Companies in the aerospace and defense supply chain may be classified under several of the 16 US critical infrastructure sectors identified in Presidential Policy Directive 21 (PPD-21) as “vital to public confidence and the Nation’s safety, prosperity, and well-being.” Components of this supply chain include companies in the defense industrial base sector, obviously, as well as those in the critical manufacturing, communications, information technology, and other sectors.
NIST SP 800-171 describes the security requirements that prime contractors and subcontractors must implement when they handle Controlled Unclassified Information (CUI), including Covered Defense Information (CDI), in their work for the US Department of Defense (DoD). Although compliance with DFARS 252.204-7012 may be declared via self-attestation, this is a case where not “walking your talk” could result in contract termination, serious penalties (e.g., False Claims Act damages), and debarment. Even though the deadline for compliance was 31 December 2017, unlike Y2K compliance, holding your breath until after the target date passes will not mean you are good to go. The DoD Inspector General recently released a memorandum announcing audits of the logical and physical access controls protecting technical information: the Department is serious about this.
And you should be too. It’s not just about compliance with the 110 security requirements for the sake of a contract; it’s about protecting your business for the sake of survival. Boeing was hit on 28 March 2018 by the WannaCry ransomware worm but limited the production impact by executing its incident response plans. Granted, Boeing is a big target, but opportunistic attackers are “rattling the doorknobs” throughout the manufacturing sector. At the other end of the size spectrum, a 15-person manufacturer in Greeley, CO confidently declined to pay when its systems were locked down by ransomware earlier this year: its 70-year-old founder had implemented effective data backup and recovery procedures.
Getting Started
The DoD has identified the most common areas of NIST SP 800-171 shortfall, based on analysis of prime contractor assessments, along with recommended fixes. Consider the following as you launch your own cyber security best practices program:
Lock the front (and back) doors
- Harden perimeter networks
- Deploy network access control
- Limit administrator privileges and track activity
- Restrict remote access; disable unlimited or standing remote sessions
Know “who’s there” before opening the door
- Limit unsuccessful logon attempts and lock sessions after periods of inactivity
- Enable two-factor authentication at a minimum
- Enforce minimum password complexity
- Block uncategorized sites (category “none”) in the web content filter
Know what you’re buying and what you’ve bought
- Prohibit “gray market” IT procurements (e.g., eBay)
- Confirm cyber security approval status of network hardware
- Conduct system risk assessment and remediate
- Limit information listed on commodity purchase orders
Clean house
- Remove stale, unused, or end-of-life IT systems
- Control use of removable media on system components
- Deploy security patching on a defined schedule
- Deploy email filter
- Identify and report system flaws
REFERENCES
On the dangers of noncompliance: https://www.infusionpoints.com/blogs/stephen-simchak/2017/08/24/dangers-not-complying-dfarsnist-800-171
On common shortfalls and recommended fixes: General Greaves’ memo dated 12 January 2018 on Missile Defense Agency (MDA) cyber security best practices