No one loves a new federal regulation. Say "compliance" and you'll hear a chorus of groans. Compliance regulations often feel like a convoluted mousetrap designed by lawmakers who have no practical experience in the field.

In November 2013, the Department of Defense issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) in clause 252.204.7012 Safeguarding Unclassified Controlled Technical Information, effective immediately for all DoD contractors.

Recently the clause has been picking up traction. The Missile Defense Agency announced in January that the clause would begin appearing on all requests for proposals and task orders, and Lockheed Martin has posted on its website that it requires all subcontractors to be compliant.

The initial gut reaction is as expected: panic and frustration. Initial implementation may feel rushed and harried, but this regulation brings immediate benefits to national security and to the individual companies that take the time to implement it thoughtfully. It creates a shift in focus and mentality that results in changes in behavior. Fundamental reform is needed, and DFARS 252.204.7012 has led to a shift in both focus and function.

Awareness of the need for greater cybersecurity has been growing for over a decade. At the Cyber Security Conference in 2012, former FBI Director Robert Mueller laid it out: "We are losing data. We are losing money. We are losing ideas and we are losing innovation. Together we must find a way to stop the bleeding." President Barack Obama announced his Comprehensive Cyber Security Initiative in 2008. While these initiatives are an important part of the greater cybersecurity movement, they do not impact the daily operations inside America's DoD contracting companies. After several painful and costly breaches, it's clear that DoD contractors are an enemy target.

Ask any DoD contractor, and they will tell you they are proud to support the war fighter; they are mission-focused. But the problem is that the war is increasingly fought and won in the digital realm on the routine vulnerabilities found in the networks of private companies. And why not? If the enemy can attack the chain on both ends, damaging the profitability of American companies and disrupting the flow of services supporting frontline capabilities, it's a double win.

We empathize with the energy and focus required to run a business. Issues like security are often lost in the daily tyranny of the urgent. When we listen to the chatter at industry events, we understand the frustration we see our colleagues face when the new cybersecurity plan is attached to their most recent task order, but we are glad to see security come into focus. The new regulations are not creating a problem; they are forcing the contracting world to face one that has existed for a decade.

The regulations are risk-based, creating a shift in mentality and behavior. The DFARS calls out 14 vectors and 51 subcontrols from NIST 800-53, which is based on the Risk Management Framework. We have been fielding questions that reveal companies are looking for a list of boxes to check: "What do I need to do to be compliant?"

This is a good news/bad news situation. The bad news is that there is not a simple checklist. The good news is that the controls are specific, practical and comprehensive. Because of this, we are seeing small to midsize companies begin to understand cybersecurity and their own risks in a deeper way.

Often security is misconstrued as completely structural and one-dimensional; the belief is that malware prevention and firewalls constitute security.

But imagine a house with a valuable heirloom inside. Is the heirloom secure simply because you have installed locks on the house's obvious entry points? No. A comprehensive security posture would include considerations such as: Do residents use the locks and activate the alarm? Can they identify damage from potential intruders, and if so, do they know how to respond? Does anybody monitor or store the security videos? Do residents know how to segment the room holding the heirloom? Are there any other entry points? Could someone tunnel through the floorboards? Have all risks been mitigated?

The 51 controls require a comprehensive approach that marries hardware, software, policies and procedures, leading to a much stronger security posture. As companies' leaders begin taking steps towards compliance, they are often realizing for the first time exactly how weak their security has been, and the risk to their proprietary and controlled information. Improved security posture is a best-business practice.

What we are seeing time and again is this progression: initial gut check, resolve to the task, shift in focus and mentality, improved security posture and a changed perspective. Company leaders who have embraced the requirements are realizing that they are not just contributing to national security, but they have implemented best business practices to their own benefit. Several of our clients and colleagues have expressed how much better they sleep at night. Overall we welcome the DFARS Safeguarding UCTI regulation and think it is necessary to transform the way DoD contractors do business.

Jonathan Hard is CEO/president and Carol Claflin is in business development for H2L Solutions, which specializes in cyber and information assurance.
