Q&A With Sarah Stuart: Guest Post On Cybersecurity
This month’s Q&A With Sarah Stuart is hosted by her colleague, Geoff Lawrence, Impact Washington’s resident expert on Cybersecurity. If you have any further questions on whether your company is prepared for a cybersecurity breech, or the upcoming DFARS deadline, please contact Geoff at GLawrence@impactwashington.org.
We have received a lot of questions from clients in recent years concerning the topic of cybersecurity. Following is a summary of some of the questions most frequently asked:
Q: My company is an aerospace industry supplier and we have a couple of DOD contracts but would like to do more business in this space. I know there is a 12/31/17 deadline for compliance with the NIST 800-171 standard, but we have not undertaken a comprehensive review of our cybersecurity and I’m concerned. What can we do?
A: Two years ago the Department of Defense (DOD) established a December 31, 2017 deadline for all DOD contractors to be in compliance with the NIST 800-171 standard. Earlier in December of this year, the Pentagon revised this directive, from the requirement for being compliant with the standard, to simply having a plan in place to achieve compliance by the end of the year. This change clearly gives DOD contractors additional time to initiate and execute a compliance plan, but getting started is important if you’re serious about DOD contracts.
Q: I’ve heard about requirements for DOD contractors to adopt cyber security standards, but does cybersecurity apply to other industries?
A: Cyber threats are increasing, not diminishing and there is discussion within other industries to establish cybersecurity standards and compliance, including automotive, food production and medical devices to name a few.
Q: We don’t have an IT department and don’t have a budget for cybersecurity. What are my risks?
A: In truth, cybersecurity is just one of the several elements of risk management and mitigation in your enterprise. A large part of cybersecurity involves understanding, implementing and maintaining data handling best practices, and once you know where you are, you can intelligently adopt a plan of action by yourself or with some guidance.
Q: Do you have a recommendation for cybersecurity first steps?
A: For many small and medium-size manufacturers (SMMs), cybersecurity starts with an assessment of how you use data, who uses it within your company and your facility(s), and how access is controlled. After you determine the number of devices that are connected or have access to your network, you can make sure that all operating systems are supported and updated on a regular basis. As new cyber threats are identified, operating systems are updated to exclude them so keeping current is key. In addition, some operating systems are no longer supported (Windows XP and mainstream support for Windows 7 for example), and continuing to use them greatly increases the possibility of a breach. Password protocol for employees is an additional basic, yet important element of a cyber security strategy, employee training on cyber risks and data usage protocols is perhaps one of the most important elements. Completing just these basics is a great start to a cyber security risk management program.
Q: Are there formal guidelines for cyber security?
A: The National Institute of Standards & Technology (NIST), a division of the US Department of Commerce has developed a Cyber Security Framework (CSF) with key cyber security concepts and a cyber security standard “ NIST 800-171, essentially an outline of best practices for cyber security. The CSF consists of 5 central concepts:
- IDENTIFY “What structures and practices do you have in place to identify cyber threats?”
- PROTECT “What are the basic practices you have in place to protect your systems?”
- DETECT “How do you know when malicious there is malicious activity?”
- RESPOND “How will you deal with a breach if and when it occurs?”
- RECOVER “How will you get your business back to normal after a breach?”
The NIST 800-171 standard has emerged as the baseline against which adequate cyber security is measured, and various assessment tools have been developed to determine compliance with the standard.
Q:Â I know we need to up our game with cyber security, but I donâ€™t know how to get started.
A: Many SMMs we talk with need some assistance with conducting an assessment and developing an action plan with metrics (POAM) to measure progress. Impact Washington is able to give assistance according to a company’s internal capabilities, budget and time sensitivity, providing as much or as little help needed. Assistance basically follows the following outline:
Step 1: Discovery “The first step is to make an assessment of your company’s practices as they relate to the NIST 800-171 standard. There are standard assessment tools, such as the CSET (Cyber Security Evaluation Tool) which is most widely used. From this, a gap analysis is developed and a POAM is developed.”
Step 2: Remediate to Meet New Standard “Next, support is given to execute the POAM. This may include policy development, employee training, physical security, network configuration, updates to firewalls, patches, etc.”
Step 3: Test and Validate “This step provides verification that all technology and physical security aspects are working properly. A penetration test may be necessary.”
Step 4: Monitoring/Reporting “For companies that have requirements for ongoing monitoring and network scanning (such as DOD contractors), monitoring services can be contracted. Assistance is also given to develop a process to log, remediate and report cyberattacks (as required).”
Q: Is it essential that my company adopt a cybersecurity strategy?
A: The time is rapidly approaching when all enterprises, regardless of size or complexity, will need to adopt a cybersecurity risk management and mitigation strategy. As malicious cyber threats increase and become more sophisticated, cybersecurity is an important part of a company’s risk management practice. Early adoption of cybersecurity best practices will not only mitigate the likelihood of breaches, but will also protect assets as a company grows. In addition, it is anticipated that compliance with cyber security standards will become increasingly prevalent within many industry segments.
Let Impact Washington help you ensure compliance and move towards a strong, sustainable cybersecurity solution for your company.
- Defense Cybersecurity Requirements: What Small Businesses Need to Know (U.S. Department of Defense)
- Cybersecurity Resources (The International Society of Automation)
- Cybersecurity Resources for Manufacturers (MEP)
- Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST)
- Directive-Type Memorandum (DTM): Cybersecurity in the Defense Acquisition System (Dept. of Defense)
- Cybersecurity Glossary (thecyberwire.com)
- Memorandum: Â Implementation of DFARS Clause 252.204-7012 (Department of Defense)
Please contact firstname.lastname@example.org for more information or support for your business.