Literally tens of thousands of small and medium-size businesses support the United States’ “military industrial complex” via the acquisition supply chain. However, for most of this sector’s economic life, it has been the big players, the “primes”, and those working on classified programs that have received the government’s security assurance attention.
That paradigm has ended. The deadline to be in line with this new vision is December 31st, 2017. After that day, any organization possessing or processing unclassified but sensitive Department of Defense (DoD) data must comply with the Defense Federal Acquisition Regulation Supplement (DFARS), clause 252.204-7012. Failure to be compliant will leave you in breach of contract and subject to criminal, civil, administrative, and contractual actions in law and equity for penalties, damages, and other appropriate remedies by the United States.
Do I have your attention?
Well the good news is, the United States government and non-government entities have provided tons of information regarding DFARS and the National Institute of Standards and Technology’s (NIST) 800-171.
The bad news is…the United States government and non-government entities have provided tons of information regarding DFARS and NIST’s 800-171.
Where does a small or medium-sized business start? What’s important? What are the priorities? What applies to your business? The bevy of information can be confusing. Few small businesses have leftover bandwidth, or in-house expertise, to quickly and effectively answer these questions.
Adding to the challenge, the process of ramping up to meet these compliance standards takes some time – and that time is clearly running out for processes that take on average 6-8 months to implement. Businesses that have not begun preparing are very likely “behind the eight-ball.”
So here are some important high-level points to keep in mind when trying to make a wheat and chaff analysis of the demands created by DFARS/800-171 for your business.
First of all, the implications of non-compliance can be serious. The most likely risk will come from contracts where a small or medium-size business is supporting a large, “prime” contractor. This is not to say the possibility of government audit is to be ignored. However, the government, especially in the beginning, is not likely to “shut down” a small business for non-compliance, especially if that organization has demonstrated reasonable, goodwill efforts.
Large, “prime” contractors, however, will likely be less patient – unwilling to risk their large contract on the non-compliance of a smaller business in their supply chain. So DFARS/800-171 is really about business revenue risk. Don’t make the mistake of ignoring it on the assumption that Uncle Sam is unlikely to come knocking on your front door. It won’t play out that way.
Note: Knowing your business does not have the in-house technical expertise to assess its environment correctly in accordance with DFARS/800-171, but not seeking outside assistance, will likely not pass a reasonable, goodwill efforts standard.
Setting aside technical controls, a second important aspect to understand about the impact of DFARS/800-171 is that it will incur cyber incident reporting and communication requirements. For most small and medium-size businesses, running autonomously and “dynamically” (i.e. informally with regard to communications) is often a fundamental aspect of their standard operating procedures. Making the cultural and managerial shift to support formal communications during an uncommon situation like a cyber incident can be a challenge. This challenge is one of many reasons why “processes” may be sufficient to meet a compliance requirement, yet fail to create the culture and managerial environment necessary to implement a truly effective information and cyber security posture. Programs are the key, and they are ignored too often.
The third and final tip that I’ll raise in this piece concerns subcontracting effects. An organization that subcontracts work falling under DFARS will incur responsibilities for those subcontracted entities relative to DFARS/800-171. Again, this is not a liability situation that most small and medium-size businesses are used to, but it is an important aspect of conducting business under DFARS/800-171.
Oh yes, then there is the growing adoption of cloud-based services – which results in a further increase in complexity and requirements…
But that’s for another time.
If you are facing the DFARS/800-171 requirements and unsure of what is the wheat and chaff in your DFARS/800-171 strategic plan and information systems environment, you can reach out to firstname.lastname@example.org. This is our bread and butter and we’re happy to help out.