Defense contractors — and all subcontractors—may be facing a rude awakening if they have not been keeping up with U.S. Department of Defense (DOD) cybersecurity compliance regulations. The department’s lenient “crawl, walk, run” strategy may leave negligent contractors with “run” as the only option. This is because the DOD felt obligated in 2019 to bring out the stick and announce that companies had 18 months to put in place the 110 cybersecurity controls that are intended to help keep contractors’ facilities and data safe from bad actors. Apparently, the DOD was not convinced contractors were taking “compliance by self-verification” seriously.
NIST SP 800-171 controls apply to federal government contractors and sub-contractors. If you or another company you work with has a contract with a federal agency, you must be compliant with this policy.”
Now time is running out for contractors who have been lax in their efforts to meet the regulations set forth in NIST SP 800-171, which provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). The standards detailed in those regulations must be met by anyone who processes, stores or transmits CUI for the DOD, General Services Administration (GSA), or NASA. There is no quick fix to meet the new standards. Depending on the size of the company, attaining compliance may take up to a year.
To help DOD contractors understand the many regulations they must be compliant with and learn how to take the initial steps that show good-faith efforts, El Camino College has developed the Defense Supply Chain Cyber Resilience Lab’s class. Taught by industry experts, this workshop provides contractors with all the materials and resources needed to guide them in the implementation of the new cybersecurity standards. For more information about DOD regulations and its expectations of contractors, we present the following Q&A with Larisa Breton, founder of FullCircle Communications and co-instructor of El Camino College’s Defense Supply Chain Cyber Resilience Labs.
Q: What experience do you bring to the Defense Supply Chain Cyber Resilience Labs class at El Camino College?
Larisa Breton: My background and experience in technology security goes back about 10 years. I have worked in program management in the Office of the Secretary of Defense for a national cybersecurity program that was congressionally mandated. I’ve worked on cybersecurity programming, policy development, policy evaluation, and implementation of cybersecurity regulations for Department of Defense services, bases, components and weapon systems.
Q: Why should a defense contractor take this class?
Breton: Defense contractors should take this class to become educated about the DOD’s cybersecurity regulations and what they are required to do to be in compliance. But more importantly, small businesses should take this class so that they learn to protect themselves against frequent and common cybersecurity attacks that can put them out of business.
We add tremendous value for our participants because we have already done the background research and assembled the materials that companies can use to demonstrate compliance with the DOD’s regulation. By using these materials, they are able to start conversations internally, perform some internal education, establish policies, or implement and change policies that they already have in order to tighten their cybersecurity.
We provide these resources to our students because, as small-business owners, we know the perpetual tug-of-war between time and effort, between convenience and better security, between resources and resource constraints. We want to save our students time, and we want to help them make strides toward compliance.
Q: Can you describe some of the cybersecurity events that might put a defense contractor out of business?
Breton: Common cybersecurity problems that can put a DOD contractor out of business include:
- A disgruntled current or former employee who takes action to compromise their organization’s cybersecurity
- Company data, which can include your customers’ information, that is exfiltrated or taken by a bad actor
- A bad actor uses your company’s network as an attack vector, which enables a hacker to exploit your system’s vulnerabilities, including the human element. This kind of attack can cause your company to be used as a landing pad to hop into another company’s system or network.
We teach contractors how to do sensible things inside their business that can help them to be more resilient, to defend themselves against common cybersecurity problems, and at the same time meet the requirements for the Department of Defense.
Q: What does a defense contractor, or a business that wants to become contractor, need to be doing to be in good standing with the DOD?
Breton: If you’re a current DOD contractor, or a company that wants to become one, you need to conduct an assessment of your operations, which needs to be performed against a special publication by NIST called 800 171. There are 110 different controls that you have to evaluate your company against. Then you need to show the DOD what you’re going to fix and have a specific plan to fix it, which is a called a plan of action and milestones (POA&M). When you submit those documents to the DOD, you become prequalified to bid on a DOD contract or to win one if you’ve already qualified.
For new DOD contractors the regulations have raised the bar to entry. It’s now even more challenging to jump through all of the hoops to successfully establish yourself as a DOD contractor. The enormous value we bring to participants is we understand the needs of those who want to become new contractors and the needs of a mature contractor. If a company is facing the double learning curve of how to become a defense contractor and how to be cybersecurity complaint, our class can help you with both.
The class was co-developed by me and Tony Lopez, Ph.D. As co-instructors, we both have deep technical acuity; therefore, we are able to help companies with where to start, how to start and how to approach some of the most common practices and difficulties that they will face as a small business.
Q: What is the urgency for a defense contractor to become compliant with recent DOD regulations?
Breton: Defense contractors should be taking DOD cybersecurity compliance very seriously for a few reasons. The first reason is that defense contractors have a moral obligation to attempt to secure the homeland to our best ability. The second reason is that the original regulations covering cybersecurity for defense contractors were actually implemented in 2018. So, if you haven’t taken any action to date, you’re now three years behind the curve. If your company is audited by the DOD, it will be very important that you are able to show effort and goodwill.
