Get Ahead of Changing Cybersecurity Regulations

Posted by: Mary Pat Simmons, May 16, 2016. Categories: Compliance, Cybersecurity

It’s time for all companies to embrace what the large Aerospace & Defense companies already understand: a supplier’s ability to protect sensitive information and manage cybersecurity risk is vital to your business, and knowing that ability helps your company decide how best to manage risk. The ground is shifting for government contractors; the Department of Defense is moving toward making all companies, even those who deal with it only indirectly (i.e., suppliers), abide by the same cybersecurity regulations. The most recent step in that direction is the Defense Federal Acquisition Regulation Supplement (DFARS) interim rule, which states that anyone handling “Covered Defense Information,” or CDI, is required to abide by the 109 cybersecurity regulations set forth in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

There is a way to get ahead of the upcoming changes. The Exostar Supplier Cybersecurity Questionnaires are central to helping companies of all sizes, in addition to the A&D giants who already use them, understand a supplier’s cybersecurity readiness.

Five of the largest A&D companies currently use these two surveys to measure a supplier’s ability to manage cybersecurity. The companies worked with Exostar to host both questionnaires. A supplier who sells goods to two or more of the partner companies need only answer once; Exostar will then share the submittal with the other company (or companies). The two questionnaires are 1) the cybersecurity questionnaire and 2) the NIST SP 800-171 cybersecurity compliance questionnaire.

Supplier Cybersecurity Questionnaire

The supplier cybersecurity questionnaire is based on the Center for Internet Security Critical Security Controls. It is required of all suppliers that have answered “YES” to handling sensitive information. Suppliers that share sensitive information must complete and maintain the supplier cybersecurity questionnaire in their Exostar profile.

NIST SP 800-171 Cybersecurity Compliance Questionnaire

The NIST SP 800-171 cybersecurity questionnaire was developed and published by NIST. It is required by DFARS Clause 252.204-7012, which requires that prime contractors and their subcontractors employ “adequate security” appropriate to the consequences and probability of loss, misuse, or modification of, or unauthorized access to, information.

The questionnaires take about 2-3 hours to complete. It is recommended that companies print a copy of the questionnaires, meet with their IT security team to gather the necessary information, and then enter the company’s responses into their Exostar profile. Help with answering the questionnaires is available to all customers in the Exostar Partner Information Manager (PIM) Questionnaire Frequently Asked Questions.

Supplier Briefings

In addition to the questionnaires, some companies periodically conduct information-sharing sessions in which they discuss cybersecurity threats, cybersecurity best practices, and how to better manage risk. These sessions are collaborative in nature and help introduce suppliers to organizations and teams that can provide ongoing threat and risk management information.

Supplier Validations

Another option is to conduct onsite and virtual assessments of a supplier’s cybersecurity posture. These validations examine items such as cybersecurity controls and risks in order to help the company and the supplier understand the extent of the supplier’s cybersecurity capabilities, its ability to protect sensitive information, and its ability to deliver secure products and services.

Get ahead of the upcoming changes to cybersecurity regulations by implementing Exostar’s cybersecurity questionnaires. It’s a great way to ensure compliance, mitigate risk, make sound decisions about your suppliers, and get some peace of mind before the new regulations kick in.