Guest post by Brian Berger – Executive Vice President of Cytellix Cybersecurity
The deadline for supply chain compliance with NIST SP 800-171 under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 was December 31, 2017, but enforcement of this deadline was deferred until NOW. By August 2018, all contractors who have been awarded contracts to provide products or services that require the use of Controlled Unclassified Information (CUI) have been put on notice that enforcement will begin this fall. The burden of proving compliance is placed upon the supplier and its downstream supply chain.
What does this mean for the aerospace & defense supply chain under these contracts? The “grace period” for compliance has come to an end, as have all requests for waivers. When auditing for proof of compliance begins on October 1, 2018, the two remedies for a failed audit, as stated by the Pentagon, are a Corrective Action Report (CAR) and/or loss of the contract.
The audit will go beyond a documentation exercise. Many consultants provide support that includes preparing documentation and policies; however, this does not fulfill the full cyber requirements under these contracts. The complete cybersecurity assessment is an aggregation of technology, networking, security, situational awareness, vulnerability awareness, policies, procedures, and the cyber event reporting obligation.
Below are the minimum requirements:
- Self-Attestation of the contract obligations for compliance – Attesting to compliance
- System Security Plan with the following provable elements (updated periodically):
  - System Boundaries – Identify the network map, connections and segmentation, both initially and throughout the life of the contract.
  - System Environments of Operation – The operating environment where CUI is stored.
  - How the security requirements are implemented – Both the policy and actual evidence that the security requirements are active in real time.
  - Relationships with or connections to other systems – Real-time situational awareness of connections and system profile information.
  - Plan of Action & Milestones – The detailed plan of identified cyber gaps and the remediations they require, updated to show continuous improvement.
  - Incident Response Plan – An approved process defined by the DoD for reporting incidents within 72 hours of the event. The 72-hour time limit is Not
- Be prepared to prove your cyber resiliency with implemented “adequate” cybersecurity controls, cyber event monitoring and processes. If you cannot, your business is at risk from cyber criminals and loss of federal contracts.
The time to prepare for compliance and being cyber prepared is now. If you are part of the aerospace & defense supply chain, your company is listed in multiple database directories indicating that you potentially hold CUI, raising your company’s risk of being attacked. Ensure you are compliant and ready for the October 1, 2018 audits – protect the nation, your business and your employees.
*Register for the upcoming AMP SoCal Bi-Annual Meeting to learn more.
Cytellix, the cybersecurity division of Information Management Resources, Inc. (IMRI), is an industry-standards-based, managed cybersecurity service provider, specializing in proactive behavioral analytics and situational awareness of an organization’s cyber posture. Cytellix has created an affordable outsourced solution for small and medium-sized businesses (SMBs) – which have become one of the largest targets of cyber-attacks in recent years – and its solutions have monitored over 7 million devices thus far. Its best-in-class, turnkey service was designed to help SMBs in government, manufacturing, finance, banking, law, healthcare and higher education sectors take a proactive, low-friction approach to securing their environment. The managed service includes assessments, gap analysis, continuous monitoring, practical plans of action, and customized best practices for remediation and implementation. Cytellix has not only successfully secured the network perimeters for the U.S. Army, Missile Defense Agency and municipal organizations such as the City of Irvine, but its proactive solution has also been deployed at leading corporations, including PricewaterhouseCoopers, Kaiser Permanente and the Walt Disney Company. Cytellix, recipient of the 2018 Gold American Business Award for Most Innovative Company of the year, helps businesses stay in business. For more information, visit