Helping Defense Contractors Implement U.S. Government Cybersecurity Requirements
12 April 2017
I recently had the opportunity to moderate an extremely enlightening panel discussion on the cybersecurity requirements now in place for contractors, subcontractors and suppliers to the U.S. Department of Defense (DoD) for safeguarding and controlling the dissemination of sensitive, unclassified defense information. In fact, contractors and other nonfederal organizations with contracts, grants or other agreements in place with any department or agency across the entire U.S. government will be required to comply with similar cybersecurity requirements for controlled unclassified information (CUI) by the end of this year. If they have not already begun, organizations that do business with the U.S. federal government must start implementing the security requirements of NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," now or face serious risk to that business.
- One of the most challenging NIST SP 800-171 security requirements for contractors to implement is multi-factor authentication (MFA). Requirement 3.5.3 calls for MFA for local and network access to privileged accounts and for network access to non-privileged accounts on every system used to store, process or transmit sensitive defense information; in practice this means every user who reaches such a system over the network, and every administrator who logs on to it at all, must present a second factor, and a common gap in assessments is local administrative logons that were left out of scope. However, Dr. Ross pointed out that MFA has also been a challenge for many federal civilian government agencies. In his view, dedication and persistence, starting with leadership and spanning all users, are the key ingredients for organizations to successfully implement MFA across their IT networks and systems.
- NIST SP 800-171 should not be viewed as "just another regulatory or contractual obligation" with which to comply. Instead, it is a portfolio of best-practice security requirements, organized into 14 families such as access control, audit and accountability, identification and authentication, and incident response, that combine to guide nonfederal organizations in implementing a defense-in-depth security strategy. The same measures that protect the government's CUI protect a company's own intellectual property, which is of course good for business.
- Finally, a companion NIST SP 800-171 assessment guide is planned for publication later this year. It is intended to provide a consistent way of assessing whether each NIST SP 800-171 security requirement has been implemented, how much the measures in place reduce risk to sensitive information and systems, and where the effectiveness of security controls can be improved. This guide should be an extremely useful resource for helping contractors determine whether their NIST SP 800-171-based security efforts and investments are obtaining the desired outcomes.
Rick Comeau is a Security Advisor for the Intralinks Enterprise-Commercial Sales Team. He previously led the Center for Internet Security (CIS) program that develops consensus-based, secure configuration guidance and automatable assessment and remediation content, which is recognized as authoritative security guidance by leading standards bodies such as the National Institute of Standards and Technology (NIST) and Payment Card Industry (PCI) Security Standards Council.