Small Contractors Struggle with Cyber Rules

By Corbin Evans


Clear policy drives effective implementation. Conversely, complex, opaque policy frequently leads to confusion and lack of compliance. Unfortunately, complexity and lack of understanding limit the Defense Department’s efforts to enhance cybersecurity in its supply chain.

Research by the National Defense Industrial Association’s Manufacturing Division finds that the revised Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, together with the continued evolution of the National Institute of Standards and Technology (NIST) cybersecurity framework, adds more complexity than clarity to the business environment for defense contractors.

Some companies are actively opting out, and others are simply watching from the sidelines, unconvinced that the benefits of compliance are worth the costs. The department needs to streamline the policy, collaborate with industry partners to develop best practices for implementation, and help companies understand the risks to their business in order to incentivize compliance.

Recognizing the risks of cybercrime and interested in contractor efforts to implement evolving policy, NDIA’s Manufacturing Division worked with experts to examine and explain levels of adherence. The resulting study, “Implementing Cybersecurity in DoD Supply Chains,” released in July, highlights findings from a 2017 survey of small- and medium-sized businesses conducted by Michigan State University’s Department of Supply Chain Management in coordination with NDIA members. The full study is available at ndia.org/divisions/manufacturing/resources.

Findings illustrate how defense suppliers struggle to respond to escalating regulatory pressure for enhanced cybersecurity. The report indicates that most respondents, especially small- to medium-sized suppliers, possess a poor understanding of the DFARS and NIST framework.

Although this finding may not surprise others in industry and outside observers, policymakers and defense officials responsible for crafting these rules and regulations should take the results seriously. Effective reform requires clearly understood rules and strong education efforts to streamline implementation; unfortunately, the department has thus far fallen short in delivering clear policy and effective education.

As the report suggests, when contractors are inadequately educated about the technical implications of new cybersecurity regulations, they make poor implementation decisions. The lack of clear policy, and of education on strategies for implementing the new rules, led firms to underestimate the cost of compliance.

According to the survey, companies underestimated upfront compliance costs by as much as 10 times the actual costs. This finding reinforces the need for a more streamlined and user-friendly set of regulations, and it also demonstrates the need to identify and share best practices and to inform companies of the benefits associated with cybersecurity investment.

The report also demonstrates the need for regulators to highlight the benefits of compliance-related investments. Currently, companies don’t view compliance as inherently good for their business; instead, they view compliance with the DFARS simply as the “cost of doing business” with the Defense Department.


This sentiment indicates a widespread undervaluing of the required cybersecurity protections, leading some firms to attempt only minimal levels of compliance to limit the impact on their budget. Lack of policy understanding, coupled with misunderstanding about the return on investment, prevents companies from viewing cybersecurity as an integrated business process.

Alleviating cybersecurity compliance challenges will require action from both policymakers and industry. For government, the authors encourage a set of procedural reforms, including: the development of processes and tools to increase awareness of the need for a focus on cybersecurity; a simplified process for meeting the new DFARS requirement; and the implementation of a certification process, similar to ISO 9001, for cybersecurity across the supply chain.

These steps would clarify policy and regulations and provide tools to streamline compliance, encouraging and enabling industry to comply with regulations more easily, engage in cybersecurity protections more effectively, and predict and lower the costs of compliance more accurately.

The report encourages prime contractors to adopt a leadership role. Larger firms experience the impact of cybercrime more frequently than smaller firms, but it’s only a matter of time before bad actors target smaller companies. By developing compelling business cases for implementing cybersecurity measures and collaborating with their supply chain partners to establish systems that protect information and systems at all levels, these firms are setting an important example for small- and medium-sized businesses.

Prime-level firms are also encouraged to incentivize implementation by rewarding companies that quickly and effectively meet standards. These practices will help to create a top-down forcing mechanism for smaller supply chain firms, requiring and enabling them to take protections seriously if they want to compete successfully in the defense market.

Finally, the report recommends that small- and medium-sized companies improve their understanding of risk, recognize that cybersecurity is a fundamental part of doing business both inside and outside of the Defense Department, and realize that they cannot outsource their company’s cybersecurity requirements.

These firms must accept responsibility for their cybersecurity and the protection of their intellectual property, and thus prioritize protection throughout their businesses.

Corbin L. Evans (cevans@ndia.org) is director of regulatory policy at the National Defense Industrial Association.


Comments (1)

Re: NDIA Policy Points: Small Contractors Struggle with Cyber Rules

Taken from NIST SP800-171A-"The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations".
The normative artifacts, once compiled into a package within a boundary defined by a diagram designed to portray a cybersecurity posture, help define vulnerabilities and the method by which to remediate and continue to monitor over the span of the life cycle of the system. The assignment of responsibility for the various aspects, from the Information System Owner to the System Engineer and Authorizing Official, is a key aspect of successfully obtaining continued compliance. Therefore the education, training and experience levels of the individuals charged with these responsibilities are equally vital. The cost of in-house personnel vs. outsourcing prohibits an acceptance of the responsibility most companies allow themselves to obtain compliance, due to the ongoing nature of continuous monitoring once accreditation is achieved, if enough effort is spent to accomplish this to begin with.
There is no way to simplify the seriousness of threat and therefore no way to simplify the complexity of assessment and consequent remediation requirement and documentation to correspond with the process providing verification of not only the analysis but subsequent work performed to remediate or at least explain why a risk is acceptable in an instance where remediation will adversely affect the operation of specific aspects of a program.
Steps to clarify policy would have to include flexibility accommodating the entire range of systems which contain, produce, process or deliver CUI.
It is this flexibility with complex, opaque policy that inherently creates confusion and lack of compliance. Since the '90s, those responsible for creating policy have struggled with a coherent methodology, constantly changing and updating the regulations and requirements, yet have increased the number of artifacts and the level of difficulty with each update to the assessment methods, the objects, procedures and basic security requirements.
Where is the give and take in order to more easily comply? The threats are vast and real. The methods used to secure systems from the development phase to decommissioning are complex and vary from one system to another. SCADA is vastly different from a database in the way you protect data and access to that data. The list is virtually endless of how diverse information systems have become and the environments in which they are used, and infiltrated by those who pose the threat. I would like to say "so in conclusion," but this is an ongoing marathon of research, policy and standards development along with the procedural methods, not to mention the automation diversity/capabilities in the assessment and accreditation process.
There are numerous organizations attempting to streamline the cybersecurity process, from principle-based assessment architecture and tools researched and developed by universities and professional organizations to appliances that claim to handle the scanning and reporting artifacts.
The only proven successful method is assigning the areas of responsibility to educated and experienced personnel who have access to complex assessment automation products spending their time with data entry and documentation resulting in compliance and accreditation.

Tim Steidel at 9:46 AM