With nation-state-sponsored cyberattacks on the rise, we must prioritize protecting the businesses holding our nation’s secrets. Today, there are increasing opportunities for small and medium-sized businesses to contribute their inventions and ideas to serve and support the Defense Industrial Base (DIB). These inventions and ideas also make these companies targets of nation-state threat actors intent on stealing their data or disrupting their operations. According to our “DIB Cybersecurity Maturity Report | 2024,” 59% of companies experienced four or more user accounts or endpoints compromised in the past year and 46% say cybersecurity-related incidents have cost their company $100,000 or more.
The critical path forward is for the cybersecurity posture of SMBs serving the DIB to improve dramatically and quickly. Seeing this realized is why we founded RADICL. It is also why the Department of Defense currently mandates that certain companies comply with NIST SP 800-171 Rev 2 (per DFARS 252.204-7012) and report self-assessment scores to the Supplier Performance Risk System (SPRS) (per DFARS 252.204-7019). It is also why the DoD has introduced the Cybersecurity Maturity Model Certification (CMMC). CMMC Level 2 is currently mapped to NIST SP 800-171 Rev 2 and will require an independent third-party assessment rather than the self-assessment required under DFARS 7019.
The Department of Defense (DoD) Supplier Performance Risk System (SPRS) is designed to help evaluate and manage the performance and risk profile of suppliers within the defense supply chain. SPRS provides a centralized repository of performance and risk data used to make informed decisions about awarding contracts and managing supplier relationships. The primary purpose of SPRS is to ensure that suppliers meet the necessary performance standards and comply with regulatory requirements, thereby maintaining the reliability and security of the defense supply chain.
Cybersecurity is a fundamental component of the supplier performance risk system (SPRS) due to the sensitive nature of the information managed within the defense supply chain. Protecting controlled unclassified information (CUI) and other sensitive data is paramount with the increasing prevalence of cyberthreats. For this reason, the DoD has implemented Defense Federal Acquisition Regulation Supplement (DFARS) clauses that require vendors to meet a minimum cybersecurity baseline and report their posture to the SPRS.
DFARS clause 252.204-7012, titled “Safeguarding Covered Defense Information and Cyber Incident Reporting,” mandates that defense contractors implement adequate security measures to protect information designated as CUI and report any cyber incidents to the Department of Defense (DoD) within 72 hours. This clause requires contractors to comply with the security requirements outlined in NIST SP 800-171, and it ensures that the DoD is promptly informed of potential security breaches so it can take the necessary actions to protect sensitive defense information.
DFARS clause 252.204-7019, titled “Notice of NIST SP 800-171 DoD Assessment Requirements,” requires contractors to perform and submit a current assessment of their implementation of NIST SP 800-171 Rev 2 security requirements to the SPRS. This clause ensures that the Department of Defense (DoD) can evaluate the cybersecurity posture of its contractors when evaluating whom to award contracts to.
If you are doing business with the DoD or intend to, ensuring you are compliant with the DFARS clauses above is critical. Failure to report your NIST 800-171 Rev 2 self-assessment score can preclude you from winning contracts. Reporting a false score can open you up to Federal False Claims Act (FCA) accusations and resulting legal repercussions; a notable example is the case brought against Penn State University last year.
Take the following 4 steps to improve your cybersecurity posture, report an accurate NIST 800-171 Rev 2 score, and reduce your cyber incident risk.
Conduct a self-assessment and report
Conduct a rigorous and honest assessment of your current compliance posture per the DoD Assessment Methodology. Determine and report your self-assessment score to SPRS. Conducting an assessment and computing a score will take time, resources and expertise. You might consider investing in a compliance management tool to help automate and streamline the assessment process. Alternatively, you might enlist the support of a compliance consultant to help drive the initiative and provide expert guidance.
Remediate low-cost requirement gaps
Certain requirements are easier to achieve than others. Once your self-assessment is complete, identify requirements having the lowest cost to remediate and tackle these first. A compliance management tool and/or consultant will be of great help in identifying where low-hanging fruit opportunities exist.
Transfer adherence to high-cost requirements
Certain requirements are harder and more costly to realize. For these, it is worth considering transferring adherence to third-party technologies and/or service providers who can take the requirement off your plate. Some of the costliest and hardest-to-achieve requirements include threat monitoring, threat investigations and logging, 24×7 incident response, and vulnerability management. These capabilities require purchasing technology and staffing it with experts. When evaluating vendors, ensure they plan to become fully compliant with CMMC once the rule is in effect. This will likely prove essential for ensuring the continued transfer of compliance responsibility.
Conduct another self-assessment and report
With the above complete, you will find yourself in a much stronger compliance and cybersecurity position. Perform another self-assessment to validate the remediations you’ve directly implemented or those you’ve transferred to a third-party provider. Once the self-assessment is complete, resubmit what should be a much higher SPRS score.
Taking the above steps will help ensure your business is optimally positioned to compete for government contracts today and when the CMMC rule goes into full effect early next year (by most estimates). These steps will also reduce your risk of experiencing a damaging cybersecurity incident such as ransomware. You will also find your company harder to compromise by nation-state-sponsored cyber spies that seek to steal your inventions in support of an agenda that likely runs contrary to the best interests of America.