Cybersecurity and the Defense Industrial Base
Cybersecurity is a major topic today, not just in news headlines but also in boardrooms and living rooms. As we all continue to move even further into the digital landscape, the dangers of cybercrime are lurking around the corner. In a highly connected world, things like ransomware, data harvesting, and identity theft are happening at alarming rates.
In fact, over $3.5B (yes, that’s with a “b”) in revenue was reported lost as the result of cybercrimes in 2019, according to the FBI IC3 2019 Internet Crime Report. Of that amount, email compromises alone accounted for more than $1.7B. During that same period, almost 500,000 incidents were reported by businesses and individuals. Imagine what the total would be if you included all the incidents that were never reported.
So, what about the Defense Industrial Base?
The Aerospace and Defense industries are charged with protecting certain types of information to which they have access. This is referred to as CUI (controlled unclassified information) and requires much more than mere hardware and software solutions to keep secure.
Protecting Controlled Unclassified Information
Oddly enough, CUI is not determined by what it is, but rather by what its effect could be if it fell into the wrong hands. In other words, it is reasonable to define CUI as information whose unauthorized disclosure, on its own or aggregated with additional information, could reasonably be expected to cause a negative impact on national security.
For example, under the CUI “umbrella” you have:
- Controlled Technical Information (CTI), where the CUI could include research and engineering data, engineering drawings, along with associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses, and related information, as well as computer software executable and source code.
- Export Controlled information, where the CUI could include information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives.
Enter DFARS 7012 (…bring on the acronyms)
One of the means by which the DoD specifies the measures that must be taken to protect CUI exists in DFARS 252.204-7012, often referred to as DFARS 7012. If you receive a contract subject to the DFARS 7012 clause, your contractor systems are subject to NIST SP 800-171. Further, if you, as the contractor, intend to use an external cloud service provider, it must meet the requirements established by FedRAMP Moderate. Maybe you’ve heard of CMMC (Cybersecurity Maturity Model Certification). Presently it’s somewhat of a moving target, but it’s essentially the 110 controls set forth in NIST 800-171 r2 plus 20 additional controls. That gets you to CMMC Level 3, which is considered the next step for cybersecurity compliance for most defense contractors. Phew!
As you might guess from the above, achieving and maintaining compliance on paper as well as in practice can be a daunting task when you consider the ever-changing nature of the rules necessitated by a constantly shifting security landscape.
With the recent increase in cybercrime activity, we must “up our game” as these attacks have become more sophisticated and devious. You can have the best firewall in the world, but it only takes one click of a link or attachment contained in a seemingly innocent email to rapidly put your entire IT infrastructure at risk…or worse…potentially exposing not only CUI but also sensitive company information.
So, what is Horberg doing? Actually, quite a lot…
Having measures in place like firewalls, network protection systems, and anti-malware solutions running, fully patched, and up to date is good…but not good enough. Our very best defense against the risks posed by cybercrimes is education and continuing awareness.
Horberg is currently undergoing another round of NIST 800-171 r2 assessment, remediation, and training. Outdated or insecure equipment, software, and procedures are being replaced or updated. We have aligned ourselves with KnowBe4, a leader in the field of security awareness and training solutions, to assist us in mitigating our (and any company’s) greatest vulnerability…the staff.
Having ourselves been victimized by this high-tech, nouveau, brazen, virtual crime, we know without a doubt that our best plan is to be proactive. As Ben Franklin famously advised, “An ounce of prevention is worth a pound of cure.” When it comes to cybercrimes, truer words have never been spoken.