Defense contractors must prepare for ‘trust but verify’ era

Defense contractors across the U.S., including those in and around the District of Columbia, are facing new and more stringent information security regulations that require companies to pass additional hurdles before engaging in contract work with the Department of Defense and its ancillary agencies.

These regulations, some of which may begin appearing in RFPs as early as this spring, trace their roots back to early 2020, when the DoD, in partnership with Carnegie Mellon and Johns Hopkins, formed what is known today as the Cybersecurity Maturity Model Certification (CMMC) program, governed by the Cyber Accreditation Body (Cyber AB). The program requires all defense prime contractors and subcontractors who access, store and/or transmit Controlled Unclassified Information to implement a specified level of cybersecurity.

The upcoming contract requirement known as the DFARS 7021 clause adds a “trust but verify” component to the existing federal contract data protection requirements identified under DFARS 252.204-7012, Safeguarding Covered Defense Information & Cyber Incident Reporting. Prior to CMMC’s release, defense contractors were able to self-attest that their businesses were abiding by the established contract security standards.

All that is changing now.

While these regulations will undoubtedly mean additional time and effort for defense contractors, they are essential to ensure that sensitive information is kept secure. With more than 500 government contractors in the Hampton Roads, Virginia, area alone, preparing for these new requirements is of utmost importance. Those who do so most efficiently and effectively are likely to come out on top in the highly competitive government contracting landscape.

To prepare for the new regulations, organizations should take proactive action to determine their gaps, prioritize resource allocation to address those gaps, and continually adjust to the moving target of cybersecurity compliance across the DoD contracting landscape.

Here are a few key steps for accomplishing those objectives:

  • Review any existing (if applicable) or upcoming contracts to identify security requirements/DFARS clauses.
  • Identify whether the business handles only FCI (Federal Contract Information) or the more sensitive CUI (Controlled Unclassified Information). The company’s contracting officer should be able to help make this determination.
  • Review NIST 800-171 controls in preparation for performing a security controls analysis.
  • Ensure there is an established company-wide cybersecurity training program, to include initial and ongoing cybersecurity awareness and education. Continuous cyber training will empower and enable company personnel to identify threats and mitigate their business impact.
  • Consider obtaining outside resources, over the short term or the long term, to supplement in-house staff: to help identify gaps in the organization’s readiness posture, to assist with drafting operational security policies, and to position the organization for continued CMMC compliance.

Defending National Security: The Guide to Cybersecurity for Defense Contractors

In today’s world, cybersecurity has become an essential requirement for companies across all industries, and defense contractors are no exception. These organizations handle highly sensitive data and information that, if compromised, could have severe consequences for national security.

Given this, executives in defense contracting must take cybersecurity seriously and make it a top priority for their organizations. In this article, we’ll explore some of the critical cybersecurity requirements that defense contractors must adhere to, and offer some best practices for ensuring their cybersecurity measures are effective.

Understanding the Cybersecurity Threat Landscape

To understand the importance of cybersecurity in defense contracting, it’s essential to first understand the threat landscape. Cyber threats come in many forms, including malware, phishing attacks, ransomware, and social engineering, to name a few. These threats are becoming more sophisticated and complex, and attackers are continually looking for new vulnerabilities to exploit.

The consequences of a successful cyber attack on a defense contractor can be significant, ranging from loss of sensitive information to damage to critical infrastructure, and even the potential for loss of life. Additionally, cyber attacks can result in costly downtime, damage to the organization’s reputation, and potential legal and regulatory consequences.

Cybersecurity Requirements for Defense Contractors

Defense contractors are subject to a variety of cybersecurity requirements to ensure they are adequately protecting their data and systems. These requirements come from a range of sources, including federal regulations and contractual obligations. Here are some of the most critical cybersecurity requirements for defense contractors:

Compliance with the Defense Federal Acquisition Regulation Supplement (DFARS)

The DFARS is a set of regulations that apply to all Department of Defense (DoD) contractors and subcontractors. The regulation requires defense contractors to implement specific cybersecurity controls and safeguards to protect controlled unclassified information (CUI) from unauthorized access, disclosure, and theft.

