Time to Integrate NIST Guidelines Into Enterprise Security Is Now

Leaders on both sides of the aisle appear to agree that cybersecurity is, and must continue to be, a key focus of national security planning and risk assessment.

But there’s a split already apparent under the new Trump administration, involving the National Institute of Standards and Technology. NIST isn’t usually mired in partisan politics, but nor is NIST a regulatory agency— and that is becoming the gist of the issue.

On March 1, a Congressional committee approved a measure that would have NIST “evaluate and audit federal agencies’ adoption of the cybersecurity and technology guidelines,” according to The Hill publication.

NIST first published their cybersecurity guidelines in 2014, a project begun at the behest of the president at the time, and have continually updated them ever since. The goal is “to develop a voluntary framework to help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid.”

But the mission was never regulatory. Republicans cited the proposed bill as a way to shake up how cybersecurity issues are currently handled. And the bill appears to align with draft guidelines circulating out of the White House, that call for NIST guidelines to form a framework for evaluating the cybersecurity plans of federal agencies.

But Democrats, and along with cyber experts, note that NIST isn’t a regulatory agency. It’s one thing to publish suggestions and guidelines, but a completely different level of engagement and budget to take on the development of security metrics, plus active oversight of a host of federal agencies. Should that not fall under the Office of Management and Budget or the Department of Homeland Security?

The bill’s requirements ”jibe with some elements of a draft cybersecurity executive order that would mandate that agencies adopt the NIST framework,” notes a story in Nextgov. “It would conflict, however, with NISTs general policy that the framework should be an advisory document… rather than a strict set of rules.”

Additionally, some feel that OMB and Homeland Security already do some of the monitoring laid out in the bill — an unnecessary duplication.

The draft federal guidelines would use NIST frameworks specifically for risk assessment, requiring federal agency heads to use that framework and report back to the OMB within 90 days of the passing of the new requirements. Risk assessment remains the first step toward closing any loopholes or strengthening weak spots. But many agencies have already engaged in some of this work. And just as the NIST framework isn’t meant to be a series of benchmarks, it’s also not meant to be a strict set of metrics against with to measure all government risk. That’s not what it was created for.

We applaud the executive office for making this a leadership issue that agency heads will be required to oversee. Doing so recognizes that cybersecurity and risk in the global supply chain are seen as core agency issues, and not just something that can be left to subordinates. NIST has created a great universal standard.

But we agree that NIST conducting audits turns an advisory agency into a compliance one, shifting their viewpoint away from risk management, where their input is sorely needed, and repositioning NIST as a compliance organization. We need to focus on potential risks and how to function in this new inter-connected world, not offer checklists for agency heads that hackers aren’t about to abide by.

Cybersecurity and supply chain threats demand new ways of thinking about enforcement and risk assessments. Forcing this work into old-school models of assessments, on an agency not equipped or funded for the work, could backfire.

Establishing a framework, and holding agency leadership accountable for management of the risks of their organizations, is a  move in the right direction.

Is Being an Early Adopter Putting You At Risk?

IT risks abound when it comes to risk management, especially when outside vendors get thrown into the mix.

The Strategic Sourceror has identified three trends in terms of IT vendor security: integrating new tech too quickly, issues with prioritizing data, and internal threats.

We have addressed internal threats elsewhere, and we acknowledge bulk data processing is an ongoing challenge, but we remain far more concerned about the first issue: integrating new technology. Problems arising with integrating quickly-changing technology and upgrades is a risk management issue we see repeatedly, especially when it comes to vendor management and onboarding new vendors.

A recent report from MAPI, the Manufacturing Alliance, found that “rapid adoption of sensor technology, smart products, and Internet of Things (IoT) strategies” can also rapidly increase the problems of fast adoption, as can “so-called industry 4.0 digital manufacturing opportunities and increased interconnectivity of the industrial ecosystem, offering bad guys a wider target to hack.”

A McKinsey and Company report estimates that IoT’s international economic impact will hit $11 trillion by 2025.

“Nearly 70 percent of the projected economic value will eventually come from the use of sensor technology and swarm intelligence among B2B users,” McKinsey notes.

