Being Unprepared is Not an Option

What does the future hold for audit and compliance?

The cyber threat landscape has become so sophisticated that data breaches are no longer news. Attackers routinely gain access to large stores of critical data and exploit it, affecting millions of consumers and citizens across the United States and beyond.

However, many data breaches never reach the public eye. The United States Federal Government holds a data goldmine that is far less widely documented but must be kept just as secure. The consequences of this data being stolen are extremely severe, with risks to state, national and global security if it falls into the wrong hands.

To combat this, the federal government must adhere to numerous policies and regulations that ensure the security of the data it holds. Not all of these regulations and policies apply to organizations outside the federal government, however, such as contractors that handle sensitive federal data while providing their services. That information must be protected to the same standards applied to federal organizations, and one regulation gaining attention addresses exactly this: DFARS, the Defense Federal Acquisition Regulation Supplement.

The primary objective of DFARS compliance is protecting Controlled Unclassified Information (CUI), and it is mandatory for any outside organization that conducts business with the Department of Defense (DoD) and, as a result, processes, stores or transmits CUI. In particular, DFARS Clause 252.204-7012 compels DoD contractors to implement processes and controls that keep covered defense information (CDI) secure and to put reporting mechanisms in place so that cybersecurity incidents are reported.

The scope of DFARS increased in December 2017 with the introduction of mandatory cybersecurity requirements for contractors and subcontractors to the DoD. Despite this, awareness of the regulation is still low, and many contractors are unprepared for an impending audit and unaware of the challenges it can bring.

The Fine Print

The majority of the requirements in DFARS Clause 252.204-7012 arise from the obligation to meet all of the requirements set out in the NIST SP 800-171 publication, which governs how CUI should be handled and safeguarded in non-federal information systems and organizations.

A primary NIST SP 800-171 requirement is to “implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative safeguards”. Unfortunately, this creates challenges and frustrations for many IT departments and individuals, because deploying encryption solutions is thought to be complex, costly and time-consuming. This is not welcome news to departments that are often restricted in budget and resources. When standard solutions are deployed to meet the requirement, the network team can lose visibility into the type of traffic being encrypted, making their day-to-day operations and tasks harder.

Compliance is Not a Choice

Adhering to regulations such as DFARS is not optional for contractors; it is not something to be implemented only when or if time and resources are spare. Complicated solutions are not the only way forward, however, and they should not be accepted as the ‘norm’. Network-agnostic solutions focus on protecting the data itself, offering an alternative to solutions that focus on protecting the network infrastructure and eliminating the cost and complexity usually associated with deploying encryption. It is those factors that usually turn encryption into something organizations would rather ignore. Additionally, focusing on the data rather than the network preserves network visibility, ensuring that IT teams can continue to do their jobs effectively and that data in transit is protected, meeting the fundamental DFARS requirement.

Who Should be Granted Access?

This is a fundamental question asked by many organizations and a key challenge in DoD contractor environments: which personnel should be granted access to which information? To adhere to the NIST SP 800-171 requirement, contractors must “establish and manage cryptographic keys for cryptography employed in organizational systems”.

The question is answered with secure, role-based management systems that allow only authorized access to security policies and the associated encryption keys. With this, contractors can be assured that the CUI within the system is secure and protected while the requirements of DFARS are being met. The solution is also future-proof: even if keys are stolen, they cannot be used again once they have been rotated, and the encryption keys are rotated per policy at the interval prescribed by the authorized user.

Time is Running Out

We know that meeting DFARS cybersecurity requirements can bring several challenges for DoD contractors, but now is the time to adopt the right policies and strategies. The DoD now has various means of enforcement, with cybersecurity clauses included in both prime contracts and subcontracts for DoD projects. There really is no escape: vendors who do not comply risk not only losing business opportunities with the DoD but, worse, could be liable for breach-of-contract actions. It is not an option, it is not a choice, and it does not have to be complicated. It is time to stop shying away from regulations and face them head-on.
