Stephen Watkins, Vice President and Chief Security Strategist, G2 Ops, Inc.
Cybersecurity for Defense Federal Acquisition Regulation Supplement (DFARS) Compliance
“Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”
― Abraham Lincoln
The Department of Defense has given the defense industrial base a relatively short period of time (Dec 2017) to ensure it is protecting sensitive information from unauthorized exposure. This new requirement imposes significant expanded obligations on defense contractors with regard to the protection of unclassified Covered Defense Information (CDI) and the reporting of cyber incidents that involve CDI or unclassified controlled information.
Building a Cybersecurity Program is time-consuming, absorbs budgetary and human resources and frankly seems unrewarding. Christening a new class of destroyer, it is not. If ignored, however, it could be the decommissioning of your organization.
Sharpening the cybersecurity axe requires building a thoughtful and comprehensive Cybersecurity Program. It will cost money, it will take time, and it could be challenging. You should expect a Cybersecurity Program to be a living entity because the cyber landscape is volatile. It will need nourishment, will require discipline and should be expected to grow. New requirements are often frustrating, but beefing up your cybersecurity posture is a necessity today to meet the challenges posed by our very capable adversaries. Increased intrusion prevention, expanded detection of malicious behavior, and improvements in keeping the unwanted out of your sensitive networks is critical in today’s cyber environment. Meeting the new requirements to protect CDI not only sets up your organization to protect critical data, it will help steel you against the business impacts of a compromise – they are often a catastrophic financial event.
When a malicious cyber breach event occurs, an organization often experiences revenue loss due to business interruption, and the costs associated with responding to the event. Holistic Cybersecurity Programs are designed to prevent information loss, keep the business running, protect the company’s reputation, and guard revenue streams.
To properly address new compliance requirements, holistic cybersecurity programs must include consideration for People, Process, and Technology - cross-connected with high-level buckets for Strategy, Operations, and Solutions. Oversight committees and our legislatures are just beginning to scratch the surface on cyber compliance, so we can expect regular updates to compliance requirements. Businesses that approach compliance with a box-checking mentality may always find themselves playing catch-up. Even if your organization has multi-compliance pressures (e.g., PCI DSS, HIPAA, SOX, DFARS), having a holistic Cybersecurity Program in place could meet all requirements without having to constantly change the way your program is structured. The easy way to say this is that a Cybersecurity Program drives Compliance; not the other way around.
If your organization (or a 3rd party on your behalf) is consistently assessing risk, introducing protective measures, monitoring the environment, responding to incidents, and measuring success, you’re going to meet compliance requirements. By thoughtfully coordinating people, processes, and technology as part of your holistic Cybersecurity Program, you’ll not only be prepared to meet DFARS compliance requirements, but chances are you’ll also be prepared to meet the next wave of compliance requirements. For more information on the Cybersecurity for Defense Federal Acquisition Regulation Supplement (DFARS) Compliance go to section 252.204-7012 at http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm.
“By failing to prepare, you are preparing to fail.”
― Benjamin Franklin
About the Author
Stephen Watkins is Vice President and Chief Security Strategist at G2 Ops, Inc. and leads their Cybersecurity Consulting Practice. He has decades of Cybersecurity expertise and has worked with Fortune 50 companies to help protect critical information assets. Stephen has undergraduate and graduate degrees in Computer Science from ODU and JMU specializing in Information Security and has held CISSP credentials for more than 10 years.
« Return to Newsletter