Due to increased concerns about cyberattacks, any manufacturer, either an OEM or a tiered supplier, contractually doing business with the Department of Defense (DoD), General Services Administration (GSA) or NASA must be compliant with defined cybersecurity requirements no later than December 31, 2017. The regulations apply to Controlled Unclassified Information (“CUI”) and are spelled out in the DFARS-referenced NIST Special Publication 800-171 Rev. 1 (https://doi.org/10.6028/NIST.SP.800-171r1).
The cybersecurity requirements fall into 14 categories:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection and Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
While this can all seem a bit overwhelming, it is manageable with a well-thought-out approach: first assess where the organization currently stands in terms of compliance, then address each gap either through remediation or by adding compensating controls.
If you’re looking for a partner to help you work towards compliance, we’d be happy to discuss Risk and Security Assessments, User Security Awareness Training, Vulnerability Scans, Penetration Testing and technology solutions that make the secure administration, monitoring and auditing of the CUI environment more manageable.