1, April 2019
5 Frequently Asked Questions Among Manufacturers about Government Cybersecurity Requirements
This article originally appeared on Industry Today. Guest blog post by Jennifer Kurtz, the Cyber Program Director at Manufacturer’s Edge, an NIST MEP Center in Colorado and a representative of the MEP National NetworkTM.
According to the U.S. Department of Homeland Security, manufacturing is the second most targeted industry based on the number of reported cyberattacks. Further, cyber criminals view small and medium-sized manufacturers (SMMs) as prime targets because many of these companies don’t have adequate preventative measures in place.
For Department of Defense (DoD), contractors and subcontractors, business as usual is no more. The federal government, which is increasingly reliant on external service providers to conduct business, has upped the ante when it comes to protecting controlled unclassified information (CUI) in nonfederal information systems and organizations. As of December 31, 2017, all federal government contractors were obligated to meet the Defense Acquisition Regulation Supplement (DFARS) minimum cybersecurity requirements or risk losing their contracts. Despite this past due deadline, many SMMs lack the knowledge and resources to upgrade their systems and are at a loss on how to meet these 110 new security requirements. Of important note, the Federal Acquisition Regulation, which applies to government contractors working on behalf of the General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA), will soon include similar cybersecurity requirements.
The MEP National Network, a public-private partnership that delivers comprehensive, proven solutions to U.S. manufacturers, has been actively providing awareness and assistance to help U.S. manufacturers protect their information assets from the risks of cyberattacks. The organization and its partners also serve as a national resource to U.S. manufacturers seeking to implement adequate security to safeguard stored, processed and transmitted Controlled Unclassified Information.
Following are five of the most frequently asked questions I hear from SMMs about the federal government’s DFARS security guidelines.
Q: What is Controlled Unclassified information (CUI) and how do I know if I am handling this type of information as part of my contract?
A: Controlled unclassified information (CUI) is data that is government-proprietary. It is information the government wants held secure, but is not vital to national security. The DFARS clause 252.204.7012 may appear in your contract, but it is only enacted if you process, store or transmit CUI. CUI may include: research and engineering data, engineering drawings, specifications, manuals, technical reports, studies and analyses, and computer software executable code and source code. CUI will have special marking and handling instructions such as FOUO (For Official Use Only). For more information on CUI markings see the CUI registry.
Q: Is DFARS compliance required by law?
A: Any contractor or subcontractor that has a DFARS clause in their contract is lawfully required to comply. If you falsely claim to be compliant, you risk losing your government contract and all associated earnings and will likely be ineligible for future government contracts.
Q: I own a small business and my government contracts are small in scale. Does DFARS compliance apply to me?
A: Regardless of the size of your company or your contract, if you are a federal government contractor or subcontractor that processes, stores or transmits CUI you must comply. Cyber criminals target smaller companies since they typically have fewer security measures in place. Companies at lower tiers of the supply chain may be easier to penetrate than trying to break into the networks of its primary target. A supply chain attack may be an easier route to controlled unclassified government information than trying to access government networks directly.
Q: How do I know whether my company is currently DFARS compliant?
A: Consult the NIST Handbook 162. This handbook provides a step-by-step guide to assessing a manufacturer’s information systems against the DFARS security requirements.
Q: My organization does not meet the minimum DFARS guidelines but I don’t know where to begin the compliance process?
A: Implementing a government-approved cybersecurity plan can be a daunting task. You can get started by reviewing the NIST SP 800-171 publication which outlines the DFARS requirements. You can also reach out to the MEP National Network to connect you with your local MEP Center. Local MEP Centers offer a wide range of free or affordable services and initiatives to guide manufacturers through the compliance process. These services include connections to cybersecurity experts who can develop a detailed gap analysis of protocols and procedures and create an action plan that addresses vulnerabilities and other compliance issues.
Q: My company is not a government contractor, but I’d like to enhance our cybersecurity protocols. Can I use the DFARS guidelines?
A: Absolutely. Manufacturers operating in commercial supply chains should seriously consider implementing the DFARS security requirements as an integral aspect of managing their organizational risks.
As the manufacturing sector becomes increasingly digitized, the need to understand, mitigate and respond to increasingly complex cyber threats has become the cost of doing business.
About the Author Jennifer Kurtz.