DoD should use third-party cybersecurity assessments for its vendors

In the wake of so many high-profile hacks and compromises it seems that no one is safe from a determined malicious cyber threat actor. Should we simply accept that data compromises are the norm and focus on developing coping mechanisms? No!

When implemented properly, data protection strategies work. The question is how can the small- and medium-sized businesses that are part of the Defense Industrial Base (DIB) do that?

While systems and data will always face the risk of hacking, it is possible to reduce the risk of becoming the victim of a malicious cyber actor by following basic cybersecurity guidelines. To this end, for nearly 20 years, the US government and other oversight bodies have been issuing cybersecurity guidelines and regulations.

But guidelines and regulations have not been enough to protect the DIB. A recent Interagency Task Force report to the White House report identified three key reasons for continued cybersecurity risks:

  1. Lack of uniform security implementation
  2. Inconsistent implementation of adequate security among defense suppliers;
  3. Reliance on self-attestation of adherence to government cybersecurity standards.

These risks can be mitigated by requiring third-party network assessments and certifications of vendor networks.

In fact, Defense Federal Acquisition Regulation Supplement (DFARS) 252.204 already requires that all contractor and sub-contractor networks which process, store or transmit Controlled Unclassified Information meet the minimum cybersecurity standards listed in the National Institute of Standards and Technology Special Publication 800-171. But, the Defense Department does not currently have the manpower or budget to assess and certify that every vendor meets the DFARS cybersecurity standards. The DoD should, through policy, enable and require third-party assessment and certification of the Defense Industrial Base networks covered under the DFARS language. This policy would ensure compliance with DFARS cybersecurity regulations without burdening DoD with any additional manpower or capabilities requirements.

Third-party DIB assessments

Moreover, DoD can leverage a model that the Health Information Trust (HITRUST) Alliance has created by establishing a cybersecurity controls framework, enabling third-party compliance assessments, and developing a process by which to certify that networks are in compliance with the established cybersecurity framework. Since 2007, HITRUST has been assisting vendors with compliance to government and industry cybersecurity regulations. The DoD should leverage HITRUST’s approach and implement a similar model for the DIB.

DoD has already completed the first step, by establishing a cybersecurity controls framework, and is compulsory under the DFARS language. And like HITRUST, the DoD can and should approve organizations to perform assessments of the DIB networks. HITRUST has approved 80 organizations to conduct assessments in accordance with their risk management framework. Much like the DoD publishes a list of approved baseline cybersecurity certifications for the DoD cybersecurity workforce, the DoD could similarly vet and publish a list of organizations approved to conduct DoD DFARS assessments. Assessments should be required of all DIB networks covered by the DFARS language, and the assessment results should be made available to the DoD during the contracting process.

Initially, small and medium sized companies may view such assessments as a barrier to entry, but failing to have the necessary cybersecurity protections in place is a much bigger issue that will actually prevent such firms from competing in the future. Cybersecurity compliance cannot be done on the cheap, because the information shared by DoD is critical. And if a vendor cannot afford to properly implement cybersecurity controls, then they should not be allowed to process, possess or access government information on their networks.

Certification is a big challenge

The biggest challenge in adopting the HITRUST approach to risk management and compliance, would be their certification process. Tiger Connect, a vendor that was recently certified by HITRUST, claims that HITRUST’s certification process took more than seven months and involved several rounds of audits and corrections. The expense and time involved in that type of certification process may initially be too expensive for small to medium sized companies within the DIB. Moreover, unlike HITRUST, DoD does not have the resources to directly conduct network certifications.

Advertisement
In light of this, DoD should develop policies to allow third parties to certify networks as being compliant. And as DoD gains experience and more firms enter the market for cybersecurity certification, the cost and time burden of obtaining a DFARS certification should also drop. Initially, however, large DIB enterprise networks should be able to readily afford and attain a DFARS certification, and should be expected to do so.

The DoD already has the necessary tools to implement a network assessment and certification policy to significantly reduce the risk of data compromises among the DIB. Ultimately, the DoD should take action to both require a network assessment before the bidding process, and also ensure that post contract award all large enterprise networks achieve network certification.

Leslie Weinstein is an Army Reserve officer and a DoD policy consultant, and is writing a white paper on defense industrial base cybersecurity issues.

Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.