I recently had the opportunity to moderate an extremely enlightening panel discussion on the cybersecurity requirements now in place for contractors, subcontractors and suppliers to the U.S. Department of Defense (DoD) for safeguarding and controlling the dissemination of sensitive, unclassified defense information. In fact, contractors and other nonfederal organizations with contracts, grants or other agreements in place with any department or agency across the entire U.S. government will be required to comply with similar cybersecurity requirements by the end of this year. If they have not already begun, organizations that do business with the U.S. federal government must start implementing the security requirements of NIST Special Publication 800-171 now or face serious risk to that business.
Admiral Tom Atkin, a retired U.S. Coast Guard Rear Admiral and former Acting Assistant Secretary of Defense for Homeland Defense and Global Security in the Obama administration, opened the event with his views on the sophisticated cyber threats facing our government and contractor community, based on his direct national security leadership experience. Admiral Atkin’s message was consistent with the one government officials have been sending for some time now, a message that has, unfortunately, been validated by successful cyber exploitations of our defense industrial base. Foreign adversaries are increasingly targeting the U.S. defense industry with the aim of diminishing or eliminating U.S. military technological superiority, as well as developing countermeasures against U.S. and allied weapons systems. The potential, real-world scenario of an F-35 fighter pilot already being at a disadvantage because of enemy countermeasures developed through sensitive information stolen during a past cyber exploit of a defense contractor resonated deeply with the audience. This is precisely why the DoD is requiring comprehensive cybersecurity measures, most notably those specified in NIST SP 800-171, for the defense contractor community.
Dr. Ron Ross, Fellow at the National Institute of Standards and Technology (NIST), provided a vast wealth of knowledge to event attendees, as well as practical information they could take back and immediately apply to their NIST SP 800-171 requirements planning and implementation efforts. Dr. Ross is the lead author of many NIST standards and guidelines that not only form the bedrock of U.S. federal government cybersecurity and risk management policy, but also reside at the center of security frameworks leveraged by public and private sector organizations around the world. Just one example of Dr. Ross’ work is NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations. The purpose of NIST SP 800-53 is to provide a comprehensive portfolio of system security controls, tailorable to system and information risk, for enabling U.S. government agencies to comply with the Federal Information Security Modernization Act, or FISMA. Dr. Ross is also the lead author of NIST SP 800-171, which is derived from NIST SP 800-53 but focused squarely on those controls necessary for maintaining confidentiality of sensitive government data held by nonfederal organizations.
The panel also included Matt Mitchell, Vice President, Cyber Resilience at Stroz Friedberg. Mr. Mitchell provided insights based on what he’s seen over nearly 20 years of helping improve the cybersecurity resilience of organizations in both industry and government. The DoD’s particular focus and requirements for contractor cyber-incident detection and response are an area in which Mr. Mitchell provided excellent guidance to attendees. He stressed the importance of testing and retesting incident response policies, processes and procedures. Only by thoroughly and continually testing incident response capabilities will any organization and its key personnel be able to respond appropriately during an actual cyber incident, particularly a significant cyber attack or compromise.
The small group that gathered for the event benefited from unparalleled insights and recommendations for optimizing NIST SP 800-171 implementations. A few noteworthy and valuable points made by Dr. Ross and others on the panel included:
- One of the most challenging NIST SP 800-171 security requirements for contractors to implement is enabling network-level multi-factor authentication (MFA) of users to all systems used to store, process or transmit sensitive defense information. However, Dr. Ross pointed out that MFA has also been a challenge for many federal civilian government agencies. In his view, dedication and persistence – starting with leadership and spanning all users – are the key ingredients for organizations to successfully implement MFA across their IT networks and systems.
- NIST SP 800-171 should not be viewed as “just another regulatory or contractual obligation” with which to comply. Instead, it is a portfolio of best-practice security requirements that combine to guide nonfederal organizations in implementing a defense-in-depth security strategy. NIST SP 800-171 is intended to help companies protect intellectual property, which is of course good for business.
- Finally, a NIST SP 800-171 assessment guide is planned for publication later this year. It will provide metrics for assessing NIST SP 800-171 security measures’ impact on reducing risk to sensitive information and systems and for improving the effectiveness of security controls. This guide should be an extremely useful resource for helping contractors determine whether or not their NIST SP 800-171-based security efforts and investments are obtaining the desired outcomes.