Last week the Washington Post reported that in January and February of this year Chinese government hackers stole 614 gigabytes of material relating to a closely held project known as Sea Dragon from a Navy contractor’s unclassified network. Stolen data included signals and sensor data, information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library. Officials said the material, when aggregated, could be considered classified and this should come as no surprise to anyone familiar with unclassified defense contractor networks.
Unclassified contractor networks often contain a wealth of important information related to the important work they do in support of the Department of Defense DOD and other government entities. This reality is one of the many reasons that the DOD made compliance with DFARs clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and implementation of NIST 800-171 mandatory no later than December 31, 2017. Unfortunately, many companies are still struggling with implementing the NIST 800-171 requirements or worse, writing the required System Security Plans (SSP) and Program of Action and Milestones (POA&M) and never getting around to implementing the security requirements.
The delay in implementing the NIST 800-171 requirements is likely in part why on April 24th, 2018 the DOD released its draft “Guidance for Reviewing System Security Plans and the NIST SP-800-171 Security Requirements Not Yet Implemented.” The extensive document contains more stringent guidelines on exactly how the DOD will enforce and assess the implementation of security controls for awarding contracts and evaluating proposals. It also provides detailed recommendations for properly assessing System Security Plans (SSPs) and Plans of Action and Milestones (POA&M).
The DOD Guidance provides additional information on how they might penalize business partners who fail to adhere to new security rules, including penalties and not being awarded new contracts. Aside from the obvious competitive business reasons to immediately implement the NIST 800-171 security requirements this latest theft of project Sea Dragon data is a reminder of the implications to national security. Most of NIST 800-171 is just good cybersecurity hygiene that at a minimum will make contractors harder targets for hostile nation-states.
In February, Director of National Intelligence Daniel Coats testified that most of the detected Chinese cyberoperations against U.S. industry focus on defense contractors or tech firms supporting government networks. During his April nomination hearing to lead U.S. Indo-Pacific Command, Adm. Philip S. Davidson, told the Senate Armed Services Committee “One of the main concerns that we have, is cyber and penetration of the dot-com networks, exploiting technology from our defense contractors, in some instances.” These comments along with the new DOD guidance are a clear indication that compliance isn’t going away.
Attention and focus on contractor networks started in earnest at least ten years ago when industry and the DOD started working together, voluntarily, to select NIST 800-53 base security requirements for implementation and defining cyber incident and information sharing processes. That effort has now evolved into the mandatory implementation of DFARs clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and implementation of NIST 800-171. The deadline for achieving compliance has come and gone.
At CyberSheath, we know that successfully implementing these new security controls can be a daunting undertaking for your organization. We’ve successfully assessed and implemented the required NIST 800-171 controls for organizations large and small in the defense industrial base supply chain. We’ll ensure your System Security Plan (SSP) and associated Plans of Action & Milestones (POA&M) are documented and fully implemented. Our cybersecurity experts will take care of all identified gaps in your information systems, schedule implementation of any outstanding items and ensure your organization is compliant with all of the latest requirements. We follow all DOD guidance to ensure review of SSPs and POA&Ms and “assist in prioritizing the implementation of security requirements not yet implemented.” After we have delivered a fully compliant solution we offer managed services to maintain your compliance and incorporate any updates from the DOD.