bloatware on your systems, you might find that many of these extra apps have sat unused since day one. And some bloatware behaves like spyware, sending information about you and your system to outside agents without your knowledge. If they’re not currently in use, or they’re performing simple functions you can do through more essential applications, consider getting them off of your systems ASAP.
Sometimes system clutter grows out of control simply because we’ve given too many people the green light to do whatever they please. For this reason, it’s probably best to adopt a tougher approach to access privileges.
Keeping your systems clean and organized is undoubtedly easier if you allow fewer people to access and install software. Consider using special permissions to allow only top-level decision-makers to install new software. Carefully monitor who is adding new applications and require that they justify why these programs are needed. And finally, terminate dormant accounts so that hackers can’t use them to infiltrate your system and install harmful malware.
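As an added example (not CyberSheath’s code or tooling), the triage logic below runs over a constructed software inventory and applies the checks from this section: packages unused for too long, several products doing the same job on one host, non-essential categories such as games and plug-ins, and installs by accounts outside the approved installer list. Hosts, package names, dates and the category lists are assumptions.

```python
"""Triage a software inventory for unused, redundant and unauthorized packages.

Added example: the inventory below is constructed for illustration. In practice
the records would come from your endpoint- or asset-management tooling.
"""
from collections import defaultdict
from datetime import date

# Constructed sample inventory: one record per installed package per host.
INVENTORY = [
    {"host": "WS-001", "name": "Firefox", "category": "browser", "last_used": "2024-05-01", "installed_by": "it-admin"},
    {"host": "WS-001", "name": "Chrome", "category": "browser", "last_used": "2024-05-02", "installed_by": "it-admin"},
    {"host": "WS-001", "name": "Edge", "category": "browser", "last_used": "2023-09-14", "installed_by": "it-admin"},
    {"host": "WS-001", "name": "Skype", "category": "video-conf", "last_used": "2023-02-11", "installed_by": "jdoe"},
    {"host": "WS-001", "name": "Google Hangouts", "category": "video-conf", "last_used": "2024-04-30", "installed_by": "it-admin"},
    {"host": "WS-001", "name": "Adobe Flash", "category": "plugin", "last_used": "2022-12-01", "installed_by": "it-admin"},
    {"host": "WS-001", "name": "Scheduler Pro", "category": "productivity", "last_used": "2023-01-20", "installed_by": "jdoe"},
    {"host": "WS-002", "name": "Chrome", "category": "browser", "last_used": "2024-05-02", "installed_by": "it-admin"},
    {"host": "WS-002", "name": "Solitaire Deluxe", "category": "game", "last_used": "2023-06-03", "installed_by": "asmith"},
]

# Assumed policy: one product per host is enough in these categories ...
SINGLE_PRODUCT_CATEGORIES = {"browser", "video-conf"}
# ... and these categories are not essential to the business at all.
NON_ESSENTIAL_CATEGORIES = {"game", "plugin"}


def idle_days(record, as_of):
    """Days since the package was last launched, according to the inventory."""
    return (as_of - date.fromisoformat(record["last_used"])).days


def find_unused(inventory, as_of, max_idle_days=180):
    """(host, name) pairs not launched within max_idle_days: removal candidates."""
    return sorted((r["host"], r["name"]) for r in inventory
                  if idle_days(r, as_of) > max_idle_days)


def find_redundant(inventory):
    """Hosts carrying several products in a category where one would do."""
    by_host_category = defaultdict(list)
    for r in inventory:
        if r["category"] in SINGLE_PRODUCT_CATEGORIES:
            by_host_category[(r["host"], r["category"])].append(r["name"])
    return {key: sorted(names) for key, names in by_host_category.items()
            if len(names) > 1}


def find_non_essential(inventory):
    """Packages in categories the business has declared non-essential."""
    return sorted((r["host"], r["name"]) for r in inventory
                  if r["category"] in NON_ESSENTIAL_CATEGORIES)


def find_unauthorized_installs(inventory, authorized_installers):
    """Packages installed by accounts outside the approved installer list."""
    return sorted((r["host"], r["name"], r["installed_by"]) for r in inventory
                  if r["installed_by"] not in authorized_installers)


def triage(inventory, as_of, authorized_installers, max_idle_days=180):
    """Run every check and return the findings keyed by check name."""
    return {
        "unused": find_unused(inventory, as_of, max_idle_days),
        "redundant": find_redundant(inventory),
        "non_essential": find_non_essential(inventory),
        "unauthorized": find_unauthorized_installs(inventory, authorized_installers),
    }


if __name__ == "__main__":
    findings = triage(INVENTORY, date(2024, 5, 15), authorized_installers={"it-admin"})
    for check, items in findings.items():
        print(f"{check}:")
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```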
Get Superior Protection Today
If cleaning house feels like a major job, it’s time to call in reinforcements! CyberSheath’s comprehensive managed cybersecurity services can help you to conduct a professional software risk assessment, simplify your systems, and save you from putting your business at unnecessary risk. Contact Us now to find out how.
Companies are becoming increasingly enamored with the advantages offered by cloud computing. However, many mistakenly assume that once you upload your data, it’s up to the cloud service provider (CSP) to keep it all safe and sound. In reality, most CSPs use what’s known as a shared responsibility model for security, meaning that only certain aspects of your cybersecurity plan are their responsibility. Ultimately, YOU are responsible for the security of YOUR data.
With cybercriminals attacking from every direction, it’s your responsibility to prevent misunderstandings that might lead to damaging data breaches. For this reason, having a full picture of the risks associated with your chosen CSP, along with a clear agreement on roles and responsibilities, is paramount if you hope to keep your sensitive data protected.
Review Your Security Documentation
In the excitement of exploring the capabilities of the cloud, it’s easy to be less than thorough in your assessment of your CSP’s security practices.
However, you need to be sure that your CSP is employing industry-leading incident response tools, consistently auditing its security systems, rigorously testing for weaknesses, and protecting against emerging threats. You can do this by taking a look at your provider’s System Security Plan (SSP).
Reviewing an SSP is the most accurate way to assess the security controls your CSP is implementing. As the main document in a security package, an SSP gives you a detailed report on security protocols and highlights any gaps that may need to be addressed.
If you have a contract that requires compliance with DFARS 252.204-7012, then your CSP must meet the standards set by the FedRAMP Moderate level of protection and support government incident response efforts.
Doing your due diligence and insisting on rigorous compliance certifications, such as SOC 2 Type II or PCI DSS, will give you peace of mind that your CSP is following the latest regulatory measures and maintaining the highest levels of data security.
Treat the Cloud like It’s Your Home
Some businesses are under the illusion that, since the cloud is not an on-site system, it doesn’t need to be treated in the same way they’d treat their personal systems. If you’ve made that mistake, then it’s imperative that you start viewing the cloud like the extension of your business it truly is.
It’s critical to be proactive in this regard, as opposed to waiting for a problem to occur and then addressing your security gaps. In the same way that you don’t allow every employee unrestricted access to your in-house systems, it’s essential to manage and control access to the cloud within your company.
Create written guidelines that specify who can use which cloud services, what data can be stored there, and for which purposes the cloud is to be used. Train your staff on the risks of cloud use and make sure they are aware of the latest trends in cybercrime that affect cloud users.
Encrypting the data you move to and from the cloud is also an absolute must. You want to take particular care to ensure that data is encrypted during transit when it is most open to attacks. Also, verify that your CSP encrypts your data at rest and on backup media to prevent data leaks.
In short, make sure you’re treating the cloud like you would your own home. Lock the doors, turn on the alarms, and train yourself on how to respond to emergencies, so you can sleep easy knowing you’re adequately protected.
Stay Alert About Your Cloud Vendor
The world of cybersecurity moves quickly, and in the event that there’s a breach or a threat concerning your specific vendor, it’s best that you know as soon as possible. If your cloud provider offers security alerts, make sure you have notifications enabled, and check resources such as US-CERT for announcements about threats that have been reported.
Looking for Secure Cloud Solutions?
If you want to stay ahead of developing cyber threats and you’re wondering how to implement strong security measures for your cloud services, let the cloud experts help you. CyberSheath’s cloud solutions are second to none, so contact us now and let us give you a helping hand to keep your business secure.
The demand for cybersecurity talent far outstrips the supply at present, something which will likely continue for the foreseeable future. This insatiable demand has created more and more opportunities than ever before for those interested in a career in cybersecurity.
That said, many aspiring cybersecurity professionals are left wondering how to make the transition. Where do I start? What should I read? Should I get certified? What qualifications do I need? These are just some of the questions I’m frequently asked by Uber drivers, waiters, and a host of other people looking to make the jump.
The good news is that, if you’re willing to put in the sweat equity and spend your free time working hard to learn what you need to know, there is a clear and rewarding path to your goal.
I’ve helped dozens of people get into cybersecurity over the years, largely by sharing my own personal experience of career transition. I’ve introduced people to potential mentors, pointed them towards self-paced educational tools and, many times, allowed them to use CyberSheath training resources at no cost.
In fact, one of the greatest joys of working at CyberSheath for me is being able to give smart, motivated people the opportunity and the tools to make career transitions, and then watching them go on to great success in their new field. We have dozens of these success stories, so read on if you’d like to be one of them…
First, you must have initiative and drive. If you need to be spoon-fed instructions, you make excuses, or you’re too busy with work, life, school, kids, etc., then you’re simply not going to be able to put in the blood, sweat and tears needed to make this transition. If, on the other hand, you can think for yourself and you’re willing to do whatever it takes to make it work, you’ll likely find yourself reaping the rewards in no time.
Read incessantly and voraciously. If you’re looking for the magical reading list that will transform you into a cybersecurity pro, well…there isn’t one. Just take the initiative, pick up a book, and then pick up another, and read everything you can about cybersecurity.
You’ll have a slew of acronyms to learn, along with vendor jargon and security concepts, so any reading material that helps you to become familiar with these basics will give you a good foundation on which to build your cybersecurity knowledge. Vendor marketing materials, product installation manuals, blogs, research reports, and security frameworks are a great place to start.
You can’t become a security practitioner without practice. Set up a lab with whatever resources you can cobble together and do something, anything — it doesn’t matter what at this stage. If you’re stuck for ideas, there are endless online resources to help you get started.
I personally started in cybersecurity by approaching a company owner and convincing him that if he trained me, I could be a great employee. He provided the training, including the lab equipment and training materials, and I provided the sweat equity.
That was almost 20 years ago and nothing has changed. CEOs and company executives are still willing to invest in motivated people who are taking the initiative to better themselves. In fact, just like me, many of them will be happy to help if asked.
If you’re willing to take the steps outlined above, then you have the ingredients required for a successful career transition. If you’d like help making that transition, contact us today to learn about CyberSheath’s cybersecurity training and education resources.
On December 31, 2017, the deadline passed for defense suppliers to comply with NIST 800-171, a requirement specified in Defense Federal Acquisition Regulation Supplement 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
This mandate attempted to ensure a higher standard of security controls surrounding the processes and procedures for protecting controlled unclassified information (CUI). As defined by the National Archives, CUI is “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”
Confused? You’re not alone! Assessing what is and what isn’t CUI, as well as navigating the complex and potentially costly road to compliance, has left many contractors struggling to stay on schedule. Although the deadline has passed, a large number of companies are still standing around scratching their heads, wondering how to proceed.
Consequences of Non-compliance
Non-compliance is not going to be acceptable for much longer. Clause 3.12.4 of NIST 800-171 allows for the submission of a System Security Plan (SSP) and a Plan of Actions and Milestones (POA&M) to help companies define how they will bridge the gap, but it is also reasonable to expect that the U.S. Government will soon begin to terminate contracts that fail to meet the accepted requirements. Defense prime contractors will also begin to terminate non-compliant subcontractors and suppliers to avoid having to report themselves as non-compliant.
Because so many companies have fallen behind, those that have achieved this rare milestone will have positioned themselves to receive the lion’s share of future defense contracts. Simply put, if companies want to remain competitive, they must move as quickly as they can to get on track or risk falling behind their competition.
If your company has fallen behind, don’t get discouraged. The path to compliance is a confusing one, but it’s possible to find your way. Start by taking the following steps…
1. Define CUI
CUI is situation-specific and can be tricky to assess. In some cases, the information that needs to be protected is specified in the awarded contract. However, most of the time the definition is unclear.
In their own definition, DFARS has included CUI that is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.” Information that has been created or received by contractors, but not marked, may also need to be appropriately safeguarded. Identifying what needs to be protected is the first step.
2. Identify where it lives
The next step is to figure out exactly where the CUI is being stored, processed, or transmitted from so that you know which systems need to be secured.
Creating a Data Flow Diagram (DFD) is a helpful way to begin figuring out how CUI is traveling through your network. It could also be useful to create a network diagram to identify what controls you already have in place that are effectively safeguarding your CUI. Together, these tools can help you identify the weak points you’ll need to address to close the gaps in your systems.
3. Document your progress
Having identified CUI and where it lives, you should now begin the process of referring back to NIST 800-171 to figure out the controls you will need to put into place.
As you forge ahead in making these updates, it’s critical to document what you’ve changed, how it will improve security, what controls are not applicable to your current situation, and why they won’t be needed.
This process will create a record demonstrating your ability to assess and safeguard sensitive information, moving you closer to your ultimate goal of declaring full compliance with the DFARS/NIST 800-171 mandate.
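Steps 2 and 3 above as an added example, not CyberSheath’s method: a constructed system and data-flow inventory is scoped for CUI (following flows marked CUI, and flagging unmarked flows out of in-scope systems as the unmarked information the section warns about), and a per-system record of implemented, planned (POA&M) and not-applicable controls with justifications is then produced for a small subset of NIST 800-171 requirements. Systems, flows and statuses are constructed; only the three requirement numbers are real.

```python
"""Scope CUI from a data-flow inventory, then record control status per system.

Added example, not CyberSheath's or NIST's method. Systems, flows and statuses
are constructed; the three NIST 800-171 requirement numbers are real and their
one-line descriptions are paraphrased.
"""
from collections import deque

# Constructed system inventory: the data classes each system is known to store.
SYSTEMS = {
    "file-server": {"CUI", "FCI"},
    "engineer-ws": set(),
    "mail-gateway": set(),
    "hr-portal": {"PII"},
    "public-web": set(),
    "backup-nas": set(),
}

# Constructed data flows: (source, destination, data class); None = never marked.
FLOWS = [
    ("file-server", "engineer-ws", "CUI"),
    ("engineer-ws", "mail-gateway", "CUI"),
    ("file-server", "backup-nas", None),      # nightly backup job, never classified
    ("hr-portal", "mail-gateway", "PII"),
    ("public-web", "engineer-ws", "public"),
]


def cui_scope(systems, flows):
    """Return (in_scope, provisional, unmarked).

    in_scope: systems that store CUI or sit on either end of a flow marked CUI.
    provisional: systems reached only through unmarked flows out of in-scope
    systems; treated as in scope until someone classifies those flows.
    unmarked: the (src, dst) flows that need that classification decision.
    """
    in_scope = {name for name, stored in systems.items() if "CUI" in stored}
    for src, dst, data in flows:
        if data == "CUI":
            in_scope.update((src, dst))
    provisional, unmarked = set(), []
    seen, queue = set(in_scope), deque(in_scope)
    while queue:                      # breadth-first walk over unmarked flows
        node = queue.popleft()
        for src, dst, data in flows:
            if src == node and data is None:
                unmarked.append((src, dst))
                if dst not in seen:
                    seen.add(dst)
                    provisional.add(dst)
                    queue.append(dst)
    return in_scope, provisional, sorted(unmarked)


# Constructed subset of NIST 800-171 requirements (numbers real, text paraphrased).
REQUIRED = {
    "3.1.1": "limit system access to authorized users, processes and devices",
    "3.8.1": "physically control and securely store media containing CUI",
    "3.13.8": "cryptographically protect CUI in transit",
}

# Constructed status per in-scope system: "implemented", "planned" (POA&M item)
# or ("not-applicable", justification). A missing entry is a documentation gap.
STATUS = {
    "file-server": {"3.1.1": "implemented", "3.8.1": "implemented", "3.13.8": "planned"},
    "engineer-ws": {"3.1.1": "implemented",
                    "3.8.1": ("not-applicable", "no removable media; USB storage blocked by policy"),
                    "3.13.8": "implemented"},
    "mail-gateway": {"3.1.1": "implemented",
                     "3.8.1": ("not-applicable", "stateless relay; no media holds CUI"),
                     "3.13.8": "planned"},
}


def compliance_record(scope, status, required):
    """Per-system record: implemented, POA&M, N/A with justification, undocumented."""
    record = {}
    for system in sorted(scope):
        entry = {"implemented": [], "poam": [], "not_applicable": {}, "undocumented": []}
        for ctrl in required:
            state = status.get(system, {}).get(ctrl)
            if state == "implemented":
                entry["implemented"].append(ctrl)
            elif state == "planned":
                entry["poam"].append(ctrl)
            elif isinstance(state, tuple) and state[0] == "not-applicable":
                entry["not_applicable"][ctrl] = state[1]
            else:                     # no recorded decision for this control
                entry["undocumented"].append(ctrl)
        record[system] = entry
    return record


if __name__ == "__main__":
    in_scope, provisional, unmarked = cui_scope(SYSTEMS, FLOWS)
    print("CUI scope:", sorted(in_scope), "provisional:", sorted(provisional))
    print("unmarked flows needing classification:", unmarked)
    for system, entry in compliance_record(in_scope | provisional, STATUS, REQUIRED).items():
        print(system, entry)
```

The backup server ends up in the record with every control undocumented, which is the gap a data-flow diagram exists to surface: nobody decided whether the nightly backup carries CUI.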
Your Competitors are Working on Compliance — Are You?
If you’re not currently working towards meeting the DFARS/NIST requirements, rest assured your competitors are! The window for implementing this essential security update is closing rapidly, so don’t lose your competitive edge — contact us now for a free consultation on achieving your compliance goals.
As cyber-attacks become more frequent and sophisticated, addressing tighter security needs has become a priority for the federal government. Enforcement of “Controlled Unclassified Information” (CUI) protection continues to intensify as private contractors and organizations are now required to upgrade their cybersecurity systems and overall procedures to keep up with these increasing threats.
On April 24, 2018, the Department of Defense (DoD) issued draft guidance for assessing contractors’ System Security Plans (SSPs) and the implementation of security controls in NIST Special Publication (SP) 800-171. If you’re a defense contractor, you’re required to comply with these regulations and provide “adequate security” for networks where covered defense information (CDI) is processed, stored, or transmitted.
DoD issued two draft guidance documents. The first, “Assessing the State of a Contractor’s Information System,” provides guidance on four different objectives: what must be in an RFP, how the source selection authority would evaluate the requirement, what resources are available for that evaluation, and the contract provisions that will be needed to implement the requirement during performance. The second draft guidance document, “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented,” was developed by DoD to determine the risk that an unimplemented security control poses to an information system, and which of the unmet controls need to be prioritized.
What does “adequate security” mean?
At a minimum, defense contractors must implement the requirements in NIST SP 800-171 to become compliant. Contractors need to provide an SSP to prove the implementation of the security requirements, and also develop plans of action and milestones (POA&M) that describe how any unimplemented security requirements will be met.
Unimplemented Controls Receive a Value Rating
NIST 800-171 is comprised of 110 technical controls intended to ensure sound security policies and procedures. DoD has decided to assess the risk of unimplemented controls by assigning a “DoD Value” to each security requirement, ranging from 5 (highest impact on the cybersecurity system) to 1 (lowest impact on the cybersecurity system). These values are based on the priority rankings that NIST assigns to the NIST SP 800-53 Revision 4 security controls, which are used for government information systems and form the basis for NIST SP 800-171.
Non-Compliance is Not an Option
Proposed DoD guidance in 2018 is already moving toward full enforcement of compliance. Compliance failures can carry consequences beyond those of a data breach. Failure to comply with DFARS 252.204-7012 can expose contractors to penalties from the United States Government (civil, criminal, contractual, and administrative actions) or from individuals and private organizations damaged by the lack of compliance (actions for damages).
- Bid Protests: While SSPs and POA&Ms are important for determining “adequate security,” the exact role they will play in bid protests and in the implementation of NIST SP 800-171 remains unclear. After reviewing implementation status during the pre-award stage, DoD can make an acceptable or unacceptable determination and ultimately decide whether the contract should be awarded. Another option is to evaluate implementation as a “separate technical evaluation factor.” During the pre-award process, contractors may choose to protest solicitation terms where the treatment of NIST SP 800-171 implementation is inconsistent with DoD’s guidance. After award, disappointed offerors may consider challenging the award to another offeror where the assessment of the protester’s or awardee’s implementation of NIST SP 800-171 is inconsistent with the guidance documents. If DoD notices inconsistencies between your actual implementation of NIST SP 800-171 and your SSP and POA&M, it could award the contract to another contractor. During 2018, protested contract awards to higher-priced bidders were based in part on cybersecurity compliance and on offering more than the minimum security requirements in NIST SP 800-171.
- Termination Risk: The accuracy of your SSP and POA&M, along with evidence that you are moving toward full compliance, is crucial. To support an accurate evaluation, the draft guidance states that solicitations and contracts must include contract data requirements lists (CDRLs) that “require delivery of System Security Plan and any Plans of action after contract award.” Once SSPs and POA&Ms are contractual deliverables, failure to achieve compliance, or an SSP that does not accurately state the implementation status of the contractor’s cybersecurity, may provide a basis for termination.
- DCMA Audits: DoD has recently stated that, as part of its audit function, the Defense Contract Management Agency (DCMA) will pull out all the stops to confirm that every contractor has an SSP and POA&M. However, DCMA will not analyze whether the SSP fully complies with the NIST SP 800-171 security requirements, and it is unknown at this point whether DCMA will leverage any of DoD’s guidance in its review.
- False Claims Act: If a contractor is audited by DoD and found not to have implemented the DFARS/NIST SP 800-171 requirements, it can face numerous penalties. For example, if your SSP misrepresents your actual cybersecurity status, DoD can bring an action based on fraud, which is a False Claims Act violation. DoD may also be able to show that the original SSP was material to the Department’s award decision. If that argument succeeds, your earnings under the original contract are at risk, along with the reputation of your organization.
Make Compliance a Priority Before it’s Too Late!
At CyberSheath, we know that implementing these new security controls can seem like a daunting undertaking. We’ve successfully assessed and implemented the required NIST 800-171 controls for leading organizations in the defense industrial base supply chain.
Do a search for video games and information security and you will find countless comparisons to how these two seemingly disparate fields go hand-in-hand. I really like this article from last summer, as it examined not just video games, but organized sports and their influence on information security experts. In today’s world, video gaming is a billion-dollar industry, there are professional video gamers, amateur video gamers who record their reviews, critiques, and tips and put them on YouTube, and then there are the professionals (like me) who unwind from their day by playing a few rounds of Turning Point in Star Wars Battlefront.
While video games may heavily influence the world we live in, there are two specific video games that I think can help make your security program stronger. I will explore how these relate to your organization.
First: The Games
There are two specific games that I am going to be referencing. If these aren’t your cup of tea, no problem; they follow the same basic elements of many of the first-person shooter multiplayer games. Substitute your favorite.
EA/DICE’s Star Wars Battlefront
This game, released last November, is a major hit, with 13 million units sold worldwide by the end of 2015. It allows players to play as rebel soldiers or stormtroopers who square off against each other in a massive Star Wars environment.
EA/DICE’s Battlefield 4
This game, released in 2013, is one of the more popular military simulation first-person shooter games. Players assume the role of a soldier and face opponents kitted out with similar equipment. The in-game environment is set in a fictional conflict between China, Russia, and the US in the near future.
Second: How this Relates to Your Security Program
Both of these games, while simple in concept, require quite a bit of strategy and maneuvering of your in-game character to gain a better position and a better vantage point that puts you in control of the board. To do that, you need a roadmap and some general tips. Here are three tips and how they relate to your security program:
Playing the Objective/Security is Everyone’s Responsibility
In multiplayer games, especially Battlefront and Battlefield 4, there is a term that is commonly used: PTFO. PTFO, if you haven’t guessed it, is Play the [EXPLETIVE] Objective. It means working with your team to take over control points and gain a stronger position on the board.
As security professionals, we understand, live, and breathe security. Our teammates in IT, HR, and accounting might not have that same deep understanding. Our desire is for everyone to play the objective, ensuring customer data, corporate data, assets and the network are secure. This is how security programs should be built, with a common objective in mind that all players can strive to capture.
Playing the objective requires teamwork. It is nearly impossible to succeed in Battlefront and Battlefield without the support of your team. Security for your organization is not possible without cooperation and teamwork either. Security is everyone’s responsibility. As such, it is important to have a robust awareness and training program to drive the concept home. With security awareness training, your teammates in HR, IT and accounting receive the same baseline security knowledge, understand the threats to your organization, and know what to do when an attempted intrusion occurs.
Know Your Strengths and Weaknesses
In Battlefield 4, you are given the option to play as an assault class, engineer class, support class or recon class. Each class has its own strengths and weaknesses, but choosing your class should be done for the good of the team. The assault class can revive teammates and hand out medical kits, while the engineer is great at repairing and destroying vehicles. Support players can resupply teammates with ammunition, and recon provides the ability to play overwatch and spot enemy targets.
In security, it is essential to know your strengths and weaknesses. Every decision and choice around security has to keep two things in mind: how does it improve security, and how does it impact the business? In Battlefield 4, your class choice should both benefit the team and draw upon its strengths. Are you playing a map with lots of vehicles? Then the engineer is your best choice. Lots of assault class characters on your team? Then support class is the way to go so they don’t run out of ammo. In security, your ability to build a functional security program relies on knowing which tools are weak, who among your personnel is strong in security, and how the general corporate population feels about security initiatives. To identify those strengths and weaknesses, it is best to perform an information security assessment. This will show where you stand against a security framework, give you something to work towards, and let you shore up the weaknesses and begin playing the objective.
Avoid Camping and Tunnel Vision/Avoid Security Complacency
Battlefront and Battlefield 4 are extremely active games. Everyone is moving about. Stand in one place for too long and an enemy sniper will take you out. Stare down your scope and get tunnel vision, and you are likely to miss the enemy stormtrooper sneaking up on your right. Camping is the term used in these games for players who sit in one spot. It can detrimentally affect the game, especially if the camper is sitting near a spawn location. In security, organizations have to avoid camping out and becoming complacent. Complacency is dangerous. Organizations that only check the box and rely on tools, or that focus all their efforts on meeting regulatory requirements, are at risk of developing security complacency. For example, all of your attention is focused on meeting PCI needs, but you forgot about the two hundred other non-PCI systems that are just as vulnerable.
I see this quite frequently in a game mode in Star Wars Battlefront called Walker Assault. The premise of the game mode is simple: rebels have to activate uplink stations to call in a bombing run against the AT-AT Imperial Walkers, while the stormtroopers have to shut them down. What typically happens in game is that all the focus and attention is directed at one uplink station, leaving the other unguarded and vulnerable. While it may feel like you are playing the objective, in reality you are only partially playing the objective. In real life, security should be applied across the board. While there might be critical systems that get addressed first, every system should initially be treated equally at a base level. In Walker Assault, players should really team up and defend or attack the uplink stations equally.
Knowing how and when to apply security across your organization is key to having a strong program. Planning goes a long way: identifying which systems are critical, which tools should be applied, and how to implement security tools with minimal impact to business function are issues that security professionals tackle every day. This keeps your security organization moving and active. No camping and no complacency. The security team should be following a daily plan to ensure the success of the program.
Whether you are an active gamer or haven’t picked up a controller, the security principles described in this post apply broadly. Making security relatable and accessible will drive home its importance. As I have said, security is everyone’s responsibility. Your program has to give your teammates the tools to be successful. Whatever state your security program is in, CyberSheath can help you capture the objective and secure your assets.
How Can CyberSheath Help Your Organization?
CyberSheath will work with your organization, large or small, to help secure your valuable assets. CyberSheath offers security assessments to help your organization begin with a clear understanding of where you stand in regards to industry standards and regulations.