By Heather Engel, Sera-Brynn Chief Strategy Officer
Deputy Defense Secretary Patrick Shanahan said recently that the Defense Department needs a much higher standard of security, including across the Defense Industrial Base, and warned that a high bar for cybersecurity will be a condition of doing business.
For the last several years, defense contractors have been working to comply with DFARS 252.204-7012 by the December 31, 2017 deadline. Now that the deadline is past, what changes are still ahead for the government contracting community?
NIST SP 800-171 requires a System Security Plan and a Plan of Action and Milestones, and its incident response controls, together with the 72-hour cyber incident reporting obligation in DFARS 252.204-7012, mean a documented Cyber Incident Response Plan is needed for compliance with the acquisition regulations. Many defense contractors have struggled with full implementation because of culture, legacy systems, lack of resources, and lack of trained personnel. It is now clear that difficulty with implementation is no excuse, and the consequence of falling short is lost business.
All this comes as the Ohio Legislature is considering a bill that would provide a legal safe harbor to companies that can show "substantial compliance" with the NIST Cybersecurity Framework or another recognized industry standard. The bill specifically names NIST SP 800-171, FedRAMP, the ISO/IEC 27000 family, and FISMA. New York State last year put its own cybersecurity regulation in place for the financial services industry, and several other states have indicated plans to follow suit.
It makes sense to build a cyber program around a framework, but choosing the one that fits the organization and also satisfies its mandates is challenging. As the business scales, the program has to scale with it. The initial steps to develop or improve a cybersecurity program take time and money, and the results should be worth the investment and hold up as the business grows.
Overlapping regulations and crossover compliance obligations make it difficult to develop and implement a cybersecurity program that supports the business strategy, runs efficiently, and actually IMPROVES security rather than just checking boxes. Compliance is not going away, but a little effort up front will help CIOs sleep better at night.