DoD has had enough with losing data in cybersecurity, so here comes NIST 800 171

Redport Information Assurance
As reported in CSO magazine this past month, the deadline is near for organizations in the DoD Industrial Base (DIB) to become cybersecurity compliant, according to the U.S. Department of Defense (DoD). It is well known in the U.S. that the DoD is a major consumer of goods, including very technical and sensitive intellectual property. It is constantly involved in the procurement of weapons, heavy equipment and various other third-party services, and it deals with numerous outside U.S. Government contractors on a daily basis. Unfortunately, the DoD has been dealing with an increasing number of cybersecurity incidents and data breaches involving private government contractors and other types of third-party providers.
Therefore, the DoD has issued a mandate that all vendors and organizations in procurement dealings with the DoD must implement a standard set of cybersecurity controls, procedures and system processes within a cybersecurity implementation plan. The initial announcement was made in 2015, giving organizations until December 31, 2017 to implement IT security best practices as specified in NIST Special Publication (SP) 800-171. That time is now: there are only weeks left to implement such a plan. There is a requirement to enforce such an implementation plan within NIST SP 800-171, and the NIST document was therefore written into the DoD procurement rules and regulations called the Defense Federal Acquisition Regulation Supplement (DFARS).
NIST SP 800-171 is only about policy, process and configuring IT securely. It contains no detailed specifications for how to run and implement cybersecurity processes and procedures for the overall implementation. Therefore, NIST SP 800-171 by itself does not provide the data on how these new requirements should be met.
However, personnel can use specific guidance such as the security controls specified in NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.” The security requirements are organized into fourteen (14) distinct groups and listed in a table within the NIST SP 800-171 document. Unfortunately, according to Redport IA, LLC’s CEO Steve Reinkemeyer, the controls are only the absolute minimum of requirements to ensure the confidentiality, integrity and availability of information within the system. DFARS goes further, defining the more intricate processes and procedures for implementing such controls for cybersecurity compliance and to ensure that no data breaches occur within the DoD in the future.
By Dr. Randall Sylvertooth
Sources:
https://www.csoonline.com/article/3239925/compliance/department-of-defense-contractors-must-implement-it-security-controls-by-december-31.html

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf

For more information about Redport’s information assurance and cyber security services, visit www.redport-ia.com, email us at info@redport-ia.com, like us on Facebook, and follow us on Twitter @redport_ia.
