NIST Fleshes out Cyber Guidelines for Contractors
By DANIELLE LUCEY, Editor-in-Chief
NATIONAL HARBOR, Md. — Any contractor working in the defense industry must now comply with the National Institute of Standards and Technology’s (NIST’s) security requirements for protecting controlled unclassified information (NIST Special Publication 800-171) and the contracting rules that impose them, the Defense Federal Acquisition Regulation Supplement (DFARS). From prime contractors down to small businesses, these rules have implications for how every company in the supply chain must handle data.
The new requirements comprise 110 security requirements covering policy and processes, hardware and software configurations, and in some cases hardware purchases. They specify the outcome each company must achieve but not how it must be achieved, which gives companies flexibility to meet them without major investment, according to Vicki Michetti, director of the Defense Industrial Base Cyber Security Program Office under the Department of Defense Chief Information Officer.
For smaller businesses, standing up new hardware may be the biggest challenge. For large prime contractors, the harder problems are identifying which information counts as controlled unclassified information and ensuring it is handled correctly as it flows down the subcontractor chain.
Nearly every contract that does not call for commercial, off-the-shelf technology includes the DFARS clause, according to Mary Thomas, a program analyst in the office of the Director of Defense Procurement and Acquisition Policy within the Office of the Undersecretary of Defense. To comply, companies must be able to demonstrate transparently that they are meeting the security requirements or risk losing their authorization to operate.
“This isn’t about a plan,” said Kenneth Bible, deputy CIO of the Marine Corps. “This is about risk compliance. There is a responsibility to protect the Navy.”