Blog

Defense Contractors Meet to Discuss Protecting the Supply Chain

Posted by: Mary Pat Simmons November 15, 2016 Cybersecurity
Defense Contractors Meet to Discuss Protecting the Supply Chain

Engaging the Supplier Community

In October I participated in a very informative, timely, and thought provoking conference at the Omni Scottsdale Resort & Spa at Montelucia in Scottsdale, Arizona. The focus of the Second Annual Aerospace Defense Chain Conference was the urgency and importance of cybersecurity measures in Aerospace and Defense (A&D) programs, what companies can do to combat the existing threats, and specifically the new DoD regulations and requirements for protecting sensitive information in the supply chain. The panel I had the honor to participate in included Steven Kipp, Director of Information Systems Security for L-3 Communications; Ernie Magnotti, Chief Information Security Officer for DRS Technologies; and Dave Grasso, VP of North American Aerospace & Defense for Cap Gemini. Heavy hitters, to be sure.

I began the session with a quick discussion about 800-171. We’ve all heard this term, so what exactly is it? 800-171 is short for National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which lays out a set of requirements for protecting covered defense information (CDI). In August, DoD decided to use the 800-171 standard as the basis for a Defense Federal Acquisition Regulation Supplement (DFARS), which has since been revised and re-published with a compliance deadline of December 31, 2017. What this means is that prime defense contractors must intimately understand their cybersecurity postures, as well as those of all of their global, multi-tiered networks of suppliers and subcontractors, and have a plan of action to achieve full 800-171 compliance by the end of next year – in about 13 months.

So, after introducing (or re-introducing) the audience to 800-171, I posed a few questions to the panel. We began with the following: What impact is 800-171 having on your organization? How is this DFARS changing the way you do business? Surprisingly, they told us that it hasn’t had a particularly significant impact on changing what they do, but it is forcing their organizations to look at their suppliers and focus a more on who they’re doing business with, and how secure each partner is.  The panelists discussed how much risk there is in the market today, pointing to how the breaches that we read about so often are coming from targeted weak points in the supply chain – the suppliers. The main point we all took from this portion of the discussion was that the primes are very aware that the targeted suppliers located “down the chain” are obvious points of entry into their organizations. So awareness is key; and the primes are very aware of the issues and their inherent dangers. They mentioned that, in a very real way, this DFARS has forced them to elevate their emphasis on securing the weaker points of the supply chain.

Next question: What has been the most challenging aspect of the 800-171 requirements? A couple of points came up in this part of the discussion: 1) two-factor authentication and 2) the ability to identity what is and what is not CDI (in order to protect it). This was a lively discussion. The reality is that CDI is pervasive in large prime defense contractors’ networks. So a major challenge for them is – and will continue to be – sifting through all the information in their networks, discovering what is and what is not CDI, and making sure it resides in a system that is compliant with the security controls and standards in the DFARS.

What are the benefits your organization is gaining from this DFARS? Well, it turns out that discussing this DFARS within these prime defense contracting organizations has required a real emphasis on investing in cybersecurity. If your organization needs better tools to comply with this DFARS, it goes without saying that it gets the attention of executive leadership because it will end up affecting your bottom line. Leaders are more inclined to make investments in cybersecurity when the need is driven by mandates like this DFARS.

How have your suppliers responded? In short, the panel divulged that there has not yet been enough discussion with the suppliers to date about 800-171 and the expectations in the marketplace that are – and will continue to be – placed on them. That is exactly why we held this panel, to get the discussion started and engage the suppliers. They need to know how important this is and why these large prime defense contractors are asking for this critical information. Quite frankly, I can see that the prime defense contractors are deeply involved in this because they need both sides – their own organizations as well as the suppliers – to get better at identifying and protecting sensitive information within the supply chain. And that’s exactly why Mr. Kipp, Mr. Magnotti, and Mr. Grasso agreed to participate in this panel – they see the importance of evangelizing this information and getting the whole supply chain involved, both the primes and the suppliers.

What advice would you give other organizations when addressing these requirements? The answer to this was just what you’d expect:

  • First and foremost, start working on this early, don’t wait until the last minute
  • Start looking for options; find companies that specialize in this and know what they’re doing in this space

Note: This is where Exostar’s name came up. We can help primes get the information they need from their suppliers, and better understand their suppliers’ security postures.

This is where things got interesting. An audience member asked “So, is this compliance going to impact my company’s ability to work with one of the prime contractors? Will this be a requirement for suppliers like me to win work?” And the panel was very forthcoming: “Yes. It absolutely is. We need suppliers that can handle sensitive information in a compliant fashion. If your organization can’t do that, then yes, it will probably preclude us from doing business with you. The current position of the DOD is that contracting decisions will not be based on this requirement however, it’s up to the prime how they apply this knowledge to there suppliers. Frank, open discussion. It’s necessary to get the important points of this discussion out into the supplier community. They need to hear the answers to the difficult questions.

To sum up, I would say that the first, very important steps are being made by prime defense contractors. The need to understand the supply chain’s security posture is clear and the direction in which to move is obvious. This won’t affect the supplier community today, or tomorrow, but it is coming and the December 2017 deadline is really not that far away. We urge companies to look around and ask about this issue, but don’t wait too long…