Whether it’s employees tapping into their personal technology while onsite, or vendors who are increasingly relying on smart systems to bring their services to market, the fast-changing nature of these types of technology realms can also mean the ability to keep track of all potential security risks requires added levels of attention to detail.

Are vendors applying change management best practices, along with risk management best practices, from every overseas fiber-optic connection to every sensor on a package that crosses as ocean? Are they doing so with every systematic software upgrade or shift in service provider?

Annual reviews don’t cut it anymore, not when changes and additions to networks can increase weekly.

“Products, services and suppliers undergo near constant change,” notes our white paper, “The Case for the Vendor Management Office.” “Products are updated, services change with contract modifications and key members of vendor corporations turnover.”

But that’s just one part of the risk management challenge when it comes to vendors.

“As vendors make deals with their suppliers or undergo mergers, acquisitions and divestitures, the risk profile they bring to your agency changes,” the paper notes.

We’ve found that creating a Vendor Management Office (VMO) to serve as a traffic cop for vetting and managing outside vendors can go a long way in mitigating this risk. A dedicated office can not only vet potential vendors, but keep a close eye on their changes through continuous monitoring, and keep active lines of communication open.

A VMO can vet vendor applications, with a focus on the risk side of supply change management, as well as monitoring any changes with current vendors at every stage of the process. This takes the pressure off the Chief Information Security Officer (CISO), Chief Risk Officer (CRO) or other C-suite offices, and places it in the hands of experts who understand the challenges and can vet, track, update and manage these convoluted systems, as well as their myriad system changes.

Cyber Threat Intelligence, More Than Just Cybersecurity

Secure network with several green spheres and shields as protected nodes and one red hacked connection 3d illustration cybersecurity concept

The response was overwhelming. Of scores of companies surveyed last year that suffered a cybersecurity breach, 80 percent of respondents said that cyber threat intelligence could have prevented or minimized the attack.

The report,  “Importance of Cyber Threat Intelligence to a Strong Security Posture,” covered more than 600 IT professionals in the U.S., and was released in 2015.

“The study highlights the need for highly accurate and timely threat intelligence to help organizations assess the risk of incoming data, reduce the volume of security incidents, and accelerate response to successful attacks,” says a vice president of Webroot, which sponsored the survey.

Cyber threat intelligence, or CTI, remains new and evolving discipline, but one that is increasing in importance when it comes to assessing a supply chain and potential weaknesses.

“Organizations must also understand [the cyber security] risk in the context of their supply chains — whether they rely on suppliers spread across the globe to manufacture products, or whether they use IT services from a cloud provider,” notes a study by Aspen Insurance, in conjunction with the Columbia School of Business.

But what exactly is CTI, and how can it assist a supply chain analysis?

A CTI Definition

This field is still relatively new, and so definitions can still differ by provider.

“Cyber security goes far beyond being an IT issue: business activities, such as new product launches, mergers and acquisitions and market expansion, now have a cyberdimension,” notes a report by EY, a financial risk assessment and advisory company. “We all live and operate in an ecosystem of digitally connected entities, people and data.”

Understanding that ecosystem in a comprehensive manner forms the nexus of CTI, and also the reward for businesses whose leadership understands the strengths and weaknesses of their supply chain – where breaches may be most likely to occur, why, and how to prevent them.

As the security firm RSA notes, “The goal is to better understand the motives, capabilities and objectives of threat actors that might seek to target the organization so that adequate countermeasures could be implemented.”

The goal is enough foreknowledge that when an attack occurs, everyone is prepared to turn it away, or mitigate the damage, from the board room to the IT service desk, no matter where that threat happens across the company supply chain.

CTI Components

CTI is the strategic understanding of where that protection fits into the larger business model, how it works with other defenses, and what to do when it comes under attack, or if it fails, that elevates IT’s actions to fitting in with a more comprehensive CTI analysis.

In one example, an IT department purchases malware protection. That IT company is now part of the supply chain, as is the software it provides. Is one type of malware protection able to protect against enough potential encroachers? Is redundancy, in the form of another malware program, a better bet? Does the program adequately meet the needs of the entire supply chain, or does it cover just one section, and if so, where do the cyber security weaknesses lie outside of that software?

