Department of Defense

How DFARS Impacts Your Business

interosblog Leave a comment

What do the new DoD DFARS (Defense Federal Acquisition Regulation Supplement) subpart 204.73 rules mean for contractors?

If you contract with the DoD, or work with a firm that contracts for the DoD, it’s vital to understand the security of every part of your network, whether it’s a laptop in your office or a server half a country away.

The rules basically require business owners to understand every aspect of a data chain. That includes second- and third-tier suppliers, including those that handle cloud storage — if there’s a violation, the contractor is held responsible for understanding any leaks the subcontractors might have contributed. It also includes connections between the cloud and what ends up linking to the DoD, as well as the employees of any subcontractors or suppliers, so you can be assured that no one who has access to your information via working in the cloud can cause a rupture in the security chain.

“The biggest thing your company needs to do is have an assessment done as soon as possible,” says the Association of Procurement Technical Assistance Centers’ blog.

Alexander W. Major, an associate in the Government Contracts, Investigations & International Trade Practice Group, writing in The National Law Journal, agrees:

“Contractors and subcontractors have been drafted into a fight to secure and defend their country’s data from the looming threats of cyber criminals and cyber-terrorists. All contractors need to plan accordingly – IN ADVANCE OF AGREEING TO GOVERNMENT REQUIREMENTS [capitalization Major’s]– if they expect to do business in accordance with the regulations being imposed by all executive agencies.”

Contractors also carry the burden of understanding exactly which government rules apply to them. As law firm Holland & Knight explains, regulations from different agencies can be contradictory:

“That data could be subject to one standard under a DoD contract and another standard under a civilian agency contract. Accordingly, there is no one-size-fits-all process for determining what cybersecurity compliance will look like for government contractors. At this point, a contractor may want to determine the most stringent controls potentially applicable to its mix of contracts and types of information and measure the adequacy of its information assurance systems against that standard.”

Proving this point, NextGov.com notes that the Office of Budget Management is also working on it’s security rules — which was opened for public comment — and will work in addition to, but likely dovetail with, DoD requirements.

In sum: Figure out which rules are the most stringent when it comes to your business, and follow those, all the way through to the lowest-tier supplier.

Businesses will also need to explain how they will track any “spillage,” notes another law review article. That means contractors will need to have plans in place on how to deal with problems well before they arise.

Ideally, your firm will have a solid grasp of all the regulations that apply to your business, and abide by the most stringent ones in order to ensure that you’re fully compliant.

It’s not easy to track every potential risk to your information so that you can accurately report those details should the DoD come calling. But now, it’s more vital than ever to know the answers. Your business depends on it.

The Importance of Criticality Analysis (CA) in Supply Chain Risk Management (SCRM)

interosblog Leave a comment

Securing any supply chain is a complex, evolving, and cyclical set of exercises, often complete with much trial and error.  While achieving a 100 percent secure supply chain may never be a realistic goal, it is very realistic and very possible to greatly reduce the risk your supply chain faces.  Part of effective risk reduction includes understanding your risk tolerance.  An important step in developing an accurate risk tolerance picture is to incorporate the practice of criticality analysis early into your agency’s SCRM cycle, as well as follow-through criticality analysis throughout the acquisition and product lifecycle.  The U.S. Department of Defense (DoD) defines criticality analysis as the primary method by which mission-critical functions and components are identified and prioritized. It is an end-to-end functional decomposition of the system which involves:

  • Identifying and prioritizing system mission threads;
  • Decomposing the mission threads into their mission-critical functions; and
  • Identifying the system components (hardware, software, and firmware) that implement those functions; i.e., components that are critical to the mission effectiveness of the system or an interfaced network.

Sending the Adversary Packing

While the process described is defined by DoD, criticality analysis is a highly effective tool when utilized in both government and commercial sectors with the overarching goal to protect one’s supply chain by simply making the adversary’s job more difficult.  Generally speaking, adversarial activity will gravitate towards the path of least resistance.  Criticality analysis leads to greater protection of your most valuable mission assets, which in turn makes those assets a more difficult target for the adversary.  The adversary thrives on successfully achieving their goals.  Criticality analysis and greater protection of your critical assets can go a long way in dissuading the adversary from persistent threat on those assets.  Important to note:  your most critical asset is integral to the continuation of operations versus simply where you spend the most money.

Key Points in Kick Starting Criticality Analysis in Your SCRM Program

Implement Criticality Analysis in the Design Process for Greatest Impact

Criticality analysis should begin with the system engineering and design process. While criticality analysis can be effective at any point in the acquisition and product lifecycle, there is a far greater chance of avoidance of mission failure and cost reduction when implemented initially in the earliest of stages.

Establish Follow-Thru Criticality Analysis Throughout the Acquisition/Product Lifecycle For Continued Mission Assurance

Criticality analysis doesn’t stop once the product or component has been purchased and put into use.  This is a particularly important point in parts deemed critical to mission success.  Reoccurring criticality analysis reviews throughout the lifecycle provide the benefit of:

  • possible upgrade or downgrade of level of criticality based on new or changing mission objectives,
  • the opportunity to re-survey new surrounding components that may have been introduced into the mission after the initial purchase of the item being analyzed,
  • opportunities to identify successes and failures throughout the lifecycle, and document in a historical criticality analysis catalog for future acquisitions and design process.

Understand Neighboring Components Criticality Analysis and Cross-Cutting Mission Criticality Analysis

Developing a criticality analysis library will assist in mapping out the criticality of your overall project.  The task of mapping out criticality can provide a cross-cutting view of how SCRM decisions affect other projects.  Additionally, a criticality analysis library can assist in the actual design process by helping engineers understand if there are risks posed by other components or mission equipment that may ultimately cause the failure of the component or equipment being analyzed.

Conclusion

Given the constraints on the government budget and investor pressures on public companies to produce profits, it is important to know how to best allocate limited resources and keep the adversaries out. We cannot protect everything – we must determine what is the most important to focus on and the level of rigor that should be applied.  This is not necessarily tied to the amount of money spent on the effort; moreover, the criticality is focused on the biggest impact to continuing operations should the operations be interrupted.  For this reason, criticality analysis is the first step in a good approach to supply chain risk management.