Category: Compliance Readiness

Defense contractors often deal with Classified and Controlled Unclassified Information (CUI) which is vital information that should be protected from access by unauthorized parties to safeguard the United States’ interests in national security.

The U.S. government has recognized this need, leading to the standardized Controlled Unclassified Information (CUI) program implemented by the National Archives and Records Administration (NARA) in 2010. NARA’s responsibilities include defining CUI categories, maintaining a CUI registry, establishing handling procedures, providing training, and overseeing compliance.

Government data breaches can have significant consequences such as compromised national security, privacy violations, loss of public trust, financial loss, and operational disruptions. To mitigate these risks, robust cybersecurity practices are necessary, including risk assessment, training, access controls, encryption, incident response planning, continuous monitoring, and transparent communication.

Supplier Performance Risk Scoring (SPRS) is interconnected with cybersecurity. It involves assessing suppliers on their financial stability, reputation, past performance, security practices, and compliance. Cybersecurity considerations include threat detection, data protection, employee training, and incident response planning.

The number 110 in SPRS for the DoD Self-Assessment according to NIST 800-171 and 171A relates to a company processing CUI and contracting with the DoD. This score indicates the overall cybersecurity stance and is calculated based on 110 evaluation topics, including 42 controls worth 5 points, 14 controls worth 3 points, and 54 controls worth 1 point. A System Security Plan (SSP) is required, and points are deducted for each unmet control, with a minimum possible score of -203.

The detailed evaluation ensures that the company adheres to security standards such as FAR 52.204.21 and various levels of Cybersecurity Maturity Model Certification (CMMC). The resulting score reflects the organization’s overall cybersecurity risk and compliance and must be reported to the DoD as part of contractual obligations.

Defense contractors often deal with Classified and Controlled Unclassified Information (CUI) which is vital information that should be protected from access by unauthorized parties to safeguard the United States’ interests in national security.

Because the disclosure of said information has a high potential to put the nation’s security at risk, it is critical that defense contractors follow the highest of standards in defending it against cyber-threats. Having a strong cyber defense is more important than ever today, as attackers are constantly exploring newer, faster, and cheaper ways to exploit cyber vulnerabilities within the Defense Sector. There are various trends within this field occurring right now that are changing the very nature of cyber warfare. The cyber landscape has never experienced change as fast as it is today, which is why learning about the newest threats and vulnerabilities is a sure way to ensure your business is prepared for the worst…

This article will introduce you to some current important trends within the cyber landscape that are especially prevalent within the Defense Sector and provide recommendations that your business can employ to be equipped to efficiently secure restricted information and continue to win contracts with the government. 

Current Direction

We have entered the “Machine vs. machine era.” What does that mean exactly? Obviously, AI in its youth has already rapidly changed the fabric of how people do things and has no signs of slowing down. Similar to the way everyday people use AI as a tool to quickly perform tasks like research and generating quick solutions, cyber attackers are using it to develop better methods of exploiting businesses’ data and sensitive information. Think about it… the number of connected Internet of Things (IoT) devices is increasing rapidly and constantly, which results in the amount of data produced also increasing rapidly and constantly. It’s at the point where it impossible for humans to analyze all of this data without the assistance of technology. Enter AI. 

Unfortunately, the benefits of AI are just as appealing to attackers as they are to the good guys. Attackers use machine learning models to create malicious code that can be spread throughout various enterprises. In addition, they also create more realistic phishing schemes by using AI to construct highly professional emails that are seemingly authentic and harmless. These are just a couple examples of the wide range of methods that AI can be weaponized. 

Fortunately, it can be argued (at least right now) that the pros of AI outweigh the cons with regards to cybersecurity for defense contractors. Businesses can employ machine learning models to essentially do the job of cybersecurity analysts that work to prevent and detect cyber risks and attacks. Because AI does not get tired, it can be used to continuously monitor a business’s IT infrastructure and recognize patterns of fraudulent activity both externally and internally. For example, AI has the capability to point out malicious code, phishing attempts, and other threats by comparing it to vast amounts of data and accounts of past cyber events. It can also detect when an employee is not following best practices like setting weak passwords and using unprotected networks. The approach of spotting external threats and alerting management of internal weak points are what makes AI very attractive. Defense contractors who are responsible for the protection of highly sensitive information can benefit greatly from utilizing this growing technology. 

The Dangerous Cloud

The Department of Defense (DoD) has awarded contracts with four major cloud service providers, including Amazon Web Services, Google, Microsoft, and Oracle. In addition to that, many medium to large sized government contractors are served by cloud service vendors like Cloudfare, Akamai, and Slack to name a few. Cloud computing infrastructure has skyrocketed in the recent years and is continuing to do so. Businesses are attracted to the cloud because it offers a flexible and cost-effective way to sustainably handle data and provide valuable business insight. There is no denying that cloud computing has changed the way businesses operate for the better, but there are still some disadvantages that come with it and require awareness. 

Cloud services have a high dependence on internet connectivity. If you lose that connection, there could be downtime in which a business may be unable to access data. Cloud services also entails many users active over the same network, which could make it harder to identify when is an actor is committing malpractice. Basically, because businesses are letting important data be stored in the cloud instead of on local servers, they are letting go of some of the control they once had and are relying more on cloud service vendors, thus adding more pieces to what was already a convoluted puzzle. This is not necessarily a bad thing; it just means that all the players (the vendor and the customer) must comply with strict security standards. 

