Those in the industrial and manufacturing sector face unique information security challenges, especially those that are part of the Department of Defense (DoD) supply chain. Regardless of your tier within the supply chain, it is likely that Defense Federal Acquisition Regulation Supplement (DFARS) requirements place a burden on your operation. It is also likely that you have a desire to protect your information assets. Further, more and more “upstream” vendors and customers are requiring their suppliers to protect against information security threats.
In late 2020 DoD announced new regulations regarding the implementation of NIST Special Publication 800-171 (800-171), the NIST standard that DFARS requires. 2021 brings us additional changes as the DoD begins implementation of CMMC over the next five years.
We have experience working with a variety of DoD suppliers, from those with a large global presence to those with only a local presence. We stand ready to help you meet your 800-171 or CMMC requirements and will work with you to create a custom information security program that meets your compliance and security goals.
Current NIST 800-171 Requirements
All DoD suppliers are subject to the DFARS requirements as part of the contracts they hold within the DoD supply chain. The DFARS clause requires suppliers to meet the requirements in NIST Special Publication 800-171. These 110 controls are not always easy to implement, especially if DoD contracts are not a large part of the company’s business. Under DFARS, suppliers must self-attest that they are meeting these controls through the development of a System Security Plan (SSP) and a scoring mechanism that gauges implementation.
As of November 2020, the DoD requires all vendors to publish their score in the DoD’s Supplier Performance Risk System (SPRS). Companies may still self-attest under 800-171, but they must now report their score to the DoD. If a company does not score a perfect 110 points, it must also include a remediation plan that details when the missing controls will be put in place.
We have experience assisting companies with the implementation of a NIST 800-171 program. From policy development to creation of the SSP, we are ready to help.
NIST 800-171 to CMMC
In early 2020, the DoD released a new, more comprehensive information security requirement for all manufacturers in the DoD supply chain. This requirement, called Cybersecurity Maturity Model Certification (CMMC), is a major shift in the way the DoD will assess its vendors.
It requires every vendor to be certified and audited by a qualified third-party assessor. Further, it introduces various levels of compliance (maturity models). This three-tier model requires most vendors that handle Controlled Unclassified Information (CUI) to be compliant to at least level 2.
As CMMC is rolled out between 2021 and 2025, Cyber Defense Institute is ready to be your partner in CMMC. We are ready to provide information security services similar to those required under DFARS, and plan to provide gap analyses and compliance assessments that will prepare you for a successful audit.
The Cyber Defense Institute Solution
Comprehensive Security Program Creation
CDI will develop and customize a comprehensive security policy that includes all required security controls that meet your regulatory requirements. Over 17 policies and templates are included with this service.
Compliance Assessment and Gap Analysis
We will work with you to assess your level of compliance with the 800-171 or CMMC standard. The goal is to validate your information security program or to find weaknesses in it that may be an issue during an audit.
Vulnerability Assessments
Internal and External Network Vulnerability Assessments identify detailed security flaws on your network devices (PCs, servers, laptops, firewalls, switches, etc.) that could allow an attacker to gain access to your confidential or critical information. Our scanning process provides the level of detail and the specific remediation steps required to fix each device that exhibits a security flaw. Our vulnerability assessment reports prioritize security flaws, and several types of reports are generated to meet the needs of both executives and the network administrators responsible for remediation.
Risk Assessment
800-171 requires periodic risk assessments, which are different from a gap analysis. We will perform a formal, comprehensive information systems risk assessment designed to meet the regulatory compliance requirements to which the organization is subject. This Risk Assessment follows the NIST methodology and covers technical, physical, and administrative security controls.
Wireless Security Assessments and Penetration Testing
Your wireless network is more vulnerable than you think. A malicious actor can sit in your parking lot or across the street and work their way into your network; printers and other network devices frequently have wireless capabilities that are enabled and expose your network to risk; and employees can attach rogue access points to your network in order to “steal” internet access. Our wireless assessments help identify and prevent these issues through state-of-the-art scanning technologies and methodologies.
Web Application Security Assessment
While standard vulnerability assessments focus on the host and server platforms, web application security (WAS) assessments focus on the web applications themselves. WAS assessments can detect web vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and URL redirection, and identify the most common web application vulnerabilities, including the OWASP Top Ten. Vulnerable external network connections (publicly facing IP addresses) and devices can provide a path into internal networks for attackers on the internet. External network vulnerability assessments identify weaknesses in network configurations that organizations can fix before they are exploited.
Security Awareness Training & Phishing
Cyber Defense Institute will provide online security awareness training for all employees, combined with simulated phishing attacks, to ensure users are vigilant in their use of e-mail and the internet. Online training consists of over 100 different short courses on cybersecurity, compliance and other related topics. Simulated phishing attacks help identify the human vulnerabilities in your organization. Bi-weekly security reminders are also sent to all staff with information to help them recognize current scams and types of attacks.
Penetration Testing
Penetration testing is a primarily manual process in which a CDI ethical hacker attempts to gain access to an organization’s information systems (internal or external) that contain proprietary or confidential information. We assume the role of a malicious hacker and may actually break in, without causing any damage or stealing any information. The goal of penetration testing is to determine whether your systems can be broken into, how they can be broken into, and what fixes need to be applied to prevent a breach.