The Secretary of the Navy recently released a Cybersecurity Readiness Review, which reports that the Navy and its contractors are “under cyber siege” from Chinese hackers as well as others. The review was also covered by the Wall Street Journal and the Navy Times.
Within the report, the Navy discusses the Defense Industrial Base (DIB) observations and vulnerabilities, saying:
“The Department has relied on long-standing security constructs based on information sharing and self-reporting to inform it of its supplier’s vulnerabilities and breaches. That after the fact system has demonstrably failed.”
The report also references an Assistant Secretary of the Navy (ASN) Memo that directs program managers to change “Contract Data Requirements Lists (CDRL) for new and existing contracts to reinforce DIB compliance and associated security controls.” The memorandum demands aggressive timelines for Covered Defense Contractors (CDC) to meet standards. Yet, despite the ongoing cyberwar, according to the report:
“The timelines have not been enforced, additional auditing requirements for security controls have not been instituted, permissions for naval law enforcement to scan partner networks have not been granted, and the theft of IP from the DIB relentlessly continues.”
The DoD CIO issued a similar memorandum providing guidance for CDRLs that reinforces the requirement for companies to make their System Security Plans (SSP) available and adds a requirement for top-tier companies to track the cybersecurity compliance of their subordinate companies. Yet there is no accountability for these requirements. The report concludes that “these failures to reform can only be remedied with aggressive action by Secretary and his Chiefs.”
We covered the ASN memo in our January blog post; it clearly signals that enforcement of DFARS 252.204-7012 and NIST 800-171 is coming. (For copies of the report or the ASN memo, contact us at firstname.lastname@example.org.)
With the cybersecurity of the DIB getting increased visibility both within the DoD and in the mainstream press, contractors will face a growing need to ensure their systems are not just secured but also meet the compliance requirements.
In addition to signals that the government will begin auditing compliance, we are also seeing more aggressive enforcement of flow-down clauses from prime contractors as they prepare for eventual audits.
We have dedicated our business to supporting the DIB in securing their environments and meeting their compliance obligations. Starting with Office 365 GCC High and extending that commitment through a full suite of management and monitoring solutions, we can work with you to protect your systems and meet your contractual obligations. For more information on how we can help, contact us at email@example.com.
Bill Wootton is the Founder and President of C3 Integrated Solutions, a full-service IT provider based in Arlington, VA, that specializes in securing our nation’s Defense Industrial Base through cloud-based solutions and industry-leading partners. Bill is passionate about bringing cyber-awareness and cyber-maturity to the nation’s Defense Industrial Base, working with clients to help them achieve CMMC and NIST 800-171 compliance by providing MSP, security and Office 365 integration services.