The NIST 800-171 deadline is approaching at the end of December, 2017. In the scramble to reach compliance, it is important not to lose sight of why these controls exist: to protect sensitive information. Simply put, these controls are necessary because of the very real cyber threats Aerospace & Defense organizations face today.
Today’s cyber threats are persistent, well-funded, and of professional caliber. Industry-standard tools often do not detect them. Also, cyber criminals are bold enough to target anyone who has what they want—intellectual property, financial information, or personal data.
And there are a number of reasons bad actors engage in this kind of cybercrime. For instance, industries and governments alike are looking for competitive advantages, shorter R&D cycles, and shortcuts to new technology. Breaches of sensitive information can have economic as well as national security implications.
Unfortunately, many companies are not prepared to defend against these kinds of attacks. In particular, many small to mid-sized businesses are not compliant with existing regulations to protect themselves and their data. They may be deterred by the investment required to implement technology and processes. They also may not have the right personnel in place to know what to do. Knowing this, attackers often attempt to access larger organizations through their smaller, less secure partners.
Because of the risk to national interests, governments have begun to step in to address these cyber threats. Organizations must decide if they are going to anticipate the new regulations they will be subject to, or wait and react once new standards are put in place. Here are just a few of the regulations that have been rolled out:
- FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
- DFARS 252.204-7008-Oct2016: Compliance with Safeguarding Covered Defense Information Controls
- DFARS 252.204-7009-Oct2016: Limitations on the Use or Disclosure of Third-Party Contractor Information
- DFARS 252.204-7012-Oct2016: Safeguarding Covered Defense Information and Cyber Incident Reporting
- DFARS 252.239-7010-Oct2016: Cloud Computing Services
- Cyber Essentials
- Cyber Essentials Plus
- Defence Cyber Protection Partnership (DCPP)
By investing time and resources into developing and implementing these regulations, governments are sending a strong message: Threats are Real, and You are a Target.
A&D organizations, large and small, must manage cyber risk like any other business risk. Regulations like the NIST 800-171 standards are the minimum bar that the government has set. However, organizations must recognize that they need a sound cybersecurity risk management plan to ensure long-term security.
Whether you choose to build in-house tools, or turn to experts like Exostar to help implement comprehensive solutions, the time to get ready is now.
Waide Jones is VP and Chief Information Security Officer for Exostar.