Department of Defense Goal is to Streamline Enforcement for DFARS 7012 Compliance

The Department of Defense (DoD) may seek to outsource its supply chain cybersecurity audits by allowing third-party organizations to verify DFARS 7012/NIST SP 800-171 compliance. During a Jan. 29th Senate Armed Services Cybersecurity Subcommittee hearing on DoD's policies and threats, DoD CIO Dana Deasy said contractors were "an extension of what we do" and must be treated as a part of the DoD's own networks.

To help with these challenges, DoD is looking at a model in which an Agency or Prime Contractor would leverage a commercial certification process to validate a contractor's security posture against the NIST SP 800-171 standard. The DoD's goal is to find a better way to enforce compliance: move away from relying solely on self-certification and toward a process that evaluates and validates the self-assessments, then assigns confidence scores. To take it a step further, the DoD "is identifying and possibly even certifying companies that can play the role, that can follow the NIST standard, and actually go in and look at a second- or third-tier supplier," Deasy said.

There is precedent for this type of certification. GSA developed the Federal Risk and Authorization Management Program (FedRAMP), which relies on accredited third-party assessment organizations to evaluate commercial Cloud Service Providers and provides a marketplace of authorized cloud solutions that Federal Agencies can adopt. The FedRAMP marketplace promotes reuse of assessments, saving money and time for both Agencies and Industry.

"A lot of the problems that have occurred," Deasy said, "it does come back many times to basic hygiene." One point of interest in the hearing was the cyber intrusion protection challenge: the time it takes to

  • Detect,
  • Analyze,
  • Contain,
  • Eradicate, and
  • Recover from a breach. 

InfusionPoints leverages a proven monitoring and detection methodology to rapidly identify and eradicate breaches as they occur with our Virtual Network and Security Operations Center 360° (VNSOC360°).

We are seeing the DoD take action to move a DoD supply chain audit program forward, as we wrote about last week in the blog "DFARS Compliance Audits are Coming...Are You Prepared?"

What we are seeing in the DoD supply chain

We are seeing fundamental cybersecurity issues at all levels of the supply chain. We have worked with many organizations in the DoD supply chain, and we find that many of them are missing basic cybersecurity controls, including:

  • Policies and procedures
  • Firewall management
  • Monitoring and detection
  • Incident response
  • Access controls
  • Two-factor authentication

So what do YOU need to do?

Contractors who own or operate information systems that process, store, or transmit Covered Defense Information (CDI) need to do the following:

  • Review the security requirements outlined in NIST SP 800-171 to ensure their security implementation provides sufficient protection against a range of cyberattacks.
  • Conduct a gap assessment to understand which requirements they do not yet meet.
  • Develop a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) to remediate the identified gaps.
  • Develop a plan to track flow-down requirements for CDI to subcontractors.
  • Develop a plan to assess the compliance of your suppliers.

Implementing these security requirements is the first step toward compliance and can be a big undertaking for any business. Luckily, InfusionPoints' cybersecurity practice can ease this burden. Our proven DFARS/NIST Cyber Security Framework can help you meet the requirements and strengthen the cybersecurity posture of your information systems. For more information on protecting CDI, or to learn how InfusionPoints' consultants can help you and your team, please contact our team.

This is not a legal or contract opinion. If you have contract or legal questions, please reach out to your contracting officer or legal counsel for further clarification.