This is Part 1 of a 2-part InfusionPoints’ Series based on MITRE’s report that recommended critical changes to the Department of Defense’s (DoD) strategic approach to supply chain security.
MITRE Corporation recently released a report recommending significant changes to cybersecurity for the DoD supply chain, including changes in the role of cybersecurity in the procurement process. The report, “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War,” is the most recent cybersecurity development for defense contractors, and a sign that change and increased responsibility and accountability for cybersecurity is here to stay.
The report focuses on building a strategy for the DoD to Deliver Uncompromised solutions. It makes recommendations for sweeping changes across the DoD and its supply chain to institute a deliberate, inherent elevation of integrated risk management, from concept through retirement of solutions, to ensure mission resilience.
Given the evolving threat environment and the direct impact on the DoD, the report identifies fifteen strategic courses of action (COAs) to address the cyber and supply chain security challenge. The COAs fall into roughly five major change areas: Governmental Change, Organization Change, Awareness, Independent Assessment, and Supply Chain Change. Cyber and supply chain vulnerabilities span the entire U.S. Government and extend into the private-sector supply chain. Building effective deterrence against these threats will require time and deliberate planning.
What do DoD Contractors need to do?
Contractors who own or operate information systems that process, store, or transmit federal contract information, especially those within the DoD Supply Chain, need to do the following:
- Review the 110 security controls outlined in NIST SP 800-171 to ensure their security implementation provides adequate protection against a range of cyberattacks.
- Conduct a gap assessment to understand which requirements they meet only partially or not at all.
- Develop a System Security Plan (SSP) to document the current state based on the gap assessment.
- Develop a Plan of Action & Milestones (POA&M) to fully remediate identified gaps.
Implementing these security controls is a key first step toward compliance and can be a big undertaking for any small, medium, or large business. Luckily, InfusionPoints’ cybersecurity practice can help you ease this burden. Our proven DFARS/NIST Cyber Security Framework can aid you in meeting the requirements and ensuring that the cybersecurity posture of your information systems meets DoD requirements. For more information on protecting Controlled Unclassified Information/Covered Defense Information (CUI/CDI), or to learn how InfusionPoints’ consultants can help, please contact our team.
Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War. Important note: this document is marked © 2018 The MITRE Corporation. All rights reserved. Approved for Public Release. 18-2417.