Electro Soft closed out May by attending an event called Cybersecurity: Protecting Your Business.
Co-sponsored by the NDIA Delaware Valley, Philadelphia Works, and The Southeastern Pennsylvania Manufacturing Alliance, the daylong event focused on threats to national security that occur through the defense manufacturing industry.
The highlight of the event was a breakdown of a relatively new requirement: the DFARS (Defense Federal Acquisition Regulation Supplement) clause that requires contractors to comply with NIST Special Publication 800-171.
DFARS states: All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by Dec. 31, 2017 or risk losing their DoD contracts.
NIST (National Institute of Standards and Technology) is a non-regulatory body within the Department of Commerce. The NIST Framework development project was initiated upon the execution of Executive Order 13636, which states, “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
As an electronics contract manufacturer that builds for the Department of Defense, we wanted to ensure that Electro Soft is in compliance with the NIST update. Throughout the course of the day, we learned that 60% of businesses that face cyber attacks go out of business within 6 months. A whopping two-thirds of cyber attacks are on small businesses.
We also saw numerous examples of how other governments had penetrated systems, then replicated U.S. fighter jets and military helicopters.
Like everyone else there, our question was, “Just what is the minimum security standard?” Ted Bujewski, Associate Director at the Department of Defense Office of Small Business Programs, helped the attendees understand exactly what small businesses need to know in order to comply with the DFARS/800-171 minimum security standard.
Here are some of the FAQs he covered:
Q: What does the requirement simply state?
A: 1. Provide adequate security to protect covered defense information.
2. Report hacks and give the DoD access to investigate.
Q: What is covered defense information?
A: “Covered defense information” needs to be defined by the issuing government agency or the PRIME. Ask if it is not defined in the documentation or stated.
Q: How do I provide adequate security?
A: At this point, you should have a security plan in place. Follow the NIST Framework for guidance.
Q: What if I have a cyber incident? Am I then in breach or default?
A: No. You must report the incident immediately.
Q: Is there a certifying body or contractor that will check to see if my company is compliant?
A: No. The DoD will not/has not certified a contractor to check compliance. There is NO 3rd party to determine compliance. Anyone who claims to do so is lying.
Q: Where do I report cyber incidents?
Q: How do I know if the NIST clause is in my contract?
A: The clause is in all new DoD PRIME contracts.