Are You Ready for DOD's New Mandate?
U.S. defense contractors must prepare to meet a first-of-its-kind mandate.
There’s a new National Institute of Standards and Technology (NIST) cybersecurity framework that’s going against the grain. The Department of Defense has mandated that contractors comply with the guidance laid out in NIST special publication 800-171, which aims to strengthen the protection of controlled unclassified information. Why focus contractors’ limited resources on protecting information that is not top secret? Even if information is not top secret it still can be sensitive. For example, social security numbers, contact information, bank account details and other personal information about U.S. citizens, including government employees, fall under this category, and most of us would be hard pressed to argue our private data should not be protected.
The NIST guidance is broken into 14 categories that include controls and processes around access control, risk assessments, identification and authentication, configuration management, audit and accountability, among others. More specifically, contractors are required to patch high-level critical vulnerabilities within 90 days, encrypt high-level data sets, monitor user behavior, implement an insider threat program and put an access control policy in place.
Like the NIST Cybersecurity Framework, NIST 800-171 focuses on risk. It pushes contractors to understand where the most valuable data lives and moves, who accesses it, how users are interacting with it and threats and vulnerabilities that put that data at risk of a compromise. It’s a risk-based methodology that should be adopted by public and private sector organizations alike.
The more challenging requirements fall under reporting and monitoring. On the reporting front, prime contractors must be aware of the compliance status of all the subcontractors on each of their contracts. Many of the subcontractors will need to demonstrate they have implemented the necessary controls and have conducted some level of risk assessment to identify data types. A prime contractor, for example, must show it is encrypting data where appropriate. However, for many large contractors, data is scattered everywhere, sitting in siloes with different levels of protection. That is without even considering the data located with subcontractors.
They have no simple way of bringing the data together into one view, so they can easily see what’s encrypted, what’s not and what should be. Thus, compliance becomes a time-consuming spreadsheet exercise with security teams manually reaching out to different departments, and filling in the necessary information. In a large enterprise environment, that process can take six months to a year, risking the contract being put on hold until they can demonstrate compliance, and allowing critical threats and vulnerabilities to sit unmitigated for even longer. Not to mention even when contractors show compliance, it’s a point in time view that does not support continuous cyber risk management. The data in the spreadsheets may also be massaged as those tasked to fill in the information try to align data sets so it all makes sense.
When it comes to monitoring, many contractors do not have a process for identifying in a dynamic fashion which data is classified, sensitive or publicly available. Without understanding which data, if compromised, would impact the mission the most, how are they supposed to know which users and entities to monitor? The task becomes even harder for large contractors who are managing thousands of employees and subcontractors working on multiple different contracts. Investigating every potential threat for that number of people isn’t practical, which is why a risk-based approach is key. If they know which data sets are most sensitive, then they know to prioritize users who are elevating risk of that data being compromised.
In addition to adopting a risk-based approach, a combination of technologies can help achieve and maintain compliance. Contractors should leverage tools that highlight where sensitive data resides and use tagging technologies to label data sets appropriately. They should also deploy basic security tools like encryption and multi-factor authentication in addition to data loss prevention to detect and stop sensitive data from leaving before it’s too late. User and entity behavior analytics should be integrated to not only detect unusual behavior, but also to prioritize threat alerts based on users’ risk profiles so that analysts only receive the most critical threats, and can act quickly to mitigate. Finally, automating compliance and security processes would save manpower and time, and better protect the organization as a whole because everyone is working off the same set of data and is able to see their security and compliance posture at any point in time.
By January 1, contractors must show they have a plan in place to comply. Considering the special publication came out two years ago, I suspect many are on their way to compliance, or at least I hope so. DOD contractors are handling some of our most sensitive information—your data, my data, our nation’s data. They must step up their cybersecurity game to protect that data and this is a first step along that path.
Thomas Jones is a federal systems engineer at Bay Dynamics, a cyber risk analytics company. With more than 25 years of experience in information technology, Jones has held roles as a federal contractor, sales engineer, solutions architect, system engineer, network engineer and senior consultant working with the federal government.