By: Bob Brewer, Braumiller Law Group
For anyone in the aerospace, defense, and export control markets, you have undoubtedly been faced with the question on cyber-security compliance. This form of compliance most often surfaces if you’re dealing in the International Traffic in Arms Regulations (“ITAR”), where the certification of compliance is required through systems such as EXOSTAR, which is the predominate on-line database used by nearly all prime defense contractors. In the majority of instances, whether it’s thru EXOSTAR or independent certifications, the question on whether you comply with DFARS 252.2014-7012 (this is the codified regulation on cyber-security for NIST 800-171 compliance), must be answered with a “Yes” or “No”.
For most business development & sales managers, as well as, legal and compliance officers, certifying subjects the both the company and the individual, to civil, criminal and/or contractual liabilities, when they are aware there are current existing gaps and non-existing capabilities, whether it be physical security, personnel controls, or sophisticated IT systems for marking, tracking, and identifying NIST controlled technical data (many folks overlook the False Statements Act when it comes to certifying directly and indirectly to the U.S. government). Just as important, is the risk of losing new and/or existing business because of a “No” response to the question of complying with NIST 800-171. There is hope though.
Many major defense contractors, including primes, are still in the process of implementing and meeting the requirements of NIST (including new revisions). From our experience, contractors are sympathetic to suppliers who are displaying due diligence in the process of fully meeting these requirements, given the efforts required to identify current Controlled Unclassified Information (CUI) and Covered Defense Information (CDI), which can be a daunting task, let alone, identifying the 110 elements of the NIST that must be complied with. This is why the government has provided a means for companies to comply, based on acceptable time lines created via a System Security Plan (SSP) and Plan of Actions and Milestones (POAM). This approach is basically your “roadmap” on where your company is today and when you will be in compliance with the NIST requirements.
So, where do you stand and what should you do? At a very high level, our experience with clients has been the following (prior to putting pen-to-paper for your SSP and POAM):
- Get a baseline idea of where you stand with the 110 elements required by NIST 800-171, by reviewing each and every one of the controls required for compliance
- Identify your primary servers and systems which may contain CUI/CDI controlled technical data (if you’re already segregating your ITAR and Export Controlled programs/data, this is where you’d start); this should include identifying all customers who may be subject to CUI/CDI
- Walk through and get a complete understanding of your operations, including hiring practices (HR and Foreign Nationals), IT controls/systems, Manufacturing & Production floor operations (check for stand-alone servers and systems, including 3rd party software where technical data may reside, such as, 8D conformance reports, Factory Acceptance Test results and data), as well as, your current Marketing and Business Development practices—this means, “rolling up your sleeves” and removing oneself from dogmatic/theoretical practice to hands-on/real-world practices—merely knowing the NIST regulations, will do little good if you do not have a thorough understanding of your front-office and back-office (manufacturing, production, etc.) systems, personnel, and practices
- Identify “quick-wins” with controls that are relatively easy to comply with, and record them accordingly
Only after you have a comprehensive inventory of your risks, including technology and business process gaps, can you embark on drafting your SSP and POAM.
So, back to our original question and challenge—how do you answer a customer certification or questionnaire with “No” when it comes to complying with NIST and cyber-security controls, without jeopardizing current and/or future business? Our experience has been that many prime, and Tier 1 contractors are understanding of a “No” response. In fact, having participated in training webinars with several prime contractors, our takeaways are that they do not want to see your SSP/POAM (at this time); rather, they want to know that you have them in place, and available for inspection when requested. We’ve also found that if you prepare a standardized response to go along with the questionnaire or certification, stating that your company has an SSP and POAM to address shortcomings and open items, the customer will be respectful and accept such statements. For cases with EXOSTAR, you may want to consider a follow-up email to your customer, with a similar statement as above.
As with any DFARS and cyber-security regulations, there is a plethora of other topics, especially when it comes to NIST 800-171 and DFARS 252.204-7012. These include current and proposed revisions of the NIST, Department of Defense Cyber-security Capability Model Certification (CCMC), and the various “levels” of certification available. So, stay tuned for future articles that will provide specific action items to help execute some of the required controls, including those in your supply-chain. Most importantly, you are NOT alone, as many of your counterparts are facing the same challenges. Just remember to step back, assess, evaluate, and develop a cross functional team to help in the next steps of developing your SSP and POAM.