Another way to define what goes into CTI is to consider what Security Week calls the “squishy” parts – the analysis of what can go wrong, where, and when, which can be harder to pin down. That includes things like motives, capabilities, and objectives behind attacks, which means considering internal strengths and weakness throughout a supply chain, and how those strengths and weakness appear across a company’s functionality.

This is why an off-the-shelf CTI program often don’t work , and a detailed, top-down understanding on a business-by-business basis becomes key. The combination of supply chain, IT service and personnel needs doesn’t stay the same from one firm to another, and neither do the threat matrices they face throughout their supply chain.

When the Internet of Things Takes Down the Internet

The Internet tools that slowed some of the world’s largest sites for hours on a recent Friday morning weren’t just server farms or hacked key fobs.

Baby monitors helped take down Twitter.

Security cameras helped halt Amazon.

This nightmare scenario became a reality on October 21 when hackers used the Internet of Things (IoT) in a distributed denial-of-service (DDoS) attack that brought down major sites from PayPal to Spotify. While the attack was described as an Internet security issue, that’s not the whole story. It is a supply chain issue. The attack also represents a Doomsday scenario that security and supply chain experts have been predicting for years. Their focus is not high-level international villains, but low-level embedded technology.

What Happened

Early in the business day on that October Friday, major web sites started shuddering. The problems were quickly attributed to an attack on Dyn, a major Internet connection hub. Dyn monitors and routes Internet traffic. Their systems were overloaded with millions of access requests from IP addresses, so many that Dyn couldn’t handle the traffic in what’s known as a DDoS attack. Hackers had gained access to IP addresses that they then directed toward Dyn, through baby cameras and surveillance monitors — basically turning the Internet of Things against the Internet.

As Dyn’s leadership notes, businesses that had instituted network redundancy faired better against the attacks, as they could shift their access points to other services. That kind of spreading the wealth is actually encouraged by Dyn, as Dyn’s Chief Strategy Officer Kyle York notes in statements made after the attack. His firm supplies a service, and good supply chain practice for critical parts of a chain is to program redundancy so if one service falters, business can still continue.

“I don’t think you can ever be safe enough or redundant enough,”  he says, in Supply Train 24/7.

But that’s not the only supply chain issue at play.

Hardware, Software, Oops

This kind of attack relies on gaining access to the hardware and the software behind it. Vulnerabilities can arise when parts or software handled by an outside supplier aren’t tested for quality assurance, functionality and security. There are hundreds of parts that are now built into cars, for example, that make them smart, but also make them vulnerable to attack and exploitation.

Scott Montgomery, vice president and chief technical strategist in Intel’s security division, notes that companies inherit every problem in their supply chain, according to The New Stack, which covered a panel in San Francisco where he spoke.

And the problem isn’t just a faulty piece of hardware.

“If you think just because your software is on a chip, that they can’t get it off of there, you are mistaken,” says Billy Rios, a security expert who has worked with the Department of Defense, speaking at the same panel. “If you think that someone will never be able to understand your custom vertical, you are mistaken. If you think no one will ever find that hidden account you have in there to do debugging or to access to certain features that you don’t want your customers to get access to, you are certainly mistaken.”

Some security experts have been warning that lax oversight for parts in things that connect to the Internet pose a serious security risk, some of them saying it’s only a matter of time until a major hack similar to the one seen in October.

“Information security people ‘have been screaming bloody murder about this for years’,” reports the San Francisco Chronicle.

Take this 2011 example, reported in 2014 by the Heritage think tank:

“In October 2011, two people were convicted of selling as many as 59,000 counterfeit circuits from China to the U.S. military, defense contractors, and others for use in U.S. warships, airplanes, missiles, and missile defense systems. Not only were these cheap fakes, but these chips potentially contained serious vulnerabilities that could have disabled, impaired, or stolen information from these important systems.”

For businesses in the IoT market, rushing Internet-accessible products to market sometimes trumps careful vetting of all components in the supply chain. As one expert notes in the Washington Post, this DNS attack should be a “wake up call” to suppliers who aren’t vigilant about the security of their components.

