By: Dave Stewart, Director of Governance, Risk, & Compliance (GRC), MAD Security | July 9, 2019
For several years, the DFARS regulation and the associated NIST SP 800-171 security controls have been a bane of existence for many DoD contractors. From not having a clear understanding of the regulation and how it is enforced; to many project offices not knowing or defining what CUI is on contracts. Cultural and discipline changes within an organization, to making all of this a “cost of doing business”. Now, with an announced forthcoming maturity model and changes to allowable costs, there might be a light at the end of the tunnel.
The landscape of Cybersecurity in the world of DoD contractors is about to change again.
Up until now, companies and organizations have had to “self-certify” their implementation and compliance with DFARS and the NIST 800-171 security controls. Considered to be a cost of doing business, the vast majority of contractors have not implemented NIST 800-171 within their information systems, or rather many have done the absolute bare minimum in order to try and get where they need to be with as minimal cost as possible as to not increase their competitive rates.
Which is understandable as small and medium sized organizations have difficulty with resources maintaining a full-time cybersecurity staff.
Two major items were announced by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, that the DoD is creating a cybersecurity assessment maturity and certification program and that cybersecurity is now an allowable cost on certain types of contracts.
If the Pentagon follows through on the ability to make cybersecurity an allowable cost this could be a huge turning point for procurements. Definitely need to take a wait and see approach for this particular development.
The other big announcement is that Ms. Arrington is leading the effort within DoD to develop and institutionalize the new Cybersecurity Maturity Model Certification (CMMC) standard for vendors.
While details are yet to be confirmed, it is possible that we can start seeing the accreditation process beginning in the latter half of 2020.
The NIST SP 800-171 will still be the basis for the controls and grading criteria, however, a framework for determining the maturity level of an organization is being developed. There are several good frameworks already out there that it will most likely be based on: For example, NIST Cybersecurity Framework, FFIEC, Risk Management Framework, just to name a few. What it will come down to ultimately is the level of maturity that an organization is will determine what types of contracts they can bid on, contracts they can maintain, and also winning new business based on having a higher CMMC level than your competitor.
What can you do now?
As said earlier, a vast majority of DoD contractors still have not implemented NIST SP 800-171 within their information systems. Based on this new information, the thought would be to wait it out and see what happens next. This would not be wise. More and more project offices are continuing to add DFARS and 800-171 requirements on contracts. CUI still has to be protected no matter if the CMMC comes out and/or if costs are allowable on contracts. Do not continue to wait.
If you waited until the compliance maturity model is implemented, if you wait to do anything until that point, that will only make it more difficult and take longer to qualify to bid on new contracts and possibly maintain current contracts.
Continue to get out in front of it now. Get your security posture to its highest level. Give your clients and customers the peace of mind that you are protecting their data.
MAD Security is here to help you with solving the cybersecurity puzzle for your organization.
First, you need to know where you are before you create the roadmap of where you need to be. We will assess your current environment, provide a detailed report of the gaps within and create an actionable Plan of Actions & Milestones (POA&M) and help you develop your System Security Plan (SSP).
Many organizations might have created an SSP and POA&M, however, because of a lack of resources available have been unable to take steps to work on the POA&M and improve their security posture. Our Virtual Compliance Manager (VCM) will help you manage your compliance and implementation activities to ensure they meet the requirements of the 110 controls from the NIST SP 800-171. The VCM is your “right-hand man”, so to speak, in helping to keep the projects updated and ensuring that they are completed and to increase the cybersecurity maturity of your organization.
A key component of increasing your security posture and cybersecurity maturity is having a Continuous Monitoring Strategy in place. One part of that is our Managed Security Service (MSS) will help you continuously monitor your environment 24/7 for the peace of mind of meeting many of the 110 controls. This is important in that it validates controls that are in place to ensure that they are functioning properly. It provides a deeper visibility into your infrastructure with continuous monitoring.
In addition, a new revision of the NIST SP 800-171 and a supplement 800-171B will be coming out soon. Organizations will need to review these controls for any changes that may impact their posture. The VCM will help guide you through these changes.
As part of the roadmap developed by the VCM, understanding the maturity of the organization is key. Just putting policies and procedures in place is not enough. They have to be acted upon and used. For example, an Incident Response Plan and Business Continuity procedure may be in place, but if it is never tested, the maturity level of the organization will be low. A maturity model assessment will help you understand the level of maturity you are at now and what needs to be done for the desired state of the company.
Changes are coming. Your organization’s implementation of security controls and its maturity level will matter. Security will be the foundation of acquisition criteria, do not be left behind when this is implemented.