This is Part 2 of a 2-part InfusionPoints’ Series based on MITRE’s report that recommended critical changes to the Department of Defense’s (DoD) strategic approach to supply chain security.
MITRE Corporation released a report recommending significant changes to cybersecurity in the Department of Defense’s (DoD) supply chain, including changes in the role of cybersecurity in the procurement process. The report, “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War,” is the most recent cybersecurity development for defense contractors, and a sign that change and increased cybersecurity is here to stay.
The report highlighted several key impact areas and provided additional insight for contractors within the DoD Supply Chain, including:
- Increasing the focus on DFARS 252.204-7012, which currently requires all contractors to have "adequate security" to protect Controlled Unclassified Information (CUI), relying on the 110 safeguards contained within NIST SP 800-171
- Calling out cyber security as a differentiator when making acquisition decisions, weighed as heavily as cost, performance and schedule
- Using an independent Security Integrity Score (SIS), much like a "Moody's" rating in the financial world, which rates each potential contractor's cyber security posture in a unified manner through an independent, unbiased third party
- Continuing to monitor and assess contractors for the degree of risk they pose
- Requiring a Software Bill of Materials (SBOM) and a documented Secure Software Design Life Cycle (SSDL) for some programs
- Requiring vulnerability monitoring, coordination, and sharing across the Supply Chain
- Amending DFARS to require commercial insurance coverage for cyber and supply chain security
What do DoD Contractors need to do?
Contractors who own or operate information systems that process, store, or transmit federal contract information, especially those within the DoD Supply Chain, need to do the following:
- Review the 110 security controls provided in NIST SP 800-171 to ensure their security implementation provides "adequate" protection against a range of cyberattacks
- Conduct a DFARS/NIST SP 800-171 compliance gap assessment to understand which requirements they meet only partially or not at all
- Develop a System Security Plan (SSP) to document the current state based on the gap assessment
- Develop a Plan of Action & Milestones (POA&M) to fully remediate the identified compliance gaps
Implementing these security controls is a key first step toward compliance and can be a significant undertaking for any small, medium, or large business. InfusionPoints' cybersecurity practice can help ease this burden. Our proven DFARS/NIST Cyber Security Framework can aid you in meeting the requirements and ensuring the cybersecurity posture of your information systems meets DoD expectations. For more information on protecting Controlled Unclassified Information/Covered Defense Information (CUI/CDI), or to learn how InfusionPoints' consultants can help, please contact our team.
Reference: "Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War." Important note: this document is marked © 2018 The MITRE Corporation. All rights reserved. Approved for Public Release. 18-2417.