By Kathryn Daily, CISSP, CAP, RDRP
That’s an eye-catching headline, right? Unfortunately, it’s not actually a thing, at least not yet, but will be in the future, if I get my way. Currently, all federal information systems are required to go through an Assessment and Authorization (A&A) process to be in compliance with the Federal Information Security Modernization Act (FISMA) in order to store, process or transmit government information. Vendors who possess that same information are held to a much lower standard and thus hold a greater amount of risk.
In December of 2015, the U.S. Department of Defense published a three-page interim rule to the Defense Federal Acquisition Supplement (DFARS) that gave government contractors a deadline of 31 December 2017 to implement the requirements of NIST Special Publication (SP) 800-171. These requirements protect the confidentiality of Controlled Unclassified Information (CUI) in non-federal systems and organizations. As of now, there is little or no oversight into how, or whether, contractors are complying with these requirements. Contractors are required to submit a self-attestation, or a documented pinky swear, that they are compliant with the controls in NIST SP 800-171.
In my opinion, that’s not enough. There needs to be independent validation that contractors are in fact compliant with these requirements. The DoD doesn’t have the bandwidth to do these verifications for all contractors, but it could authorize companies to perform third-party assessments to provide the much-needed assurance. Some may argue that the expense of a third-party assessment would be a barrier for small and medium-sized companies, and while they may be correct, you have to understand that cybersecurity isn’t, and shouldn’t be, cheap. Cutting corners and not meeting requirements leaves government information susceptible to a breach, and I think we can all agree that no one wants that.