Cybersecurity Compliance in The Age of Hacked Everything?
Everyone hears about cybersecurity in the news, it seems with greater and greater frequency, touching more and more of our lives. Equifax got hacked. The Chinese purportedly steal intellectual property and military secrets from American companies on a massive scale. Retailers regularly report breaches of their systems exposing millions of customers’ credit card numbers to the “dark web.”
Right now, if your company is at all involved in a supply chain servicing contracts with the United States Department of Defense (DoD) as a direct supplier or as a subcontractor to a prime contractor with DoD contracts, there is a clock ticking away. Ticking very, very loudly.
Your organization has until December 31, 2017, to become compliant with NIST SP 800-171. This is a requirement that is stipulated in the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. Fundamentally, the Department of Defense is taking very seriously the risk of cybersecurity and cyberespionage, and have taken a very strong stance that compliance must be achieved by the end of the year. If a contractor is not compliant, they will not be eligible for to bid on further business. I know in talking to a number of DoD contractors that there exists a great deal of disbelief that this deadline is “real,” that it won’t be extended, just like so many other “hard” deadlines in the past.
This time, they mean it. Think about it – with cybersecurity in the news so much, with proof of breaches hitting the news almost daily, who in the Department of Defense would take the personal risk of relenting on a cyber-related deadline. Would you like to be the hapless colonel called before Congress to testify after some horrible cyber incident impacts our defensive capabilities to explain why you let things slide?
Understanding What Is At Stake
What can possibly go wrong with non-compliance in a contract with the U.S. Government?
Contract Termination. It is reasonably expected that the U.S. Government will terminate contracts with prime contractors over non-compliance with NIST 800-171 requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance will cause a prime contractor to be non-compliant, as a whole.
Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information.
Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a NIST 800-171-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., NIST 800-171 controls).
As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.
How Can MAGNET Help?
MAGNET offers a proven and comprehensive four-step cybersecurity program. We will help you gauge your current situation and tailor a plan specifically for your internal capabilities, budget and time sensitivity. Here’s how it works:
STEP 1: DISCOVERY – the professional assessment of your company’s practices related to the new standard. If necessary, a gap analysis will be completed to document the scope to be remediated. (Estimated timing 1-2 weeks)
STEP 2: REMEDIATE TO MEET NEW STANDARD – supports all necessary fixes to ensure compliance. This may include updates to firewalls, patches, policy development, employee training, physical security, network configuration, etc. (Estimated timing 1-12 months)
STEP 3: TEST AND VALIDATE – verifies that all technology and physical security aspects are working properly. A penetration test may be necessary. (Estimated timing 1-4 weeks)
STEP 4: MONITORING/REPORTING – establishes ongoing monitoring and scanning of the required enterprise network. Creates a working process to log, remediate and report (as required) cyberattacks. (Ongoing)
Cybersecurity is a serious issue, particular for any company operating in the Department of Defense Supply Chain
Non-compliance poses significant, and potentially existential threats to your business
Although right now the Federal focus is on DoD contractors, expanding the scope to include anyone doing business with the government who is exposed to Controlled Unclassified Information is anticipate
Even if you do not do business with the government, cybersecurity is a risk to be taken seriously, and a potential competitive advantage in marketing your firm as a reliable business partner to your industrial customers
Follow this blog to keep informed
What can you do?
Bookmark this blog to stay informed (press CTRL + D for Windows users or Command + D for Mac users)
Reach out to email@example.com if you want to discuss your organization’s project and program management, cybersecurity, procurement, product, operations, quality, workforce, specialized custom equipment, or other challenges
HEADLINE The survey definitively shows that product innovation leads to more growth, while “grow your own workforce” strategies will be needed to fill the major labor shortages hampering small manufacturer growth. Emerging technologies like the Internet of Things (IoT), 3D printing, and digital manufacturing are beginning to enhance innovation and productivity, but still have significant room for adoption amongst Ohio’s small manufacturing businesses. ABOUT THE SURVEY Under the direction of the Ohio Manufacturing Extension Partnership (Ohio MEP), MAGNET: The Manufacturing Advocacy and Growth Network conducted a thorough survey of Ohio’s manufacturing base. Contributing approximately 20% of Ohio’s jobs (and driving in some regions up to 50% of Ohio’s economy), and generating a disproportionate amount of export revenues and Gross Regional Product, manufacturing is critical to Ohio. Greater than 95% of Ohio’s manufacturers are small (under 500 employees), and these manufacturers need to remain competitive both nationally and internationally to ensure our economy’s health. Ohio’s Development Services Agency and the National Institute of Standards and Technology, which runs the MEP, recognizes the importance of this sector and fuels MAGNET and the Ohio MEP program to directly serve and support innovation, efficiency, and growth in small and medium manufacturers. What manufacturers need
How Virtual Reality and Augmented Reality Can Help Keep Our Engineers Safe and Our Manufacturing Strong Recall how difficult it was to put together complex LEGO creations when you were a child or helping a child. Now, picture assembling a fighter plane from a room full of parts. Even highly trained engineers can benefit from technology to help improve consistency and quality. Virtual reality (VR) and augmented reality (AR) are making near-perfect assembly a possibility in the manufacturing space. By wearing AR glasses that use cameras, depth sensors and motion sensors to overlay images onto the real working environment, engineers and factory workers can visualize the exact bolts, parts, part numbers and instructions on how to assemble a particular component correctly. Lockheed Martin began using AR goggles and improved F-35 assembly time by 30 percent, in addition to increasing accuracy to 96 percent. In order to remain competitive, businesses should consider the ways VR and AR can improve efficiency and supply chain productivity. According to a recent BofA Merrill Lynch Global Research report, AR platforms can provide companies up to 25 percent in cost savings on installation of equipment. Here are four ways VR/AR is disrupting the mid-market manufacturing space:
Why should you consider TechLink? To date: More than 1,270 technology transfer partnerships brokered between companies and 110 DoD labs or centers, including all 65 DoD labs that generate patented inventions More than 600 license agreements facilitated between DoD and companies nationwide, transferring over 1,000 DoD inventions to industry Facilitated 60% of total DoD licensing agreements over the past 10 years What does TechLink Specialize in? TechLink specializes in 10 technology areas: Energy, BioTech, Materials, Sensors, Photonics, Software/Info Technology, Military Technology, Electronics and Environmental Technologies. 4 Ways TechLink can help you: Actively market DoD inventions to industry nationwide Help companies evaluate these inventions and submit license applications Facilitate communications between DoD labs and companies leading to “win-win” license agreements for both parties Maintain the nation’s only comprehensive database of DoD-patented inventions, fully searchable through techlinkcenter.org Why should you believe in TechLink? Check out the TechLink technology database and the Technology Spotlight for regular updates on available technologies and contact information for the related Technology Manager. The Manager will help you assess the technology for your company needs, facilitate your connection with DoD, and walk you through the licensing process. Most DoD inventions have civilian and commercial applications. DoD technologies licensed by TechLink have generated