DOD Manufacturers Must Be Cybersecurity Compliant by December 31, 2017
Aliso Viejo, CA (October 3, 2017) – Cytellix (cytellix.com), the cybersecurity division of Information Management Resources, Inc. (IMRI), today announces its managed cybersecurity framework for compliance with NIST SP 800-171 to support DOD manufacturers. “With only 90 days left in the year and the manufacturing requirement looming, many small to medium-sized manufacturers who are suppliers under a prime contractor for the Department of Defense (DOD) have yet to start their compliance work,” said Brian Berger, Cytellix executive vice president of commercial cybersecurity.
All DOD prime contractors have either included DFARS 252.204-7012 (Safeguarding Unclassified Technical Information) in contract flow-downs or have mailed letters to their supply chain stating that this DFARS clause is required under their current and future contracts. The requirements include:
- Compliance by 12/31/2017
- Compliance within 30 days of contract award or notification
- Cyber-attack notification within 72 hours of event
Many manufacturers have not become compliant because past regulatory rules have been adjusted and delayed over time. That is not expected to happen this time, because the requirement is critical to the agencies involved and to the security of the US. DOD manufacturing contracts involve Controlled Unclassified Information (CUI) that is vital to national security and commerce in the US, which is why the DOD, the Department of Homeland Security (DHS) and the Department of Commerce (DOC), through NIST, are all involved. There is no indication of a policy change regarding what is considered “adequate security” for this information. See “Defining CUI – Controlled Unclassified Information for the Manufacturing Segment” for additional information.
Action should be taken for several reasons. At the most basic level of cybersecurity, an organization that follows the Cybersecurity Framework reduces its risk profile for attack. Secondly, new contract awards and the continuation of existing contracts depend on compliance with the framework. Lastly, any business should make the effort to reduce its risk of a cyber-attack, as statistics have shown that two-thirds of small to medium-sized businesses (SMBs) that are attacked are out of business within six months.
The Cytellix managed cybersecurity framework walks an organization through the steps of evaluation, understanding, planning, implementing and monitoring. The framework defines five categories for compliance: Identify, Protect, Detect, Respond and Recover. These categories make up a set of critical systems, management, policies, planning and technology solutions. Compliance requires familiarity with a number of acronyms: SSP, POAM, CSET, NIST, DFARS. These are not simple, but they can be reduced to a set of deliverables:
- Assessment – A critical review of the organization's cyber posture (the truth as of a point in time)
- Gap Analysis – Understand and identify the cyber gaps and vulnerabilities (SSP – System Security Plan)
- Plan of Action – The plan to remediate the cyber gaps (POAM – Plan of Action and Milestones)
- Cyber Breach Detection – Monitoring of the infrastructure for cyber events that meet the cyber-attack notification requirements
“Ok, let’s look at reality. Most organizations that I have been involved with in regard to helping them through cyber compliance are graded using tools from DHS. They typically average between the high 20s to mid-30s out of 100% compliant,” added Berger. “The gap between these low scores and compliance is knowledge and a plan. Cyber skills are scarce. IT has a full-time role keeping systems operational and cyber has come with a new set of responsibilities that take time, skills, and focus to implement.”
Berger continued, “One organization that I met with did not have a firewall, had a flat network, and recently had three ransomware attacks. Does this sound familiar? There are some very reasonable and fast solutions to help an organization boost/move their cyber posture from ‘attack me’ to ‘attack someone else.’ The industry has been saying the same thing for a while: You have been, will be, or are under ‘attack.’ There is no option that says, ‘we have been safe and are not important to attackers.’ If you have money, a business, a computer – you are a target. Is it worth the risk?”
Berger concluded, “There is good news: it’s not too late, and the ability to outsource is a supported model for DOD compliance. Get started regardless of industry or contract requirements—the framework applies to companies of all sizes. Time to get cyber prepared!”
For more information about Cytellix and how they can support companies with becoming NIST SP 800-171 compliant, attend one of the Cytellix NIST 800-171 webinars (cytellix.com/webinarregistration), visit cytellix.com or call 949.215.8889.
Cytellix, the cybersecurity division of Information Management Resources, Inc. (IMRI), is an industry-standards-based managed cybersecurity service provider specializing in proactive behavioral analytics and situational awareness of an organization’s cyber posture. Cytellix has created an affordable, outsourced solution for small and medium-sized businesses (SMBs) – which have become one of the largest targets of cyberattacks in recent years – and its solutions have monitored over 7 million devices thus far. Its turnkey service was designed to help SMBs in the government, manufacturing, finance, banking, law, healthcare and higher education sectors take a proactive, low-friction approach to securing their environments. The managed service includes assessments, gap analysis, continuous monitoring, practical plans of action, and customized best practices for remediation and implementation. The Company has been recognized with numerous honors, including the 2017 American Business Award, the 2016 Small Business Administration Person of the Year award, the 2015 Patriot Award and the 2014 White House Champion of Change Honor. For more information, please visit cytellix.com.