Because no matter their focus, everyone in the security community agrees that while the volume of things used in this recent attack is unusual, it’s not going to be the last.

OPM’s Cyberattack and Lessons Learned

binary-hacker_mdWhat does it say about government agencies if the office in charge of handling information for federal employees suffers a hack deep enough to compromise the private information of more than 4 million people?

That’s the question Congress, as well as the leadership of the Office of Personnel Management (OPM), grappled with in the wake of a data breach that reached back to 2012.

A report released Sept. 7 by the Republican-led House Oversight and Government Reform Committee took the OPM leadership to task for failing to adequately protect their systems. The report was based on a year-long investigation into the breach, according to Federal News Radio.

This being Washington, there’s some partisanship at play here, but ultimately the public discussion of the attack and how OPM plans to ensure this doesn’t happen again has lessons for businesses and leaders beyond the Beltway.

What Happened

From the report:

“In what appears to be a coordinated campaign to collect information on government employees, attackers exfiltrated personnel files of 4.2 million former and current government employees and security clearance background investigation information on 21.5 million individuals,” including fingerprint data from 5.6 million people.

On March 20, 2014, the first alert came — someone was pulling OPM data from deep inside the network, Krebs on Security explains. OPM leadership engaged in a monitoring strategy to learn more about the hacker. But, according to the report, this strategy assumed they had correctly identified the source of the problem. They hadn’t.

In May of that year, someone posing as an employee of an OPM contractor hired to do background research used legitimate credentials to log into the OPM system and install malware that opened a backdoor into the OPM network.

OPM found the first hacker, and thought they had mitigated the threat. But they didn’t find the second one until about a year later. Investigations show the first access may have come as early as 2012, according to the House committee.

By the time both threats were discovered, personnel records, including background investigations for security clearance and fingerprint data, had been swiped.

In just one example of the impact of this attack, the Central Intelligence Agency recalled officers from Beijing for fear the attack, tied back to the Chinese, might expose the identity of spies, according to the Washington Post.

Simple steps

A measure as simple as two-factor authentication could have mitigated the attack, the Congressional panel found, but OPM didn’t adopt that requirement for remote logins until 2015. And that was just one suggestion. The Congressional report also called for better vetting of agency personnel and the CIO.

In their original response to the breach, back in 2015, OPM leadership outlined the steps taken to ensure this doesn’t happen again. And therein lies a lesson for every business. The OPM laid out 23 steps that they are currently implementing.

Among the suggestions:

  • Enhance oversight of outside contractors, with detailed documentation for doing so.
  • Limit the number of privileged users and how long they can log into the system, and track all of their system activity
  • Hire a dedicated IT portfolio manager to handle all “security and performance requirements”
  • Cybersecurity training for every employee, mandated
  • Centralize cybersecurity management in the CIO’s office

While many of us may not draw the attention of foreign cyber-espionage hackers, the measures, and the warnings, are good practice for everyone worried about cybersecurity — which should be all of us.

Is Child Labor Lurking in Your Supply Chain?

Congress has recently banned the import of any products linked to child or forced labor with the passage of the the Trade Facilitation and Trade Enforcement Act of 2015. Many countries do not have laws that protect workers from harsh working conditions like the United States, and when companies take advantage of this, it creates an unfair trade advantage. The U.S. Department of Labor maintains a list of countries that manufacture goods with child or forced labor. According to Kaitlyn McAvoy at SpendMatters:

The law amends previous legislation that allowed any product into the country regardless of how it was produced if it met the “consumptive demand” rule, which is when demand is high but supply is insufficient. The Tariff Act of 1930 allowed the Customs and Border Protection Agency [CBP] to seize imports of goods suspected to be produced by forced labor. However, according to the Associated Press, the agency last used that authority just 39 times due to consumptive demand. Section 910 of the new trade act closes that loophole.

Past Supply Chain Failures

There have been quite a few high profile manufacturers who have been found to have forced or child labor in their supply chain. However, up until now, companies mostly faced bad press when it occurred, rather than tangible penalties. However, It is expected with this elimination of the “consumptive demand” rule, that CBP will be enforcing the law more vigilantly and pursuing stiffer penalties for violations.

