With the renewed emphasis within the U.S. Department of Defense (DOD) on trustworthy information systems and supply chain security, it is essential for companies in the DOD vendor supply chain to have the capability to express their information security policies and procedures with clarity and specificity.\u00a0 This will demonstrate compliance with, at a minimum:<\/p>\n
These regulations are authorized by the 2002 Federal Information Security Management Act (FISMA) information technology requirements and emphasize, among other things, the supply chain protection elements DOD must consider when procuring systems, components, and services necessary for mission success. To ensure to DOD that a company has such capabilities a demonstration of the security controls that a company in the supply chain currently has in place must be made.\u00a0 And, according to regulations issued in November, 2013, and updated December, 2014, this demonstration must be made in accordance with best practices as outlined in the National Institute for Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, Appendices F & G.\u00a0 If such controls are found to be insufficient in an initial assessment, a step-by-step remediation plan should be outlined and implemented according to a systematic schedule.<\/p>\n
Background<\/strong><\/p>\n Vendors in the DOD supply chain have a responsibility to meet the requirements of DFARS Subpart 204.73 (added November 18, 2013) for safeguarding \u201cunclassified controlled technical information<\/em>\u201d residing on or transiting through unclassified information systems. DOD vendors are also responsible for reporting an incident to DOD within 72 hours of discovery in accordance with criteria set forth in FAR Subpart 252.204-7012. A cyber incident would include exfiltration, manipulation or other loss or compromise of data or any other activity that constitutes a breach of authorized access.\u00a0 Incident data that must be reported includes:<\/p>\n Summary of Controls<\/strong><\/p>\n The key controls that a company must ensure are divided into 14 major categories<\/p>\n Specific controls that map back to NIST SP 800-53 are called out in the DFARS.\u00a0 From 12 to 3 specific controls have been specified within each of the 14 categories and, when combined and fully operational, the control set is aimed at building a defense-in-depth cybersecurity strategy.<\/p>\n Compliance Challenges<\/strong><\/p>\n According to several interviews with DOD prime contractors that purchase goods and services from specialty firms, many of their suppliers are smaller firms without the in-house information technology capabilities to implement FAR 204.\u00a0 These small and medium-sized enterprises (SMEs) must first perform a baseline assessment of their current conditions in each of these categories.\u00a0 They must then map their current implementation to applicable regulatory controls and assign priorities to each.\u00a0 They must then begin a systematic process for upgrading their administrative, technical and operational controls to meet the NIST 800-53 Standard.\u00a0 This is an expensive and time-consuming process that will take these SME personnel away from their core responsibilities, and divert them toward a regulatory and compliance activity that will not help their bottom line.\u00a0 However, given the uptick in cyber-attacks on US targets, this is likely to be a time-consuming, but necessary process.<\/p>\n The Defense Industrial Base – Information Sharing and Analysis Center (DIB – ISAC) has developed a program for verifying compliance in accordance with these rules; CyberVerify. \u00a0CTIN is currently developing a SaaS-based software application to make the compliance process less painful for the small companies subject to these rules; VendorCET. Contact us at: rjg (at) ctin.us for more information.<\/p>\n","protected":false},"excerpt":{"rendered":" Small and medium-sized enterprises in the DOD supply chain have some work cut out for them to come into compliance with recent FAR regulation changes.<\/p>\n","protected":false},"author":2,"featured_media":3697,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"elementor_theme","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[27,122],"tags":[264,265,266,267,218,268,269],"class_list":["post-251","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-policy","category-regulations","tag-defense-industry","tag-dfars-204-73","tag-federal-acquisition-regulations","tag-fips","tag-nist","tag-nist-sp-800-53","tag-policy"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n
\n\n
\n \n \n
\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n