A new era of vigilant cybersecurity defense is essential for our internet-dependent nation. As news headlines regularly report massive cyberattacks that compromise consumers’ personal data and the networks of government agencies, organizations must shift their mindset from prevention alone to readiness for the attacks that get through. This is especially true for U.S. Department of Defense (DOD) contractors.
How sustained and extensive is the onslaught of hackers’ efforts? Consider the following commentary by Washington Technology: “In 2010, for example, the state of Utah, home to some critical data infrastructure utilized by US intelligence, was experiencing between 25,000 and 80,000 attacks each day. By [2020], they were seeing peaks of more than 300 million a day, mostly from botnets searching for signs of weakness in government computer programs. Most were fended off, but not all.”
If you are a DOD contractor (or subcontractor) of any size, you must assume you are a target. New DOD cybersecurity compliance regulations detail what is expected from all businesses doing work for the federal government. But how feasible is it for a small- to medium-size organization to attain compliance?
To assist defense contractors, El Camino College is offering workshops for small- and medium-size companies that will help them understand the steps they need to take to move toward attaining cybersecurity compliance. The curriculum for the workshops — called the Defense Supply Chain Cyber Resilience Labs — was developed with the input of industry experts.
During the workshops, participants gain an understanding of the DOD cybersecurity requirements that will help keep their business in good standing as a contractor with the federal government. Each participant will learn the fundamentals of creating a compliant System Security Plan (SSP) and Plan of Action and Milestones (POA&M) that document policies, and will create a projected schedule for implementation of the controls mandated by DOD regulations. The course has been designed to engage participants in hands-on activities, providing them with working time and one-on-one instructor guidance to successfully complete each core segment of the program.
“In response to the needs of California’s defense contractors, El Camino College has joined with industry experts to design cybersecurity workshops that help small- to medium-size businesses understand DOD regulations and how to progress toward compliance with them.”
— Jose Anaya, Dean, Community Advancement, El Camino College
To provide more detailed information about the workshops and the regulations that DOD contractors must be in compliance with, we present the following Q&A session with Tony Lopez, Ph.D., one of the instructors for the Defense Supply Chain Cyber Resilience Labs.
Q: What is your background and industry experience?
Tony Lopez, Ph.D.: I graduated from Cal State San Luis Obispo in 1975 with a mechanical engineering degree with a specialization in mechanical engineering and technology. I worked in marketing and business development for several years with various defense contractors here in San Diego. I started to teach and found that I really enjoyed it. After two years of teaching, I decided to get a Ph.D. in business administration with a concentration in computer science. After completing my dissertation, I worked as a contractor program manager for NASA’s Site for Online Learning and Resources (SOLAR) program supporting the development of the system.
For the last 16 years I worked at INDUS Technology, a DOD contractor that specializes in engineering, information technology and cybersecurity. I worked my way up to vice president of business development and information systems. Then, around 2014, I became the chief information security officer for the company. During that time, I was responsible for cybersecurity compliance.
After retiring from INDUS, I formed my own company called Spearhead Training Enterprises. Now I’m basically doing training for El Camino and other organizations. I also support INDUS and other companies with their cybersecurity efforts and defense cyber requirements training and efforts.
Q: When did you start as an instructor with the Business Training Center at El Camino College?
Lopez: El Camino College was looking to expand their online learning programs. The college had received funding from the California Advanced Supply Chain Analysis and Diversification Effort (CASCADE), which is an initiative funded by the DOD to bolster California’s defense supply chain cybersecurity resilience. I worked with Jose Anaya, dean of community advancement at El Camino College, and Ms. Larisa Breton of FullCircle Communications to modify the curriculum for an online version of the Defense Supply Chain Cyber Resilience Labs training class. The initial classroom version of the training was developed for the South County Economic Development Council (SCEDC) and the City of San Diego, under a CASCADE grant. In September 2020, we taught the first cohort online and it was a great success. I enjoyed the interactions with the students.
Q: What are the core learning objectives for that class?
Lopez: The class provides the background and understanding of the DOD cybersecurity compliance requirements and what a small-business contractor needs to do to be able to meet those requirements. We cover the requirements set forth by the National Institute of Standards and Technology (NIST), which is a department under the United States Commerce Department. Specifically, we cover NIST 800-171r2, which are the requirements that any non-federal computer system must follow in order to store, process or transmit Controlled Unclassified Information. We also cover critical Defense Federal Acquisition Regulations (DFARS) including DFARS 7010, 7012, 7019, 7020 and 7021, some of which were issued in November of last year.
We provide students with an understanding of the NIST Assessment Methodology and how to apply it to their organizations. And then we familiarize them with the Cybersecurity Maturity Model Certification (CMMC) process, which is one of the most pressing cybersecurity compliance issues for DOD contractors.
“CMMC stands for ‘Cybersecurity Maturity Model Certification’ and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.”
— Office of the Undersecretary of Defense
Related to the CMMC, we teach them about the essential controls they are going to need to put in place to protect their IT infrastructure and organization, and to be ready for a CMMC assessment. It is important to note here that the information we provide is not an assessment; it is only general information about the CMMC requirements and controls. We also talk about important concepts such as risk management, configuration management and incident response, which are probably three of the most critical NIST elements and controls that contractors must know and understand.
One of the great benefits of taking the class is we give students the critical resources and information they need so they don’t have to spend untold hours searching for it. There are a lot of documents a contractor needs to read and understand to be able to meet DOD requirements. These documents are typically in excess of 100 pages and are very detailed and complex. We bring it all together for our students.
Q: It sounds like there are a lot of complex regulations surrounding cybersecurity compliance that a defense contractor needs to be aware of and in compliance with.
Lopez: Yes. I worked on a research study for the National Defense Industrial Association (NDIA), San Diego Chapter, which involved producing a study that looked at how all these regulations and requirements were impacting small business. We found that the majority of the small businesses participating in the study — ones that were anywhere from two to 50 employees — were struggling to try to meet the requirements, but more importantly, they were struggling to understand what the requirements were about.
The whole idea for the Defense Supply Chain Cyber Resilience Labs training class developed by El Camino College was to provide small- to medium-size defense contractors with the resources and materials they need to be able to meet the requirements. During the class, we provide students with over 40 essential documents that we’ve compiled so they don’t have to go search for them. We tell them which documents are important and which ones have the highest priority.
We emphasize to our students that the crux of a compliance strategy is having an SSP in place, which includes a POA&M. Right now, under current DOD NIST 800-171r2 requirements, you must demonstrate that you have an SSP and POA&M to demonstrate your company’s compliance with the requirements.
Q: What happens if a contractor is found to be not in compliance? Are they given a period of time to get in compliance, or is there an immediate repercussion?
Lopez: The upshot is that DOD is currently using a “crawl, walk, run” strategy because they realize that having all 110 controls in place is a huge undertaking, especially for small businesses. Therefore, the bottom line is the DOD is willing to give defense contractors the opportunity to achieve compliance. Remember, the DOD does not penalize contractors acting in good faith but does expect progress to be made in meeting NIST 800-171 requirements. The key is to work in partnership with DOD. Make sure you are actively taking steps toward being in compliance.
Q: Can you give examples of what some of those controls are?
Lopez: Controls are part of a strategy or set of actions that need to be put in place to protect the systems, information and data of an organization. For example, personnel security relates to how you’re going to protect personnel within your organization. For that control, you need to develop policies and make them available to the employees so they understand what they can and cannot do.
Another example would be facilities security. Do you have cyber locks on your data center doors? Do you have an alarm system and is it monitored? What kind of badging requirements do you have for your personnel? In other words, how are you protecting your facility?
Incident response is another control, which deals with how you are going to respond to a cybersecurity incident when it occurs. Having an incident response plan is a requirement of DFARS.
Q: What is the composition of a typical class? What are the titles of the students?
Lopez: We have seen everything from the owner of the company to CEOs, presidents, directors and managers. In terms of IT professionals, they range from the people who maintain networks all the way up to CIOs and CISOs — the individuals that are really leading the department. So, it’s been quite a spectrum of people.
Q: Do your students come from a wide range of company sizes?
Lopez: Very much so. We’ve had one-person consulting companies and we’ve had large companies. In one workshop we had the chief technology officer from a company with 5,000 employees at locations throughout the country. We have had people who are tremendously knowledgeable about IT and security but don’t fully know DOD cybersecurity compliance requirements, which is the reason they were taking the class.
Q: What are the levels of employees within a company that need to be participating in maintaining cybersecurity compliance?
Lopez: Everybody from the owner and CEO to administration support staff. Really, anybody in the company who opens and sends email. They need to be trained and have an understanding of what to open and what not to open, because you could proliferate a virus that could shut your company down.
Executives have to make the critical decisions related to risk. Understanding the requirements and the various NIST 800-171 controls helps them make better decisions about how much risk the organization is willing to tolerate and how much money they want to invest to meet those requirements.
Managers need to understand the entire range of cybersecurity protocols because they need to make sure their employees are following all the policies and procedures required to stay secure. And then finally, most critical to the whole process, of course, are your IT personnel and those that are responsible for making sure that the systems are protected. They are the ones responsible for physically implementing the controls.
Q: Is creating an SSP a big undertaking for a defense contractor?
Lopez: Yes. It tends to be a lengthy document because you have to have a clear understanding of your systems, then create policies and other documentation to meet the 110 controls. In addition, you have to document how you’re going to meet those specific controls within the plan. So, it’s not a simple document to write and it’s one that requires involvement of a lot of different departments and executives within the organization.
Q: Does the Defense Supply Chain Cyber Resilience Labs training class help students lay the foundation to create the SSP?
Lopez: Very much so. As a matter of fact, we have what we call a pre-lab assignment, which is a three-page document that takes students through the process of conducting a preliminary self-evaluation. As a part of that assignment, students create a description of the systems within their organization. That description becomes the first part of their SSP. We then talk about how their policies are related to meeting the 110 controls that eventually must be in place. The class gives students an initial start on developing an SSP and a POA&M, which are critical to their company’s role as a DOD contractor.
Q: Why should a defense contractor consider taking the Defense Supply Chain Cyber Resilience Labs class at the Business Training Center?
Lopez: I would tell any DOD contractor that if you want to continue doing work with DOD, it’s critical that you have a good understanding of the various cybersecurity requirements and regulations. This class will provide you with the resources, the background information, the documentation and the general information needed to help you get on the right path to meet those requirements. And that, to me, is really the crux of it.
I will tell you that I have met DOD contractors who were not even aware that a NIST assessment was due last November. Additionally, they were not aware of the methodology to complete that assessment. I tell these contractors they need to show the DOD they are taking steps to complete the assessment. If you are overwhelmed by it all, we recommend taking this class. It will help get you on track to keep your good standing with the DOD. Your business and its reputation depend on it.
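The interview refers several times to the NIST SP 800-171 DoD Assessment Methodology (the assessment that was due in November 2020), to the 110 controls, and to deciding which open POA&M items have the highest priority under a “crawl, walk, run” approach. The Python below is an added example for this page, not code from the course, from El Camino College or from DOD: it scores a constructed POA&M the way that methodology does (start at 110, deduct each unimplemented requirement’s weight, allow a reduced 3-point deduction only for partially implemented multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), and produce no score at all when no SSP exists) and then ranks the open items by points recoverable. The weight table is the editor’s recollection of a dozen entries from the methodology’s Annex A and is an assumption to verify against the current published document before any score is reported; the sample POA&M is constructed, not a real contractor’s.

```python
"""Score a NIST SP 800-171 self-assessment from a POA&M.

Added example for this page; not code from the course or from DOD.
The weights are the editor's recollection of a subset of the DoD
Assessment Methodology's Annex A: an assumption to verify, not page content.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Points deducted when a requirement is NOT implemented (Annex A subset,
# assumed from memory; the full methodology covers all 110 requirements).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.3.1": 5,    # create and retain audit logs
    "3.4.1": 5,    # baseline configurations
    "3.5.3": 5,    # multifactor authentication
    "3.6.1": 5,    # incident-handling capability
    "3.11.2": 5,   # vulnerability scanning
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # flaw remediation
}
# Only these two requirements earn a reduced deduction when partially met;
# any other partially implemented requirement is scored as not implemented.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

MAX_SCORE = 110    # every requirement implemented
MIN_SCORE = -203   # every requirement unimplemented

VALID_STATUS = ("implemented", "partial", "not_implemented")


@dataclass
class PoamItem:
    """One Plan of Action and Milestones line: a requirement, its status,
    and the milestone that closes it."""
    control: str
    status: str
    milestone: str = ""


def deduction(item: PoamItem) -> int:
    """Points this POA&M item currently costs under the methodology."""
    if item.control not in WEIGHTS:
        raise ValueError(f"requirement {item.control} is not in the weight table")
    if item.status not in VALID_STATUS:
        raise ValueError(f"unknown status {item.status!r} for {item.control}")
    if item.status == "implemented":
        return 0
    if item.status == "partial" and item.control in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[item.control]
    return WEIGHTS[item.control]


def score_assessment(items: List[PoamItem], ssp_exists: bool = True) -> Optional[int]:
    """Return the assessment score, or None when no SSP exists (3.12.4):
    without a system security plan the methodology yields no score at all."""
    if not ssp_exists:
        return None
    score = MAX_SCORE - sum(deduction(item) for item in items)
    return max(score, MIN_SCORE)


def prioritize(items: List[PoamItem]) -> List[Tuple[str, int]]:
    """Open POA&M items ordered by points recoverable, highest first:
    the order that lifts the reported score fastest."""
    open_items = [(item.control, deduction(item)) for item in items if deduction(item) > 0]
    return sorted(open_items, key=lambda pair: pair[1], reverse=True)


# Constructed sample POA&M (hypothetical small contractor, not real data).
SAMPLE_POAM = [
    PoamItem("3.5.3", "partial", "Extend MFA from VPN to all user logins"),
    PoamItem("3.13.11", "partial", "Replace non-FIPS VPN crypto module"),
    PoamItem("3.11.2", "not_implemented", "Start monthly authenticated vuln scans"),
    PoamItem("3.1.3", "not_implemented", "Document CUI flows; enable DLP on mail"),
    PoamItem("3.1.5", "partial", "Remove local admin rights from workstations"),
    PoamItem("3.3.1", "implemented", "Central log collection in place"),
]

if __name__ == "__main__":
    print("score:", score_assessment(SAMPLE_POAM))
    for control, points in prioritize(SAMPLE_POAM):
        print(f"{control:8} recover {points} points")
```

Because only a subset of the weights is encoded, `deduction` rejects a requirement it does not know rather than silently scoring it as zero; fill the table from Annex A before running it over a real POA&M. Note that a partially implemented requirement other than 3.5.3 or 3.13.11 (here 3.1.5) costs its full weight, which is the rule most often missed in self-assessments.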
For more information about the Defense Supply Chain Cyber Resilience Labs training classes at El Camino College, please contact:
Eldon R. Davidson
Director, Center for Customized Training
El Camino College – Business Training Center
13430 Hawthorne Blvd.
Hawthorne, CA 90250
[email protected]
Register now for the next Defense Supply Chain Cyber Resilience Labs training class that runs from August 9 to September 8, 2021.
California manufacturers may receive a $500 discount for this class if they qualify for the California Employment Training Program (ETP). To see if you qualify for ETP funding, go to https://elcaminobtc.com/workforce-development/, scroll down the page and click on the orange “ETP Program Info” button.
“ETP is proud to partner with El Camino College in support of their cybersecurity training for California’s businesses and its workforce. ETP sees investment in cyber training as critically needed as more and more businesses adopt Industry 4.0 technologies to drive productivity, efficiencies and competitiveness. Technological advances such as this, in a wider range of industry sectors, make a greater segment of our economy increasingly vulnerable to more advanced forms of cyber-attacks placing our nation and our economy at extreme risk. I cannot offer a stronger endorsement for the effectiveness of the cyber training provided through our long-standing partnership with El Camino College as they provide California workers and companies greater security in the face of global threats.”
Robert Meyer
Director of Economic Development
Employment Training Panel