Cyber Supply Chain

One of the most prominent difficulties that the DoD faces is dealing with a complicated supply chain for attaining components for defense systems, including the software, hardware, and other important pieces. What’s even more difficult is maintaining these defense systems, as hardware parts quickly become obsolete and difficult to replace, software is constantly in need of patching and debugging, and microelectronic components are highly susceptible to latent vulnerabilities. This topic is always a high priority when discussing the Defense Sector because the navigating the cyber supply chain is the only way that critical weapon systems get built. Unfortunately, the DoD currently lacks a single cohesive program that allows for collaboration and communication between the government and contractors to assist each other in the prevention and detection of cyber-threats. There is no program where contractors can easily find information on the provenance of certain components and the vulnerabilities they may contain. 

There are obviously things that the government is doing to address this problem, and 2023 has so far been a decently promising year for improving the nation’s cybersecurity. This is seen through:

1)  The eventual requirement of Cybersecurity Maturity Model Certification (CMMC) 2.0, which will ensure that contractors are up to the government’s standards before they sign any contracts. 

2)  Defense Federal Acquisition Regulation Supplement (DFARS) 252.204 – 7012, which became effective on June 9, 2023, requires that defense contractors enhance their protection of unclassified Covered Defense Information (CDI) by following the updated guidelines of the National Institute of Standards and Technology (NIST) 800-171 assessment. 

3)  The Department of Homeland Security’s proposed new regulations which could give them authority on providing standards for defense contractors on handling CUI and requiring them to report to the DHS on cyber incidents in a timely manner depending on the severity of the incident. 

How Your Business Can Stay Prepared

Valor has some recommendations for you to ensure that your business is as informed as it can be on the cyber landscape in the Defense Sector. Therefore, you and your business will be ready in the worst-case scenario of a cyber-attack against your important assets. In this world, you can never be too safe. 

CMMC 2.0

Valor recommends that your business becomes compliant with CMMC 2.0 as soon as possible. Reaching this status will show the government that your business is primed to handle CUI and Federal Contract Information (FCI) in a secure manner. It also shows the government that your business is diligent in complying with high standards, which will likely make the road to winning a contract less of a headache. 

DFARS and NIST Requirements

As mentioned earlier, the DFARS and NIST requirements have recently been updated, and will continue to do so. It’s important to stay up to date with these updates to stay familiar with the latest trends in cyber-threats. 

Investing in AI

AI clearly has the potential to serve as a money-saving, highly efficient tool to monitor your business’s infrastructure. Although it may be a bit of an investment at first, adopting a machine learning model to be on the lookout and send alerts for external and internal threats at a much faster rate than humans ever could prove to be a highly valuable asset. Of course, it is crucial to remember that this technology is still young, but as its capabilities become clearer in the years to come, it would be advantageous for your business to already have some skin in the game. 

Addressing Employee Burnout

It’s no secret that working in the Defense Sector can be highly stressful, as employees are dealing with high stakes information that needs to be handled with the utmost attention and care. Employees working for defense contractors may feel burnt out as attackers constantly bombard them with new ways to exploit cyber vulnerabilities. It’s important to constantly teach them about best practices, update them on the latest trends, and encourage them to do their own research on the subject. Also, make sure all employees are aware of the standards of the CMMC, DFARS, and NIST and they should be more than capable to anticipate and react to cyber-attacks.

Closing

Valor has decades of experience working with defense contractors to assist them in finding the gaps between what they are doing right what they need to improve on to be more secure. Well versed in the understandably overwhelming language of government orders, Valor is able to help businesses much faster than they could on their own, and time is money. Valor also possesses a strong understanding of cloud computing and AI, and it can help your business adopt these services safely. 

The main thing to remember is that defense contractors at the end of the day are businesses. Sure, they sell extremely advanced defense systems and products to the DoD instead of soda pop to the locals, but customers are customers. Every business should strive to do everything in their power to make their customer have trust in them and feel assured that their precious data is being handled as safely as possible. Every business should also strive to do so in a manner that is cost-effective, timely, and with high internal morale. Adopting good cybersecurity practices can help address all these things for any business, but especially for those in the Defense Sector. The stakes of national security are simply too high to not stay up to date with the requirements of the DoD.

Don’t feel ready for these changes? Don’t worry, we’re here to help!

Getting your organization fully prepared for CMMC requirements could take up to 12 months. But what would you say if you could identify relevant cybersecurity threats and gaps in requirements, on your own time and at your own pace? You’re in luck because we’ve done just that!

The team at Valor Cybersecurity is pleased to offer our Cybersecurity Readiness Assessment for $1199, for a limited time. As a bonus for taking our assessment, we will provide you with recommended guidance for better protecting your business and a 30-minute consultation with our team of experts!

Whether the Valor Team can help you now or in the future, we remain poised to support your business’ success and protection.

Access our FREE ‘Cybersecurity For Defense Contractors‘ E-Book.

Author(s): Greg Tomchick and Joe Chang