Cyberattacks against the US military aren’t uncommon, but cyberattacks against military contractors worry defense officials the most. While defense contractors may be party to closely-guarded military secrets—such as designs for advanced weaponry, vehicles, and equipment—they may not be able to marshal the same level of cyber defense.
- During the Iran crisis of January 2020, defense officials openly worried that Iranian APT groups would infiltrate smaller U.S. defense contractors as part of their retaliation strategy.
- In March 2020, defense contractor Visser Precision Manufacturing—a supplier to Lockheed Martin, SpaceX, and Boeing—was subject to a ransomware attack. Documents stolen alongside the ransomware attack were posted on the open web.
- In June 2020, a Northrup Grumman subcontractor—in charge of providing maintenance and engineering services for the Minuteman III nuclear-tipped ballistic missile—experienced a cyberattack that saw the theft of confidential payroll and personnel documents.
There’s a clear pattern here, with attackers not engaging with primary defense contractors, but rather the small and medium-sized businesses that support them.
While the Defense Federal Acquisition Regulation Supplement (DFARS) mandates that all defense contractors maintain a certain level of information security, many SMBs with military contracts often scramble to keep up with its requirements. With the consequences of a cyberattack looming on one side and the consequences of violating DFARS regulations looming on the other, how can small to midsize businesses have room to navigate?
What Do DFARS Regulations Entail?
DFARS Regulations are based on an NIST Special Publication known as NIST SP 800-171. It lays out one of the most common scenarios in the world of defense contracting, in which a contractor or contractor has access to what’s known as Controlled Unclassified Information (CUI). While this information isn’t as secret as special forces operations or experimental aircraft designs, only a small number of people should have access to it.
In order to make sure that this information is secure enough, the Defense Federal Acquisition Regulation Supplement requires defense contractors to implement the recommendations of NIST SP 800-171. Even contractors that aren’t necessarily part of a DoD supply chain, but instead service the General Services Administration, NASA, or other government agencies may still have to comply with NIST SP 800-171. This compliance is usually enforced via audits.
Information security audits related to DFARS or NIST SP 800-171 will look for the following:
- Incident Analysis and Reporting
If someone hacks (or tries to hack) your network, will you be aware of it? Will you be able to understand how the attack occurred? Do you have an incident response plan? Who will you report an incident to in the event of a successful breach? - Protocol Adoption
The controls of NIST SP 800-171 aren’t loose. The regulation describes 14 separate areas and 79 specific security protocols to follow. Areas include access control, security awareness training, audits, configuration management, IAM, incident response, maintenance, and more. - Information CoverageYou need to cover all of the CUI that you hold (plus also Controlled Technical Information, OpSec Information, Export Controlled Information, and anything else that your contract asks you to protect. The sticking point is that this information must be protected regardless of its location, which means that you need to keep track of it. Even though some CUI got left in a file on a server you forgot about, for example, you still have an obligation to protect it.
These are all good, commonsense regulations that will provide an excellent foundation for your information security efforts if you follow them. Unfortunately, many SMB military contractors and subcontractors aren’t fully equipped to comply.
Why Is it Difficult for SMBs to Comply with DFARS Regulations?
If you suffer a data breach, you will not be automatically subject to penalties under DFARS—but you might get subjected to a DFARS audit. If this audit finds that something is out of place, you could get hit with any number of consequences:
- You might be asked to stop work on the contract until the DFARS problem is fixed.
- Your business might lose the contract altogether.
- You might be subject to penalties for breach of contract.
- You might be permanently barred from working with government agencies.
All of this could easily destroy your business—so why are DFARS violations allowed to persist in the first place?
While complying with DFARs is important, it’s not the core of anyone’s business, and if you’re an SMB, it’s a cost center that you can ill-afford. For example, you might have only a few full-time IT personnel. Or your IT staff are probably more focused on patching software and setting up computers—they may have little experience with information security.
Meanwhile, hiring an FTE with security experience—or a CIO/Chief Information Security Officer —may be beyond your means. Even if you take this step, the cost of new personnel is the tip of the iceberg in terms of security expenses, because you’ll also need new tools and infrastructure as well. Lastly, there’s the nagging possibility that even if you conduct a completely good-faith effort to secure your CUI and other sensitive data, you might still forget to check a DFARS box and fail your next audit.
If you’re a business leader at an SMB military contractor, you don’t want to get hacked, but you also want to focus on your core business priorities without getting sidetracked by security. So, what do you do?
DFARS Is a Moving Target—Charles IT Can Help You Hit It
Even if you think you’re already prepared for DFARS, you should be aware that it’s about to change again. DFARS itself is about to shift to what’s known as CMMC certification, a third-party certification standard that will prevent businesses from self-certifying. In order to bid on RFPs late 2020, you’ll need to have passed a CMMC audit.
Fortunately, Charles IT can help guide you through the changing shape of DFARS regulations. We offer reliable IT expertise at a lower cost than building a capability from the ground up, and what we offer includes a thorough knowledge of DFARS. We can help you build an information security infrastructure that will pass your next audit and protect your data at the same time. Contact Charles IT and start a DFARS assessment today!