Some of the key requirements of DFARS include implementing security controls based on the NIST SP 800-171 standard, conducting periodic security assessments, and reporting cyber incidents to the DoD.

Compliance with the Cybersecurity Maturity Model Certification (CMMC)

The CMMC is a new cybersecurity standard developed by the DoD to ensure that contractors are adequately protecting sensitive information. The standard includes five levels of cybersecurity maturity, with each level building on the previous one.

To do business with the DoD, defense contractors must achieve a specific CMMC level, depending on the nature of the work they are performing. The CMMC framework requires defense contractors to demonstrate compliance with various cybersecurity controls and practices.

Implementation of a robust cybersecurity program

Defense contractors must have a comprehensive cybersecurity program in place to protect their systems and data. A robust cybersecurity program includes measures such as access controls, network segmentation, data encryption, and incident response planning.

Additionally, organizations must have policies and procedures in place to ensure that all employees understand their roles and responsibilities regarding cybersecurity, and are trained to identify and report potential security threats.

Best Practices for Ensuring Effective Cybersecurity

Given the critical nature of cybersecurity for defense contractors, it’s important to follow best practices to ensure that their cybersecurity measures are effective. Here are some best practices to consider:

Conduct regular security assessments

Security assessments are a critical component of a robust cybersecurity program. Regular assessments help identify vulnerabilities in the organization’s systems and infrastructure, and ensure that all security controls and safeguards are working as intended.

Use a defense-in-depth approach

A defense-in-depth approach involves implementing multiple layers of security controls and safeguards to protect systems and data. This approach includes measures such as firewalls, intrusion detection and prevention systems, endpoint protection, and network segmentation.

Encrypt sensitive data

Encrypting sensitive data is an effective way to ensure that it remains protected, even if it is accessed by unauthorized individuals. Encryption should be applied to all data at rest and in transit, including data stored in the cloud or on portable devices.

Implement access controls

Access controls help ensure that only authorized individuals can access sensitive data and systems. This includes measures such as multi-factor authentication, strong password policies, and role-based access control.

Develop an incident response plan

An incident response plan outlines the steps that an organization should take in the event of a cybersecurity incident. The plan should include procedures for detecting and reporting incidents, as well as guidelines for containing and mitigating the damage caused by the incident.

Train employees on cybersecurity

Employees are often the weakest link in an organization’s cybersecurity defenses. As such, it’s essential to provide regular training to employees on cybersecurity best practices, as well as the organization’s policies and procedures for reporting security incidents.

Stay up-to-date on cybersecurity trends and threats

Cyber threats are constantly evolving, and it’s essential to stay up-to-date on the latest trends and threats. This includes attending industry conferences, participating in cybersecurity information-sharing networks, and regularly reviewing threat intelligence reports.

Ultimately, cybersecurity is a critical requirement for defense contractors, given the sensitive nature of the data and information they handle. To ensure that their cybersecurity measures are effective, defense contractors must comply with relevant regulations and standards, and implement best practices for cybersecurity. By doing so, they can help protect their organization, their customers, and ultimately, national security.

Don’t feel ready for these changes? Don’t worry, we’re here to help!

Getting your organization fully prepared for CMMC requirements could take up to 12 months. But what would you say if you could identify relevant cybersecurity threats and gaps in requirements, on your own time and at your own pace? You’re in luck because we’ve done just that!

The team at Valor Cybersecurity is pleased to offer our Cybersecurity Readiness Assessment today. As a bonus for taking our assessment, we will provide you with recommended guidance for better protecting your business!

Whether the Valor Team can help you now or in the future, we remain poised to support your business’ success and protection.

Authors: Greg Tomchick and Jeff White

If you like our newsletter, please subscribe today and check out our other channels.

The Digital Risk Digest Newsletter: https://www.linkedin.com/newsletters/…

Youtube: https://www.youtube.com/@valor-cybers…

LinkedIn: https://www.linkedin.com/company/valo…

Twitter: https://twitter.com/valorcyber