NDIA POLICY POINTS CYBERSECURITY
Small Contractors Struggle with Cyber Rules
Clear policy drives effective implementation. Conversely, complex, opaque policy frequently leads to confusion and lack of compliance. Unfortunately, complexity and lack of understanding limit the Defense Department’s efforts to enhance cybersecurity in its supply chain.
Research by the National Defense Industrial Association’s Manufacturing Division finds that the revised Defense Federal Acquisition Regulation Supplement (DFARS) part number 252.204-7012, and the continued evolution of the National Institute of Standards and Technology cybersecurity framework, add more complexity than clarity to the business environment for defense contractors.
Some companies are actively opting out, and others are simply watching from the sidelines, unconvinced that the benefits of compliance are worth the costs. The department needs to streamline the policy, collaborate with industry partners to develop best practices for implementation, and help companies understand the risks to their business in order to incentivize compliance.
Recognizing the risks of cybercrime and interested in contractor efforts to implement evolving policy, NDIA’s Manufacturing Division worked with experts to examine and explain levels of adherence. The resulting study, “Implementing Cybersecurity in DoD Supply Chains,” released in July, highlights findings from a 2017 survey of small- and medium-sized businesses conducted by Michigan State University’s Department of Supply Chain Management, in coordination with NDIA members. The full study is available at ndia.org/divisions/manufacturing/resources.
Findings illustrate how defense suppliers struggle to respond to escalating regulatory pressure for enhanced cybersecurity. The report indicates that most respondents, especially small- to medium-sized suppliers, possess a poor understanding of the DFARS and NIST framework.
Although this finding may not surprise others in industry and outside observers, policymakers and defense officials responsible for crafting these rules and regulations should take the results seriously. Effective reform requires clearly understood rules and strong education efforts to streamline implementation; unfortunately, the department has thus far fallen short in delivering clear policy and effective education.
As the report suggests, when contractors are inadequately educated about the technical implications of new cybersecurity regulations, they make poor implementation decisions. Lack of clear policy and education on strategies to implement the new rules led firms to underestimate the cost of compliance.
Surveyed companies underestimated upfront compliance costs, the survey indicated; actual costs ran as much as 10 times higher than their estimates. This finding reinforces the need for a more streamlined and user-friendly set of regulations, and it also demonstrates the need to identify and share best practices and to inform companies of the benefits associated with cybersecurity investment.
The report also demonstrates the need for regulators to highlight the benefits of compliance-related investments. Currently, companies don’t view compliance as inherently good for their business; instead, they view compliance with the DFARS simply as the “cost of doing business” with the Defense Department.
This sentiment indicates a widespread undervaluing of the required cybersecurity protections, leading some firms to attempt minimal levels of compliance to limit impact on their budget. Lack of policy understanding, coupled with misunderstanding about return on investment, prevents companies from viewing cybersecurity as an integrated business process.
Alleviating cybersecurity compliance challenges will require action from both policymakers and industry. For government, the authors encourage a set of procedural reforms, including: the development of processes and tools to increase awareness of the need for a focus on cybersecurity; a simplified process for meeting the new DFARS requirement; and implementation of a certification process like ISO 9001 for cybersecurity across the supply chain.
These steps would clarify policy and regulations and provide tools to streamline compliance, encouraging and enabling industry to comply with regulations more easily, engage in cybersecurity protections more effectively, and predict and lower the costs of compliance more accurately.
The report encourages prime contractors to adopt a leadership role. Larger firms experience the impact of cybercrime more frequently than smaller firms, but it’s only a matter of time before bad actors target smaller companies. By developing compelling business cases for implementing cybersecurity measures and collaborating with their supply chain partners to establish systems that protect information at all levels, these firms are setting an important example for small- and medium-sized businesses.
Prime-level firms are also encouraged to incentivize implementation by rewarding companies that quickly and effectively meet standards. These practices will help to create a top-down forcing mechanism for smaller supply chain firms, requiring and enabling them to take protections seriously if they want to compete successfully in the defense market.
Finally, the report recommends small- and medium-sized companies improve their understanding of risk, recognize cybersecurity is a fundamental part of doing business inside and outside of the Defense Department, and realize they cannot outsource their company’s cybersecurity requirements.
These firms must accept responsibility for their cybersecurity and protection of their intellectual property, and thus prioritize protection throughout their businesses.
Corbin L. Evans is director of regulatory policy at the National Defense Industrial Association.