Cybersecurity Compliance in The Age of Hacked Everything?
Everyone hears about cybersecurity in the news, it seems, with greater and greater frequency, and it touches more and more of our lives. Equifax got hacked. The Chinese purportedly steal intellectual property and military secrets from American companies on a massive scale. Retailers regularly report breaches of their systems exposing millions of customers’ credit card numbers to the “dark web.”
Right now, if your company is at all involved in a supply chain servicing contracts with the United States Department of Defense (DoD) as a direct supplier or as a subcontractor to a prime contractor with DoD contracts, there is a clock ticking away. Ticking very, very loudly.
Your organization has until December 31, 2017, to become compliant with NIST SP 800-171. This requirement is stipulated in the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. Fundamentally, the Department of Defense is taking the risk of cybersecurity and cyberespionage very seriously, and has taken a very strong stance that compliance must be achieved by the end of the year. If a contractor is not compliant, it will not be eligible to bid on further business. I know from talking to a number of DoD contractors that there exists a great deal of disbelief that this deadline is “real,” that it won’t be extended, just like so many other “hard” deadlines in the past.
This time, they mean it. Think about it – with cybersecurity in the news so much, with proof of breaches hitting the news almost daily, who in the Department of Defense would take the personal risk of relenting on a cyber-related deadline? Would you like to be the hapless colonel called before Congress to testify after some horrible cyber incident impacts our defensive capabilities, to explain why you let things slide?
Understanding What Is At Stake
What can possibly go wrong with non-compliance in a contract with the U.S. Government?
Contract Termination. It is reasonable to expect that the U.S. Government will terminate contracts with prime contractors over non-compliance with NIST 800-171 requirements, since it is a failure to uphold contract requirements. Subcontractor non-compliance will cause the prime contractor to be non-compliant as a whole.
Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information.
Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil wrong committed against another in which the injured party can sue for damages. The likely scenario for a NIST 800-171-related tort would be negligence on the part of the accused party for not maintaining a specific standard of conduct (e.g., the NIST 800-171 controls).
As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.
How Can MAGNET Help?
MAGNET offers a proven and comprehensive four-step cybersecurity program. We will help you gauge your current situation and tailor a plan specifically for your internal capabilities, budget and time sensitivity. Here’s how it works:
STEP 1: DISCOVERY – the professional assessment of your company’s practices related to the new standard. If necessary, a gap analysis will be completed to document the scope to be remediated. (Estimated timing 1-2 weeks)
STEP 2: REMEDIATE TO MEET NEW STANDARD – supports all necessary fixes to ensure compliance. This may include updates to firewalls, patches, policy development, employee training, physical security, network configuration, etc. (Estimated timing 1-12 months)
STEP 3: TEST AND VALIDATE – verifies that all technology and physical security aspects are working properly. A penetration test may be necessary. (Estimated timing 1-4 weeks)
STEP 4: MONITORING/REPORTING – establishes ongoing monitoring and scanning of the required enterprise network. Creates a working process to log, remediate and report (as required) cyberattacks. (Ongoing)
Cybersecurity is a serious issue, particularly for any company operating in the Department of Defense supply chain.
Non-compliance poses significant, and potentially existential, threats to your business.
Although right now the Federal focus is on DoD contractors, expansion of the scope to include anyone doing business with the government who is exposed to Controlled Unclassified Information is anticipated.
Even if you do not do business with the government, cybersecurity is a risk to be taken seriously, and a potential competitive advantage in marketing your firm as a reliable business partner to your industrial customers.
Follow this blog to keep informed
What can you do?
Bookmark this blog to stay informed (press CTRL + D for Windows users or Command + D for Mac users)
Reach out to firstname.lastname@example.org if you want to discuss your organization’s project and program management, cybersecurity, procurement, product, operations, quality, workforce, specialized custom equipment, or other challenges.