Nestlé
Famed candy maker Nestlé signed the Harkin-Engel protocol in 2001, to work to end child labor in its cocoa production supply chain. The voluntary agreement had little teeth, and in 2005, a human rights attorney sued Nestlé, Cargill and Archer Daniels Midland for the use of forced child labor. A decade later, a report commissioned by Nestlé from the Fair Labor Association found continued use of child labor on farms used by Nestle on the Ivory Coast. Additionally, the company has found that its suppliers in Thailand also use forced labor.

Apple, Microsoft and Samsung
Cobalt is mined with child labor in the Democratic Republic of Congo (DRC) and is a critical material in the manufacture of electronic components used in products made by Apple, Microsoft and Samsung. A recent Amnesty International report identified that while these companies have policies in place that prohibit the use of child and forced labor, these companies are not fully aware if products further down their supply chain are or are not compliant.

Copyright : Paul Prescott

Walmart and Wrangler
Probably one of the most well-known child labor issues relates to clothing production. In a CBS News investigation in 2013 following several tragic workplace disasters, facilities in Bangladesh that supply Walmart and Wrangler were found to have unsafe working conditions and child labor. Both companies worked to resolve the issue upon discovery and would ban that particular supplier in question. However, the issue could recur as factories may trade manufacturing orders among each other without notifying the end customer.

How Can You Protect Yourself?

Companies seeking to protect their critical information and avoid data breaches must be aware of the cybersecurity of all of their suppliers along their supply chain. The same will be true for companies who need to protect themselves from violations of the new trade law. Thorough supply chain mapping of both direct and indirect suppliers will be important to ensuring that companies are not unintentionally using a supplier that sells their manufacturing contract to the neighbor across the street who isn’t following the rules, or using a supplier that’s not really checking the age of the workers that are harvesting its cocoa.

Once upon a time ignorance could be used as an excuse, but in this day of information and 24/7 news coverage, taking the time and making an investment to do a little proactive investigation can save your company money and brand reputation in the long run.

Securing the Internet of Things (IoT)

39540545_l

We live in an increasingly connected world. More devices–in more ways that we could have imagined even a few years ago–connect to the Internet. Some 5.5 million new devices are expected to go online daily in 2016, 30 percent more than 2015. These gadgets include not only smartphones, but fitness trackers, keyless door locks, urban traffic monitors, washing machines, and cars.

This growing internet connectivity also presents more opportunities for cybersecurity breaches. Just as our world moves online, so do risks. A hacker in possession of a stranger’s personal smartphone could steal one person’s bank information — and also commit industrial espionage if that small phone also links to a larger workplace network. One entry into a cloud server could snag information from thousands of consumers — or offices.

Workplace Security

Every office these days likely has at least one employee who wears a Fitbit or some other tracker that sends location and other information to a network. Even if you password protect your building network, your employees might use their passwords to login via their personal smartphones. These are all machines that your business is not protecting, nor protecting its network from.

One recent study of IT professionals found that 73 percent of them expect to suffer a data breach tied to an employee’s connected device, and almost as many say the manufacturers of these devices don’t offer enough security protection. Does your company have a smartphone access policy? Do you know who is connecting? If you don’t, you could be opening yourself to major security breaches. Your employees could also open up opportunities for theft of your proprietary information from their phone.

Some firms increase their vulnerability by having employees use personal phones for work or allow work machines to become essentially the employee’s personal devices. This also blurs lines about what information gets locked down, and what could unintentionally–or intentionally–come under cyberattack.

Even light bulbs may come into play. Home-based services link smart bulbs to phones and laptops for control–dim the lights for living room movie night. Or, in the case of an office, control all utilities for cost-effectiveness. Building security can go online, instead of utilizing a traditional closed circuit system. Experts expect this workplace-based IoT market to grow rapidly this year.

Manufacturing firms have machines connected to the Internet that can signal staff about mechanical problems that could impact production. But how safe is the hardware and the software that connects those machines to a business network? Who are the installation techs who have access to your network, but possibly have not undergone as stringent a background check as your employees? Risk comes from human, hardware and software elements.

