Contractors are expected to pay closer attention to security in order to do any business with the Pentagon. Katie Arrington, chief information security officer of the Pentagon’s acquisition policy office, is looking for “a change of culture” in the acquisition bureaucracy in the U.S. Department of Defense. The new standards for cybersecurity will require all contractors to have a baseline level of cybersecurity. Companies with more sensitive data will be required to implement higher and more complex security measures. Arrington is confident that changes with contractors will be made but also recognizes that it won’t be fixed overnight. “It’s going to take time,” Arrington said, “it’s going to be painful, and it’s going to cost money.”
This leaves the question- how can contractors be prepared for these new standards? If companies are caught selling insecure products, they will face steep fines from the government. This makes it imperative for contractors to set a baseline of cybersecurity and add necessary layers. But what does this look like?The DoD addresses their plans and requirements in the NIST SP 800-171 Security Requirements. Here’s a brief overview of four important requirements that contractors need to be aware of.
It’s vital to manage and understand who’s working on your network. It’s unnecessary and unwise to give full access to all employees. Each department should only have access to the data that is necessary for them to do their job sufficiently.
Chief information security officers should monitor and keep record of the credentials that users within each department have.If a user gains access to data without authorization, the company must take action to enforce ramifications for compromising network security.
Another way to manage access control is by limiting the number of unsuccessful login attempts. This protects the system from unwanted visitors as well asbrute force attacks. Companies must also protect wireless access by using authentication and encryption. Protecting wireless access also means controlling the connection of mobile devices. The wide variety of mobile devices makes them a large threat to gain unauthorized access if they are not properly contained.
Awareness and Training
Many employees are unaware of the threat they present to protecting sensitive company information. This is simply because most employees lack the proper awareness needed to make them a strong first line of defense for the network. The DoD now requires their contractors to implement a cybersecurity employee training and awareness policy. User awareness and training is necessary for a multitude of reasons. The main being that most cyber breaches are caused by users who are unaware and uneducated on good cyber practices.
Along with training employees, it’s also important for companies to know how secure their network is based on user security. Running phishing simulations and risk assessments can help set a gauge of network vulnerability and which employees put the company at risk.
All systems are subject to a variety of cyber threats. Companies must be prepared at any given time for a cyberattack. This includes establishing proper preparation, detection, analysis, containment and user response activities. Sometimes incidents are unavoidable, but they should never be left unattended. Tracking, documentingand reporting any incident to company management or the proper authorities is the best response. Companies must also run incident response drills to test the capabilities of their policies and procedures. This prevents anyone in the organization from being unprepared in the case of an event.
System and Information Integrity
Integrity provides the assurance to know that system information has not been meddled with or damaged by errors in the system, and users must report system flaws in a timely manner. Companies should take responsibility for system flaws and make necessary changes as quickly as possible. This includes protecting the system from malicious code with antivirus software, as well as monitoring security alerts and system updates.
Arrington and the DoD will continue to crack down on contractors until their standard is met. Access control, awareness and training, incident responseand system and information integrity are the areas where contractors who intend to keep doing business with the Pentagon should focus. Arrington has acknowledged the lack of cybersecurity awareness among defense companies and the struggle of implementing network security. Arrington is right saying that implementing these standards will be a painful task. If your company needs assistance with these areas, NXTsoft’s ThreatAdvice vCISO can help.