Department of Defense Goal is to Streamline Enforcement for DFARS 7012 Compliance

Author
Department of Defense Goal is to Streamline Enforcement for DFARS 7012 Compliance

Department of Defense (DoD) may seek to outsource it’s supply chain cybersecurity audits by allowing organizations to verify DFARS 7012/NIST SP 800-171 compliance.  During a Jan. 29th  Senate Armed Services Cybersecurity Subcommittee hearing on DoD's policies and threats, DoD's CIO Dana Deasy said contractors were "an extension of what we do" and must be treated as a part of the DoD’s own networks.

To help with these challenges, DoD is looking at a model where an Agency or Prime Contractor will leverage a commercial certification process to validate a contractors' security posture against the NIST SP 800-171 standard.  The DoD's goal is to find a better way to enforce compliance and move away from solely relaying on a self-certification process and move to a process that will evaluate and validate the self-assessments, then assign confidence scores. To take it a step further the DoD "is identifying and possibly even certifying companies that can play the role, that can follow the NIST standard, and actually go in and look at a second- or third-tier supplier," Deasy said.

There is precedence for this type of certification, GSA developed the Federal Risk and Authorization Management Program (FedRAMP) to provide a marketplace for cloud-based solutions that Federal Agencies need and other commercial Cloud Services Providers must leverage. The FedRAMP marketplace promotes reusability to save money and time for Agencies and Industries.

“A lot of the problems that have occurred," Deasy said, "it does come back many times to basic hygiene."   One point of interest in the meeting was the cyber intrusion protection challenge, the time it takes to;

  • Detect,
  • Analyze,
  • Contain,
  • Eradicate, and
  • Recover from a breach. 

InfusionPoints, leverages a proven monitoring and detection methodology to rapidly identify and eradicate breaches as they occur with our Virtual Network and Security Operations Center 360° (VNSOC360°)

We are seeing the DoD taking action to move a DoD supply chain audit forward as we wrote about last week in the blog "DFARS Compliance Audits are Coming...Are You Prepared?"

What we are seeing in the DoD supply chain

We are seeing fundamental cybersecurity issues at all levels of the supply chain.  We have work with many organizations in the DoD supply chain and we find many organizations are missing basic cybersecurity controls, including:

  • Policies and procedures
  • Firewall management
  • Monitoring and detection
  • Incident response
  • Access controls
  • Two factor authentications

So what do YOU need to do?

Contractors who own or operate information systems that process, store, or transmit Covered Defense Information (CDI), need to do the following:

  • Review the security controls outlined in NIST SP 800-171 to ensure their security implementation provides sufficient protection against a range of cyberattacks.
  • Conduct a gap assessment to understand what requirements they do not meet.
  • Develop a SSP and POA&M to remediate identified gaps.
  • Develop a plan to track flow down requirements for CDI.
  • Develop a plan to assess the compliance of your suppliers.

Implementing these security controls is a first step to becoming compliant and can be quite a big undertaking for any business. Luckily, InfusionPoints cybersecurity practice can ease this burden. Our proven DFARS/NIST Cyber Security Framework can aid you in meeting requirements and ensuring the cybersecurity postures of your information systems. For more information on protecting CDI, or to learn how InfusionPoints’ consultants can help you and your team, please contact our team.

References:

This is not a legal or contract opinion, if you have contract or legal questions please reach out to your contracting officer or legal counsel for further clarification.

Let us know how we can help with your CyberSecurity Challenges

Contact Us