NVTC’s newest guest blog post from Exostar explains why new government regulations are giving organizations a fresh concern when it comes to cybersecurity. Exostar’s Senior Vice President of Product Development Vijay Takanti will be part of the panel discussion, NIST 800-171: Is the Government Paving the Way for Commercial Security? at the 2017 Capital Cybersecurity Summit November 14-15.
Cybercrime is on the rise, and could cost businesses over $2 trillion by 2019. These losses could be the result of outright theft, lost productivity, impact to customer confidence or costs associated with repairing breaches. But a new, equally ominous risk associated with cybersecurity is emerging for both government contractors and downstream commercial businesses—the risk of losing current and future contracts due to non-compliance with new government standards.
Department of Defense contracts now include a clause, DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” The new clause requires contractors (and their extended supply chains) to implement NIST SP 800-171 cyber safeguards by December 31, 2017 – or at least have a coherent plan for doing so.
NIST SP 800-171 is a set of 110 security controls regulating the handling of sensitive (but not classified) data. Most organizations in the aerospace and defense industry are well aware of these standards and their application to the DFARS mandate by now. However, other organizations, who don’t work directly with the government, may get pulled into NIST 800-171 compliance because of the global, multi-tiered nature of prime contractors’ supply chains.
Keep in mind that the supply chain on any given project can include hundreds or even thousands of suppliers who are privy to controlled defense information (CDI). As the volume of suppliers and the information they exchange rises, the more vulnerable they are to cyber-attack and CDI compromise. Even small pieces of information need to be protected at all times.
The NIST 800-171 rules are designed to best protect this sensitive information as it moves across every level of the supply chain. If even one link in the chain is insecure, it could spell trouble for all parties participating on a government program. Officially, the government can start including NIST 800-171 compliance as a requirement for contracts once the rules are in effect. If organizations are not compliant, they will not be able to bid on those contracts, and existing contracts could be in jeopardy.
Organizations that are not compliant with these new cybersecurity controls run the risk of losing out on business, as primes and larger suppliers select preferred vendors who can demonstrate proper cybersecurity hygiene.
The deadline is looming. Mitigate the latest cybersecurity risk by understanding and implementing the NIST 800-171 security controls now, or find a qualified partner to help you do so.