Proactive Cybersecurity for the Manufacturing Sector
Did you hit snooze on the compliance alarm? Time is up – Cyber Audits begin October 1 for all DoD manufacturers
DAU announced that Cybersecurity Letters will be sent to all contractors in August 2018 and that Cyber Audits will begin October 1, 2018.
All commercial government, supply chain, manufacturing, aerospace, and automotive suppliers must implement the cybersecurity controls listed in the NIST SP 800-171 guidelines. The deadline for the supply chain to meet compliance with NIST SP 800-171 under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 was December 31, 2017. As we are all aware, the enforcement and teeth of this deadline were deferred until NOW. By the end of August 2018, all contractors who have been awarded contracts to provide products or services that require the use of Controlled Unclassified Information (CUI) will be put on notice that enforcement will begin with the new government fiscal year starting October 1, 2018. The burden of proof is placed upon the supplier, its suppliers, and their suppliers in turn. Failure to comply will result in a Corrective Action Report (CAR) and/or loss of contract. These compliance requirements include a gap analysis of the organization’s cyber preparedness and ongoing, continuous improvement of its cyber health.
The Department of Defense has issued Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. It requires contractors to implement the security controls defined in NIST SP 800-171. With over 100 controls that must be addressed, the challenge is understanding what it means to be compliant and how to implement and maintain appropriate security safeguards. All suppliers must assess the cybersecurity posture of their networks and systems across the 14 security control domains defined in NIST SP 800-171 and be prepared to notify the DoD and the affected supply chain within 72 hours of any cybersecurity incident.
Most small to medium-sized commercial companies face continuous challenges simply maintaining the everyday information technology and networking needed to support their core businesses. For small and medium companies that are part of the U.S. government manufacturing supply chain, these new information security compliance requirements therefore represent a unique challenge that bears directly on their bottom lines. Commercial supply chain organizations must follow the same guidelines as federal contractors.
Below are the minimum requirements:
1. Self-Attestation of the contract obligations for compliance – attesting that you are compliant
2. System Security Plan with the following provable elements (updated periodically):
• System Boundaries – Identify the network map, connections and segmentations initially and through the life of the contract
• System Environments of Operations – Operating Environment where CUI is stored
• How the security requirements are implemented – both the policy and real-time evidence proving that the security requirements are active.
• Relationships with or connections to other systems – Real-time situational awareness of connections and system profile information.
3. Plan of Action & Milestones – the detailed plan of cyber gaps and remediations necessary and updated to show continuous improvements.
4. Incident Response Plan – an approved process, defined by the DoD, for reporting incidents within 72 hours of the event. The 72-hour time limit is not negotiable.
5. Be prepared to prove your cyber resiliency with implemented “adequate” cybersecurity controls, cyber event monitoring and processes. If you cannot, your business is at risk both from cyber criminals and from the loss of federal contracts.
The time is now to act, and both prepare for compliance and become cyber prepared!