Cybersecurity Standards For Defense Contracts: A Brief Guide

Companies doing business with the Department of Defense (DoD) often become targets of different cyberattacks. Defense contractors become targets because the DoD sources them to carry out various tasks, including storing and sharing sensitive information. Therefore, without proper security safeguards, it can threaten the lives of service members and National Security.

That’s why cybersecurity and privacy regulations have been changed or updated over the past decade. Hackers are finding new and sophisticated ways to launch cyberattacks on information systems of contractors and subcontracts. For instance, MFA fatigue has become an emerging attack vector, where malicious actors exploit users’ weariness from frequent multi-factor authentication requests to gain unauthorized access. As a result, the DoD has implemented laws and regulations to protect its data.  

Several cybersecurity standards may come from federal, state, local, or tribal agencies. Therefore, this article will serve as a brief guide to some DoD cybersecurity regulations.

Defense Federal Acquisition Regulation Supplement (DFARS) Compliance 

External DoD contractors and suppliers must meet the DFARS basic security controls to be considered compliant. Contractors must pass the readiness assessment by following the guidelines in NIST SP800-171. Additionally, if a contractor or subcontractor uses a cloud-based system on behalf of the DoD, they need to comply with DFARS 252.239-7010. 

The DFARS is a set of cybersecurity standards that defense contractors need to adhere to if they’re handling controlled unclassified information (CUI). These standards aim to protect the confidentiality of the CUI per the NIST SP800-171. 

Ensuring DoD cybersecurity compliance is crucial for maintaining national security and the integrity of sensitive information. By adhering to these regulations, contractors contribute to a robust defense infrastructure.

There are two basic cybersecurity requirements defense contractors are expected to meet: 

  • If a contract stores defense information in their internal unclassified information systems, they must ensure adequate security to protect that information. 
  • Contractors are required to report cyber incidents to the DoD and work with them to respond to the security threat or breach. 

If a contractor fails to meet these standards, their contract with the DoD will stop until they become DFARS compliant. Additionally, they could be penalized financially, like getting sued for breach of contract. 

Cybersecurity Maturity Model Certification (CMMC) Compliance 

To protect the information on a contractor’s information systems, the DoD recently introduced the Cybersecurity Maturity Model Certification (CMMC) framework to assess their cybersecurity infrastructure reliability and maturity. Your configuration baseline should be consistent with the NIST SP 800-171 guidelines to achieve CMMC compliance. The certification process will involve a third-party assessment organization (C3PAO) and is mandatory for all contractors seeking DoD contracts.

The CMMC has five levels that measure and verify the level of cybersecurity practices within a supplier’s or contractor’s organization. Defense contractors must complete one of the five levels. The level you need to achieve may be determined by your work and the kind of information you will handle. 

All DoD contractors, including subcontractors, require CMMC compliance. Additionally, the CMMC assesses whether you are compliant with other cybersecurity requirements like ISO 27001 and NIST SP 800-53. 

Therefore, prime contractors should work with subcontractors to implement a CMMC security  plan to ensure the proper safeguards are protecting CUI. Failure to meet the standards set in the CMMC could impact your ability to compete for DoD contracts in the future. 

National Defense Authorization Act (NDAA) 

The National Defense Authorization Act (NDAA) covers a range of activities and programs for the DoD, including addressing issues related to digital and cybersecurity needs. The cybersecurity provisions defense contractors should take note of include:

  • Sec. 1501 gives the DoD the directive to have a taxonomy on cyber capabilities that affect cyber operations.
  • Sec. 1508 specifies that the U.S. Cyber Command should engage with cybersecurity and information technology organizations in the private sector in developing methods to defend the country and the department against foreign malicious cyber actors.
  • Sec. 1511 states that contracts on the Defense Enterprise Office Solution (DEOS) and Enterprise Software Agreement (ESA) must comparatively analyze cybersecurity capabilities. The NSA and DISA must do this.
  • Sec. 1533 regards everything that has to do with the CMMC program. This includes compliance and roles and responsibilities required of contractors to manage their subcontractors’ cybersecurity performance.

National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) produced a cybersecurity framework to assist organizations with guidelines to improve their cybersecurity and better manage cyber risks. Additionally, the NIST handbook is there to help contractors to self-assess whether they meet the DFARS 2552.204-7012 and NIST SP 800-171 cybersecurity requirements. 

The NIST framework focuses on how an organization can identify, detect, respond, protect, and recover from cyber threats. Furthermore, it guides contractors to implement frameworks in managing organizational risks. The framework is regularly updated to assist contractors in effectively responding to new sophisticated cybersecurity risks that may arise.

Payment Card Industry – Data Security Standard (PCI-DSS) Compliance

PCI-DSS compliance means that you have taken the necessary security measures to ensure that credit card data processing, storing, and transfer are maintained in a secure and safe environment. Therefore, regardless of the size of your organization or transaction, you need to protect such information. Otherwise, you will have to pay fines if your company doesn’t have adequate security to safeguard credit card data.

As a defense contractor, you will be required to comply with the Payment Card Industry – Data Security Standard (PCI-DSS) requirements. The DoD has access to significant funds, which anyone can steal during a cyberattack. If the DoD’s credit card information fell into the wrong hands, it could cause a security risk.

Consumer Data Compliance

Any organization that stores customer data must have security measures to ensure that the data is protected. As a defense contractor, you need to comply with several state privacy laws that will guide you on ways to collect and use customer data legally. Therefore, as a contractor with the DoD, you need to comply with this policy.

Moreover, you have to notify the DoD if a breach may have compromised their consumer data. Failure to do so will result in a penalty by the Federal Trade Commission (FTC). Furthermore, the DoD can stop your contract until you resolve the issue or the worst-case scenario terminates your contract. 

Conclusion 

Even if you have the most substantial checks and control, someone can break through the measures. That’s why the cybersecurity standards will continue to change for a defense contractor as technology advances. Additionally, changes will be further influenced by increased attempts to steal critical defense technology and sensitive data. Therefore, you must comply with the DoD cybersecurity standards. However, if you find yourself having a cybersecurity issue like a breath within your information systems, you should immediately inform the DoD.