The Department of Defense recently announced that it will soon start to hold non-government contractors to a higher standard of cybersecurity than ever before.
Information superiority — defined by Strategy& as “the ability to meet the information requirements of supported [military] forces with superior timeliness, relevance, accuracy, and comprehensiveness than can be achieved by an adversary” — has become an essential component of everything the U.S. Department of Defense (DoD) does.
In an attempt to augment its information superiority off the battlefield, the DoD has decided to adopt a set of 110 cybersecurity measures crafted by the National Institute of Standards and Technology (NIST). Non-government contractors are already required to “provide adequate security for covered defense information that is processed, stored, or transmitted on [their] internal information system or network,” but this requirement will be ratcheted up a notch once NIST Special Publication (SP) 800-171 goes into effect later this year.
To comply with this more rigorous approach to cybersecurity, contractors must submit a comprehensive System Security Plan (SSP) detailing exactly how they intend to meet the DoD’s stricter standards.
A Sprawling Set of Cybersecurity Standards
The DoD has published an in-depth series of guidance documents to help its contractors craft sufficiently strong SSPs. These documents list all of the new cybersecurity standards, how they differ from the provisions outlined in the previous set of standards (NIST SP 500-53), and how highly the DoD prioritizes each particular standard.
In its literature, the DoD sorts the NIST’s 110 cybersecurity measures into thirteen categories, each of which must be addressed in a contractor’s SSP: access control, awareness and training, audit and accountability, configuration management, identification and authentication, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
While creating a plan that attends to every item on this list might be daunting for a cybersecurity novice, many of the specific measures falling under these categories are quite familiar to an expert like Turn-key Technologies (TTI).
For instance, under the “configuration management” category, the DoD advises contractors to “establish and maintain baseline configuration and inventories of organizational systems (including hardware, software, firmware, and documentation),” as well as “control and monitor user-installed software.”
At TTI, we have decades of experience performing thorough network assessments for organizations in industries as diverse as healthcare, education, and petrochemical production. These assessments give our clients a clear understanding of their entire networking architecture, helping them eliminate performance-hampering chokepoints and address critical cybersecurity vulnerabilities.
Similarly, both our network assessments and our managed IT services help organizations contain any and all “shadow IT” while ensuring that employees’ clandestinely installed software doesn’t end up scrapping a high-value DoD contract.
Preparing for Continuous Compliance
Ultimately, the most important thing for current and prospective DoD contractors to remember is that the cybersecurity protocols underlying their SSPs are inherently dynamic. Complying with a sprawling set of standards like NIST SP 800-171 means being willing and able to adapt to new threats and update their best practices to meet the DoD’s directives.
Working for a government agency like the DoD has always come with an added layer of digital accountability, but in an age increasingly defined by the pursuit of information superiority, it has never been more important for organizations to heavily invest in robust cybersecurity systems.