“Last year, a hacker took control of the thermostats, lights, TVs and window blinds in all 250-plus rooms of a hotel in Shenzhen, China, after discovering a vulnerability in the hotel’s ‘butler’ mobile application that allows guests to control these settings with their smartphones and tablets,” as Dell’s Power More publication notes.

Whether a hacker breaches a server by a company-owned desktop or via an employee smartphone doesn’t matter — what matters is the stolen information. This is bad for business, and it could also be illegal. Businesses that don’t take precautions to lock down their networks and intellectual property could be vulnerable to legal action. Companies with overseas ties are also subject to strict laws that protect data from abroad even if that information merely passes through a foreign server.

Banning IoT devices risks angering employees and even worse, letting your business fall behind the times on technology. However, you can take steps to assess the risk your business faces from these devices, create company-wide usage policies, and educate everyone from the boardroom to the janitors, as well as outside vendors who might need access to your network.

This takes time and effort, of course. But better a little precaution now, rather than a multi-million dollar loss and lawsuits later.

CISOs Must Change With the Times

In years past, the Chief Information Security Officer (CISO) role focused on IT needs and internal security. Many CISOs only influenced their own departments, according to the Computer Business Review. They had to wheedle funds from within their organizations. They reported directly to CIOs or CEOs, but were not involved in any Board interaction.

Today, CISOs face changing technology developments and security requirements, as well as a growing awareness outside of IT departments that these needs are so intrinsic to the performance of any company that the CISO must be a partner in company-wide decision-making processes.

CISOs are increasingly called upon to serve as a bridge between tech rooms and the board room. Just as workplace dependence on technology increases, so does the need for buy-in at all levels to understand threats, how to mitigate them, and how to bring departments together to do so. In the coming years, we’ll see more CISOs in the board room, sitting at the table with major decision makers to ensure risk assessment and other technology needs are considered with every business move.

This also calls on CISOs to embrace more “soft skills.” Think business school instead of engineering school — the ability to translate tech-speak into broadly understood needs and goals, and the business savvy to see them implemented company-wide.

This is how security leaders themselves see their future. “The role of the CISO today now requires new skills such as business acumen, risk management, innovation, creating human networks, and building cross-organizational relationships,” writes Bill Bonney, a CISO and security analyst, on a series of LinkedIn posts.

Bonney’s dual roles highlight the other change in the CISO job description. As Katz told the magazine, “In the next five to ten years, it will become two roles – the technology expert and the information risk expert.”

Monitoring PCs and other company-issued devices, and non-company issued, has become just a part of the CISO’s role. As more of our workspace technology shifts outside of direct control–cloud data storage, third-party software contracts, employees’ own electronic devices who blur the lines between personal and business technology usage–the job description has been rewritten. The stakes are higher and the risk keeps growing, as more and more information moves online.

Mike Kalac, the CISO of Western Union, told one industry blogger:

“The most important thing to understand is not technology, it’s risk management. Security is not a binary function… we aren’t ‘secure’. We have a spectrum of risks that we will manage to the best of our abilities.”

Nothing can be 100 percent secure, he notes, and some firms will decide to accept certain risks for the sake of their specific business needs.

But making those decisions increasingly means having a trusted CISO who can navigate the management waters and the boardroom as well as they manage IT offices.

How DFARS Impacts Your Business

What do the new DoD DFARS (Defense Federal Acquisition Regulation Supplement) subpart 204.73 rules mean for contractors?

If you contract with the DoD, or work with a firm that contracts for the DoD, it’s vital to understand the security of every part of your network, whether it’s a laptop in your office or a server half a country away.

The rules basically require business owners to understand every aspect of a data chain. That includes second- and third-tier suppliers, including those that handle cloud storage — if there’s a violation, the contractor is held responsible for understanding any leaks the subcontractors might have contributed. It also includes connections between the cloud and what ends up linking to the DoD, as well as the employees of any subcontractors or suppliers, so you can be assured that no one who has access to your information via working in the cloud can cause a rupture in the security chain.

