We see it in the news almost daily — malicious cyber activity, security breaches, and privacy violations. But that only impacts large enterprises like Target, Citibank, and Facebook, right? Wrong. In an ever-evolving digital world, small businesses have their own set of cybersecurity responsibilities that must be met in order to do business. This is especially true for any small business doing any type of work for the Federal Government or with system integrators like Northrop Grumman, Boeing, or Lockheed Martin.
As a small business grows, so does the need for additional support for basic business functions like accounting, IT, recruiting, staffing, and sales. Often overlooked is the growing necessity for cybersecurity. Instead of hiring a new salesperson, small businesses may need to find a cybersecurity specialist that can address security compliance before the company closes on a federal contract.
At a recent Global Government Exposition, it was stated that over 600,000 federal contracts have already been awarded containing security regulations from the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” Sifting through stacks of requirements and regulations is a daunting task, especially when SP 800-171 contains 110 security controls which map to 125 relevant security controls found in SP 800-53.
What is SP 800-171?
SP 800-171 is a set of cybersecurity standards that establish a baseline of best practices organized into 14 security control areas. In each of these areas, there are specific security requirements government contractors must implement. Proof of compliance requires documentation and implementation of the relevant procedures and technology controls. The 14 security control areas cover all aspects of cybersecurity that a company must understand, address and implement to achieve cybersecurity compliance. Listed below are the areas and a brief description of each:
- Access Control – who’s approved to access your systems.
- Auditing – who’s doing what.
- Configuration Management – what is on your system and how it is configured.
- Identification and Authentication – verifying user identity.
- Incident Response Plan – what to do when you have a cyber incident.
- Maintenance Plan – who is servicing your systems.
- Media Protection Plan – securing your physical and digital assets.
- Personnel Security Plan – vetting your personnel.
- Physical Security Plan – securing your facility.
- Risk Assessment Plan – assessing your security posture.
- Security and Information Integrity Plan – ensuring the integrity of your data.
- Security Assessment Plan – regular check-ins.
- Security Awareness and Training Plan – training for all personnel.
- System and Communication Protection Plan – ensuring secure communications.
Defense Contractors! You Must Comply With DFARS § 252.204-7012.
Department of Defense (DoD) contractors face the additional cybersecurity burden of achieving and maintaining compliance with Defense Federal Acquisition Regulation Supplement (DFARS) § 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Under this regulation, DoD contractors (including small businesses) must adhere to three basic cybersecurity requirements:
- Comply with the 110 security requirements in SP 800-171.
- Rapidly report cyber incidents to the DoD.
- Use FedRAMP-compliant cloud services.
So, how do you get started? Most small businesses will need, and should seek, help. Achieving compliance is not an easy task, but there are many experts specializing in guiding companies through the process. However, there are a few things that can be done to jump start the process.
Step One – Know Your System
Step One is very simple: document, document, document! Three basic inventory-type artifacts are essential to begin the cybersecurity compliance process: (1) a network/system diagram, (2) a hardware list, and (3) a software list.
Although generating documentation sounds easy, it can be one of the most challenging tasks. Organizations that motivate their teams to stay organized and keep documentation current establish a strong foundation for the path to compliance.
The goal of documenting is to ensure that the organization “Knows Its IT System”:
- What’s part of it?
- What’s “running” on it?
- How is it connected, and what is it communicating with?
The system diagram documents the key computing components of a system and should include all computers, routers, firewalls and printers, along with how they are connected to one another. The diagram should clearly identify system boundaries and how the system connects to entities outside those boundaries, such as the internet, email servers, and cloud storage providers. The organization cannot protect a system if it does not know what it looks like. Generating and maintaining a comprehensive system diagram is crucial to security awareness.
An old workstation running XP cannot be upgraded to Windows 10 if the organization does not know it is running XP. Unsupported software and hardware can be a source of vulnerabilities. Unmaintained software is routinely exploited. It is important to install the recommended security patches and upgrades. New threats pop up daily and information about them is distributed via the U.S. CERT Cybersecurity Bulletin, which provides a summary of new vulnerabilities that have been recorded by the NIST National Vulnerability Database.
The key to being able to react to and address vulnerabilities quickly is knowing what software is running, including its version and plugins. Software vulnerabilities are associated with a specific software product and a particular version. Knowing a system’s hardware, the software it runs, and the version of that software is what makes it possible to protect against known vulnerabilities and threats.
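As an added illustration of why the hardware and software lists need version numbers (this is example code, not from the article or from NIST): a small inventory check that flags hosts whose installed software is below an advisory's fixed version and hosts whose operating system is no longer supported. Every host, product, advisory and end-of-life entry below is constructed sample data, not a real NVD record.

```python
# Added example, not part of the article. Minimal "Know Your System" check:
# match an inventory of hosts/software versions against a constructed
# advisory feed and an end-of-life OS table. All data here is made up.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Host:
    name: str
    os: str            # operating system name
    os_version: str    # OS version string
    software: dict = field(default_factory=dict)  # product -> installed version


def version_tuple(v):
    """Turn '7.0.12' into (7, 0, 12) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


# Constructed inventory (the Step One hardware/software lists).
INVENTORY = [
    Host("ws-01", "Windows", "10.0", {"AcmeViewer": "7.0.12", "OfficeSuite": "16.1"}),
    Host("ws-02", "Windows", "5.1", {"AcmeViewer": "6.2.0"}),  # the forgotten XP box
    Host("fw-01", "RouterOS", "3.4"),
]

# Constructed advisory feed: (product, first fixed version).
# Any installed version strictly below the fixed version is affected.
ADVISORIES = [
    ("AcmeViewer", "7.0.10"),
    ("OfficeSuite", "16.2"),
]

# Constructed end-of-life table: (OS, version) pairs no longer receiving patches.
UNSUPPORTED_OS = {("Windows", "5.1")}


def affected_hosts(inventory, advisories):
    """Return sorted (host, product, installed_version) triples that match an advisory."""
    hits = []
    for host in inventory:
        for product, fixed in advisories:
            installed = host.software.get(product)
            if installed and version_tuple(installed) < version_tuple(fixed):
                hits.append((host.name, product, installed))
    return sorted(hits)


def unsupported_hosts(inventory, eol=UNSUPPORTED_OS):
    """Return names of hosts whose OS version is on the end-of-life table."""
    return sorted(h.name for h in inventory if (h.os, h.os_version) in eol)
```

Without the version column in the inventory, neither check is possible; with it, the same two functions can be run against a real bulletin feed each time one is published.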
The Weakest Link
A chain is only as strong as its weakest link. Focusing on a system’s most vulnerable component can help improve the organization’s overall security posture. It is not the firewall, or the router, or the servers. It is the Human Component. The majority of incidents can be traced back to the humans that interact with the systems.
The best security plans, policies and procedures are useless if no one follows them. An elaborate System Security Plan (SSP) can detail how to configure the firewall, lock down unneeded ports, and harden servers. But all it takes is a single person sharing a password or clicking on a malicious link to trigger a security incident. The key to minimizing these vulnerabilities is end user education, awareness and oversight. Most security incidents are accidental and preventable with proper training. NIST SP 800-171 requires annual cybersecurity awareness training to reinforce security best practices and to raise awareness of actions that could result in security breaches due to end user actions including: password sharing, opening email attachments from unknown senders, clicking unusual URLs, or inserting untrusted thumb drives into networked devices.
Leverage Existing Guidance and Frameworks
A wealth of free information and guidance is available from NIST. On April 16, 2018, NIST released version 1.1 of the “NIST Framework for Improving Critical Infrastructure Cybersecurity”. This free publication is a must read for all business owners. It describes standards, guidelines and best practices to manage a business’ cybersecurity risks. The Framework is a prioritized, flexible, and cost-effective approach that helps to promote protection and resilience.
The Framework can be used to assess existing processes and identify ways to strengthen them by incorporating industry best practices. Businesses with no cybersecurity program can use the Framework as a reference to establish one.
Cybersecurity is a critical business function that is still in its infancy. As industry best practices evolve, so must the cybersecurity processes of both small and large businesses. New regulations and compliance requirements will continue to impact business relationships and contract awards. Cybersecurity compliance is not going away and can no longer be ignored. The time to start down that path to compliance is now.