DFARS Compliance is Sticky Business
In a post about use of the carrot or the stick (rewards versus threat of a smack) as persuasion tools for behavior change, I noted that compliance regimens always use the stick. DFARS, in particular, is a good example of DoD making use of the big stick to force changes in behavior. If you do business with DoD as a contractor or sub-contractor, and you want to win DoD contracts, retain them, or even have the privilege of competing for them, you now have no choice but to comply with Defense Federal Acquisitions Regulations Supplement (DFARS) 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting.
As discussed in the last post in this series, this has come about because DoD has recognized a rapidly escalating threat environment and the urgent need to protect CDI-Covered Defense Information. DoD’s expectation now, is for contractors to take the protection of DoD data share and used in partner’s networks – seriously!
An Economic Burden
This means it’s in the contract language. Contractors will have to demonstrate that they are DFARS compliant, or in the interim, propose an an equivalent set of security controls that map to the NIST 800-171 controls standard for non-federal networks. They now face the challenge of proving their due diligence when it comes to protecting covered defense information, or CDI.
Failure to perform at the standard could lead to negative consequences. Defense contractors risk possible loss of contracts or disqualification from future competition due to non-compliance. DFARS will significantly increase the cost of doing business for DoD contractors, and will now definitely be considered a cost of doing business with DoD.
DoD acknowledged that DFARS compliance would most likely have a significant economic impact on a substantial number of contractors, right from the start. Contractors who are not in the business of cyber security usually lack the required cyber security skill set in-house. A reasonable assumption will be that most smaller and many medium companies will require the services of an outside cyber security consultant to achieve initial compliance. They will also likely require additional outsourced expertise in order to comply with on-going incident recovery and reporting provisions of this regimen. Even though the NIST 800-171 controls standard for non-federal networks is estimated to reduce complexity roughly ~30% when compared to the NIST 800-53 controls standard, there remains substantial cyber control complexity for contractors to try and deal with.
Compliance drives security spending but the line is blurring…
For years the security officers have been attempting to educate and persuade enterprise management to invest beyond the minimum operating floor to a more robust level of security controls. DFARS is an interesting case though. With DFARS compliance, the new minimum requirement, or baseline operating floor, presents a substantial jump in the expected cyber security defensive capability of contractors. We’re not talking about a low bar minimum with DFARS. The level of expected performance and adherence to the requirements is strict!
Yes, DFARS compliance has blurred the line between compliance and stricter security. As the threat environment escalates, expect the compliance landscape to be forced to follow and present more stringent, complex compliance regimens mapped to comprehensive control standards like NIST 800-171.
Perhaps you’re thinking DFARS is just a one-off. Ravid Circus warns of the potential impact of the European Union’s GDPR, or General Data Protection Regulation here, and tells us;
“If you’re a company in the EU, you are likely already panicking. GDPR doesn’t care much where your headquarters are – if you have business operations in the EU or handle EU citizen data, it applies to you.”
“These aren’t your grandma’s cybersecurity regulations. Current penalties in the EU stand at around €750K. Under GDPR, fines will reach as high as €20M or four percent of turnover.
Security officers are going to have their hands full just fulfilling compliance requirements as they adopt tougher security.
Also pay attention to the warning to security folks in the article “Can Security and Compliance Coexist Happily?;
“When requirements aren’t met and fines or penalties ensue, security staff, themselves, say that negligence constitutes a “fireable” offense.”
“68% of IT security staff report that “failure to meet regulatory compliance that led to [SIC] large fine or other penalty” would be considered an infringement that could reasonably lead to the firing of security personnel. Therefore, on the one hand, security staff are generally quick to dismiss compliance as ineffective; on the other, compliance is of such significant importance to organizations that practitioners realize ignoring it could cost them their livelihoods.”
Ravid Circus also informs us that,
“Other tough regulations have gone into effect in recent months and are on the horizon. New York State is implementing March 1 new cyber regulations for the financial sector, which could potentially open executives up to criminal liability for non-compliance.”
Perhaps that might open up management ears and minds a bit? As compliance gets stricter, security personnel and management could find themselves at greater risk.
Carrots Over Sticks
Organizations and businesses will have a harder time with compliance regimens as they become more strict and map to tougher control standards. Looking forward, organizations and contractors are going to need innovative tools and new best practices to enable them to satisfy increasingly demanding regimens. Some existing compliance regimens have not been adequately addressed due to complexity and cost. The HIPAA security rule is one prime example. We know that healthcare is a vertical that has been suffering a multitude of breaches. But just because larger fines (more stick) are being levied for HIPAA non-compliance, that doesn’t make the task any easier.
Defense Contractors Need Carrots!
Can solution vendors innovate so that they may better assist defense contractor’s to overcome compliance and cyber security implementation burdens? They must! Even the smallest contractor needs assistance so that they may continue to serve DoD without being priced out of the game, or be victimized by excessive threats. SMBs in all sectors are already overwhelmed, and under-served by the security industry. For a smaller player, any breach could result in monetary penalties, additional expenses due to incident recovery, or could potentially be an extinction-level event. SMBs in the defense vertical are facing a double whammy when DFARS compliance is piled on top of everything. They need help.
And Vendors Must Provide Them!
Vendors must provide the carrots that will deliver desired outcomes, provide real value, and encourage willing investment in both compliance and security solutions, because they go hand-in-hand. Can compliance solutions save a business time and money, when it comes to the integration of controls, their implementation, administration and maintenance of all the pieces? This is certainly needed by defense contractors struggling with DFARS compliance.
To provide an example, the next post in this compliance series will discuss the Trustifier DFARS Compliance Kit and how it’s going to simplify life for defense contractors, as well as save them time and money.
Stricter DoD Compliance Regimens: a New Trend?