“The biggest thing your company needs to do is have an assessment done as soon as possible,” says the Association of Procurement Technical Assistance Centers’ blog.

Alexander W. Major, an associate in the Government Contracts, Investigations & International Trade Practice Group, writing in The National Law Journal, agrees:

“Contractors and subcontractors have been drafted into a fight to secure and defend their country’s data from the looming threats of cyber criminals and cyber-terrorists. All contractors need to plan accordingly – IN ADVANCE OF AGREEING TO GOVERNMENT REQUIREMENTS [capitalization Major’s]– if they expect to do business in accordance with the regulations being imposed by all executive agencies.”

Contractors also carry the burden of understanding exactly which government rules apply to them. As law firm Holland & Knight explains, regulations from different agencies can be contradictory:

“That data could be subject to one standard under a DoD contract and another standard under a civilian agency contract. Accordingly, there is no one-size-fits-all process for determining what cybersecurity compliance will look like for government contractors. At this point, a contractor may want to determine the most stringent controls potentially applicable to its mix of contracts and types of information and measure the adequacy of its information assurance systems against that standard.”

Proving this point, NextGov.com notes that the Office of Budget Management is also working on it’s security rules — which was opened for public comment — and will work in addition to, but likely dovetail with, DoD requirements.

In sum: Figure out which rules are the most stringent when it comes to your business, and follow those, all the way through to the lowest-tier supplier.

Businesses will also need to explain how they will track any “spillage,” notes another law review article. That means contractors will need to have plans in place on how to deal with problems well before they arise.

Ideally, your firm will have a solid grasp of all the regulations that apply to your business, and abide by the most stringent ones in order to ensure that you’re fully compliant.

It’s not easy to track every potential risk to your information so that you can accurately report those details should the DoD come calling. But now, it’s more vital than ever to know the answers. Your business depends on it.

How Safe Is Your Cloud?

Knowing the answer, down to the most obscure-seeming data point, could be the difference between successfully navigating government contracting, and closing up shop.

New rules rolled out at the end of August codify the Department of Defense’s cybersecurity policy, including the responsibilities of DoD contractors and subcontractors when it comes to information security. The new “interim rule” pulls together some requirements already scattered through other acts and memorandums, but adds some new items.

And in early October, the federal government made it clear that these are not voluntary regulations, but instead requirements for doing business, according to The National Law Review.

Some 10,000 businesses will be impacted by the changes, according to NextGov.com.

The Small Print (Some of It)

Data breaches have become such a major concern that the DoD says “urgent and compelling reasons” pushed authorities to issue the new rules without any public comment, effective immediately. Likely weighing heavily on their minds was an alleged Russian spearfishing attack against the Pentagon just weeks before the August announcement.

Ultimately, the issuances demand a closer examination of data security and resources along every step of a defense contractor’s supply chain.

Essentially, contractors must report any incident that impacts “covered defense information (CDI), a covered contractor information system (a federal contractor’s information system that handles CDI), or on a contractor’s ability to provide operationally critical support” according to one trade organization. In return, the DoD promises to protect proprietary information on behalf of the contractors should they need to investigate.

The Government Contracts, Investigations and International Trade blog from the law firm of Sheppard Mullin lays out the changes in great detail. It’s worth reading the entire post. Some of the highlights:

  • The DoD has expanded the definitions of the unclassified information that, if involved in a potential “incident,” contractors are liable to report.
  • The burden of following the new rules falls on contractors. Those who can’t follow the new rules will have to prove why it’s impossible or inapplicable.
  • Contractors must report whether their work utilizes cloud computing, and includes wording for contracts.

Additionally, all cloud computing facilities must be located in the U.S., another law journal post notes, and firms must be able to explain how they will track everything and work with the DoD should the worst happen.

Businesses have 72 hours to report any breaches — the clock starts as soon as the problem is discovered — and reporting happens via a DoD website. Law firm Holland & Knight reports that it’s up to the contractor to investigate the scope, as well as the circumstances while the DoD reserves the right to dive into systems to check the breaches themselves.

And if you think there is wiggle room because you may be a small business with only a handful of employees? Think again–there are no exceptions for small businesses.