Even before news broke of the Equifax credit bureau cybersecurity breach that compromised confidential data of 143 million people, aerospace and defense contractors knew they must step up their efforts to protect digitized information. Dec. 31, 2017, is the deadline for compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (https://goo.gl/eoyMEs), which requires safeguarding covered defense information (CDI) and reporting cyber incidents (computer network intrusions, data breaches).
CDI is the unclassified but controlled technical information a contractor collects, develops, receives, transmits, uses, or stores in support of Department of Defense (DOD) contracts. Any document, data set, or computer program that describes or is used to manufacture a part for a defense contract must carry controls on its dissemination and be protected from unauthorized access.
Information systems that process, store, or transmit CDI must meet the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 1, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” It defines 14 requirement families containing 110 security requirements for protecting controlled unclassified information (CUI) – information not officially classified, but still legally requiring safeguarding (https://goo.gl/sP9eZX). The families cover access control, awareness and training, audit and accountability, identification and authentication, incident response, system maintenance, media protection, system and communications protection, and more.
I sense that many smaller defense subcontractors are scrambling to meet the year-end deadline, evidenced by recent webinars devoted to NIST SP 800-171. The good news is that experts say the government doesn’t expect companies to have every one of the requirements in place, but companies must have plans and documentation showing they will be compliant when entering into contracts in the new year.
The bad news is that every supplier in a defense contract that handles CDI, however far down the supply chain, must implement all 110 security requirements, because the DFARS clause flows down to subcontractors.
Bruce Parkman, CEO of defense cybersecurity firm MainNerve (www.mainnerve.com), says that to minimize the cost of compliance, companies should segregate and limit access to information – ideally to one, non-networked computer and only two people.
It’s no great stretch to imagine NIST requirements being expanded beyond defense contracts. With widely dispersed intellectual property (IP) at risk, having an in-depth cybersecurity action plan spelling out CUI protection makes sense for commercial aerospace contractors, too. I expect to see more upper-tier companies require NIST 800-171 compliance as proof that their suppliers are adequately addressing cybersecurity. – Eric