Contractor Cyber Security: Heating Up but a bit Simplified
The Department of Defense has unveiled plans for contractor cybersecurity standards that are scheduled to be implemented by January 2020.
The new standards will have a five-level system, and they will combine guidance currently in place from the National Institute of Standards and Technology with new input from the private sector and academia.
The standards are known as the Cybersecurity Maturity Model Certification. Once the standards are in place, third-party private-sector companies will audit contractors to ensure compliance (opportunity?). The program also will include an education and training center for cybersecurity.
The level of cybersecurity required by the standards will be indicated on all contract solicitations once implemented.
For non-IT companies this may be confusing and encourage an attitude of "do nothing, take the risk, and wait until the government figures it all out!"
The real message is that a critical threat to national security exists because of all the data that resides with its contractors, and contractors need to do their part to secure this data. For example, through the contractor/government network, potential adversaries have acquired critical data on the Air Force F-35 fighter jet that compromises both its lethality and survivability! Supply chain partners are key cyber targets for our adversaries: prime contractors and DLA are ramping up their cyber requirements, so be advised!
Since cybersecurity must be a “team” effort, the government is finalizing a tiered cyber security approach based on the SOW and the sensitivity of the contract information. Especially for smaller businesses, this will clarify specific requirements and facilitate implementing them.
Anticipate the government to publish these standards soon and begin implementation soon thereafter, with mandatory compliance beginning January 2020.
North Carolina companies should get started now and focus on cyber hygiene, reporting procedures, and basic security procedures and equipment (firewalls, antivirus, passwords, etc.).
These basic things will be required of all defense contractors, and companies should get on it now. The DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements is a good "non-technical," understandable guide to basic network security procedures to help you get started.
The NC Military Business Center, the NC Community College System, and the State of North Carolina do not officially endorse events. These items are posted strictly for the information and convenience of NCMBC customers.