Foreign hackers are targeting U.S. contractors, and widespread security breaches have resulted in the theft of economic, military, and technological secrets.
Now, the government is drawing a line in the sand.
Contractors not complying with the cybersecurity guidelines set forth in the National Institute of Standards and Technology (NIST) Special Publication 800-171 and the Defense Federal Acquisition Regulation Supplement (DFARS) are on a ticking clock. Vendors should begin seeing changes within the year. Third-party audits are on the horizon, and contractors hoping to win government contracts will need to fall in line.
Earlier this year, NIST released a supplement for nonfederal systems and organizations handling Controlled Unclassified Information (CUI). SP 800-171B offered more than 30 recommendations for contractors to tighten their security protocols and protect against advanced persistent threats (APTs).
Among them:
- Implementing dual-authorization access controls for critical or sensitive operations
- Employing network segmentation
- Deploying deception technologies
- Establishing or employing threat-hunting teams
- Enlisting a security operations center to continuously monitor system and network activity
DFARS was released in 2015 by the DoD, laying out minimum cybersecurity standards for government contractors. In 2018, fewer than 60 percent of small and medium-sized defense contractors surveyed said they had read those standards. Of those that had, half cited difficulty deciphering the complex document. Only about 45 percent had read the NIST special publication guidelines, citing similar difficulties.
The new framework, known as the Cybersecurity Maturity Model Certification (CMMC), is expected to take effect by January and will expand upon the existing NIST SP 800-171. The CMMC will evaluate contractors' ability to protect sensitive data, rating them on a scale of 1 to 5.
Noncompliance with these new standards could not only put the kibosh on a contractor’s work order but could potentially result in other penalties.
Of course, adherence to the new cybersecurity guidelines requires significantly more resources, and the associated costs, from contractors, which could prove debilitating for small companies.
But the DoD sees this as a small price to pay for the protection of the nation's top secrets.
Not only are contractors being put on notice, but those in their supply chain are being watched, as well.
Fortunately, Secom has your security plan in place.
Our Security Operations Centers in Columbia, MD and Virginia Beach work around the clock to detect and prevent security events in real time.
Our managed detection and response team can monitor, track, and actively respond to any and all threats facing your networks, 24 hours a day, 7 days a week, 365 days a year.
We offer:
- Active threat hunting and response
- Monthly reporting
- Endpoint protection
- And much more!
Contact us today. We can help you raise your standards, meet your deadlines, and protect your clients' sensitive data.