The third reason is that a defense contractor that has not implemented robust cybersecurity measures is at risk of having a cataclysmic security event that is so damaging operationally that they cannot continue to do business. Even if you can recover from such an incident, it’s likely there’s going to be action taken against your company by the DOD because you have had a period of three years to get your house in order.
Q: Even if you recover from a cybersecurity incident, can your reputation as a DOD contractor be ruined?
Breton: Anyone in the defense contractor ecosystem needs to be extremely careful. If you are awarded a contract and you’ve checked the box that asks if you are in compliance, but you have not implemented an appropriate cybersecurity program, you are putting your company at great risk. If you do have an incident and your operations manage to recover, your reputation will likely be ruined. It’s very difficult to put a dollar figure on what your reputation is worth, but in the aerospace and defense industries, your reputation is extraordinarily important for your ability to continue to win contracts and to perform in high-trust supply chains.
Q: Is there a lag time from when the DOD cybersecurity regulations go into effect until enforcement begins?
Breton: Frequently regulations are issued and then there’s a lag until enforcement begins. This allows contractors to take action and implement all the controls they can. Defense contractors should expect the DOD to go into enforcement mode over the next 24 months. That timeframe is noteworthy because it will take any size company between 12 and 24 months to establish its DOD-compliant cybersecurity program.
Q: How does the DOD enforce compliance?
Breton: The DOD uses audits to ensure that the defense industrial base is in compliance with cybersecurity regulations. But many services, such as the Navy, have already begun to implement more stringent regulations. An individual program office may choose to audit a contractor at any time for any reason. Therefore, contractors should not have a false sense of security that it’s going to be 24 months before a CMMC auditor comes their way; any company could get audited tomorrow by the Defense Security Service or by an individual component of the DOD.
Q: What would be a red flag that would alert the DOD to conduct an audit of a company?
Breton: Red flags include a major incident that you did not report to DOD and maybe reaches the news. Contractors are required to report any cybersecurity incident to the DOD and to individual customers. Failing to report an incident could be a red flag. If you are involved in a supply chain–related incident that hits the news, that’s a red flag. If you became a vector for an attack that occurs somewhere else in your supply chain you will be audited.
Q: What makes the Defense Supply Chain Cyber Resilience Labs class unique?
Breton: This class is unique because we, the instructors, run small businesses and we are also mature defense contractors. We know how to approach audits, and we know how to approach inspections and investigations. The way that we have laid out the resources we provide to our students will also help them approach their customers in a collaborative, constructive and cooperative fashion that is going to ultimately be more positive and more successful for them than if they wait and are defensive and try to hide or obfuscate what they’ve been doing.
Our class is unique because it’s a combination of a boot camp and a learning laboratory. We learn from each other, and you get the most recent and cutting-edge resources that are available to contractors, you get breaking information that can affect what your requirements are, and we do this in a small-class learning environment that was intentionally designed to work for adult learners. This isn’t a traditional classroom, desk, book and chalkboard kind of learning experience. We built it specifically for very busy, time-pressed business owners.
Q: Does the DOD consider taking a training class like the Defense Supply Chain Cyber Resilience Labs class as an act of goodwill toward cybersecurity compliance?
Breton: Yes. Every piece of training that you give to your company, that you take for your company, including our class, is a developed artifact that you can use to show the Department of Defense goodwill and good intentions. Other artifacts that you can develop are the resources that we provide you in class. We give you enough information and the road map that you need to create a successful system security plan.
Everything else that you do, all the articles that you forward to your employees or to your community, all of the classes that you take, all of the training that you may provide to your employees goes toward goodwill education and being a good partner to the Department of Defense.
For more information about the Defense Supply Chain Cyber Resilience Labs training classes at El Camino College, please contact:
Eldon R. Davidson
Director, Center for Customized Training
El Camino College – Business Training Center
13430 Hawthorne Blvd.
Hawthorne, CA 90250
Register now for the next Defense Supply Chain Cyber Resilience Labs training class that runs from August 9 to September 8, 2021.
California manufacturers may receive a $500 discount for this class if they qualify for the California Employment Training Program (ETP). To see if you qualify for ETP funding, go to https://elcaminobtc.com/workforce-development/, scroll down the page and click on the orange “ETP Program Info” button.
“ETP is proud to partner with El Camino College in support of their cybersecurity training for California’s businesses and its workforce. ETP sees investment in cyber training as critically needed as more and more businesses adopt Industry 4.0 technologies to drive productivity, efficiencies and competitiveness. Technological advances such as this, in a wider range of industry sectors, make a greater segment of our economy increasingly vulnerable to more advanced forms of cyber-attacks placing our nation and our economy at extreme risk. I cannot offer a stronger endorsement for the effectiveness of the cyber training provided through our long-standing partnership with El Camino College as they provide California workers and companies greater security in the face of global threats.”
Director of Economic Development
Employment Training Panel