The "condition of doing business" with the Department of Defense
On February 6, 2018, Patrick Shanahan, the current Deputy Secretary of Defense, gave a keynote speech at WEST 2018 in which he warned current industry CEOs that they had to increase their data protection services or the Pentagon would cease to use their services. This is one of the first times the SECDEF has personally and explicitly warned Department of Defense contractors of the consequences of inadequate cybersecurity. As you know, one such piece of updated legislation is the Defense Federal Acquisition Regulation Supplement (DFARS), which had to be complied with by December 31, 2017. You can read more about DFARS and what it entails here.
During his keynote, which can be viewed here, Deputy Secretary Shanahan also discussed the possibility of having companies that work with sensitive government information sign a disclosure statement verifying that everyone across their supply chain is cyber-secure. This means that federal contractors, whether large, mid-sized or small, would have to verify not only that their own systems are secure, but that every supplier they work with is also secure and sound. For smaller companies along the federal supply chain this can be a major undertaking, requiring that their limited resources be applied to implementing these programs.
SECDEF Shanahan's primary concern comes from the growing threat posed by an insecure federal supply chain. (To read more, visit WhiteHawk's blog on federal supply chains.) However, legislation such as DFARS and the Pentagon's own internal security baselines are beginning to change the environment for contractors, because failing to abide by minimum cybersecurity standards now carries consequences. For instance, contractors found not in compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-171, which is mandatory under DFARS, could be and have been banned from working on sensitive government projects.
According to WhiteHawk CEO Terry Roberts, Deputy Secretary Shanahan is simply highlighting the basics in security that should be in place, and no one should be pushing back. Roberts noted, "But understandably if companies don't have the expertise, they need a place to come to and that's why WhiteHawk is here. And for us, there is no company too small. This really is about midsize and small businesses taking ownership of addressing and mitigating their business risks to the benefit of all of their customers and partners."
In order to avoid the consequences of not abiding by government 21, companies of all sizes need to ensure that they are meeting the basic cybersecurity practices outlined in both NIST Cybersecurity Frameworks and regulations such as DFARS. For help with implementation, as well as to get a sense of the general risk, contact WhiteHawk's Advisory Services for a free DIB risk assessment.
Editor: Terry Roberts