As we know, compliance is said to drive security spending. This is certainly going to be the case for SMB defense contractors due to some updates to two DoD compliance regimens. The security controls and cyber incident reporting requirements required, become quite a bit stricter. There is no doubt these regimens are using the “stick” to motivate.

The term “carrot and stick”  refers to an idiom using either reward or punishment to induce desired end behaviors:

  1. Carrot – benefits or rewards as positive incentives to bring about desired behaviors; or
  2. Stick – the use/threat of punitive or negative consequences to motivate people to adopt desired behaviors, to avoid painful consequences.

Don’t most compliance regimens use the stick as the motivator? Compliance may be wrapped up in the gospel of protecting consumer data, like PCI. PCI is a thinly disguised risk transference to merchants from the payment card companies. It really gave merchants no choice if they wished to retain the “privilege” of benefiting from continued use of popular credit card brands. If there’s some kind of “or else” implied by a compliance regimen, you’re dealing with the stick.

Conforming Change 2 to NISPOM

All cleared contractors, (those receiving access to classified DOD data) now have to implement insider threat programs under Conforming Change 2 (CC2) of NISPOM. (The guidelines will follow insider threat compliance templates that apply to contractors of all U.S. Federal Government departments and agencies, on January 1/2017.) I have already suggested here, how NISPOM CC2 may be a good start to drive insider threat awareness, but little more. Initially, the bar is set so low with an immature, yet-to-be-figured-out standard, that contractors and federal departments remain at a high risk of suffering an insider incident.

It is important for defense contractors, some of whom, in this day and age, still formally lack a CISO, to get on board with dealing with the insider threat. It may seem like a daunting challenge, but it’s absolutely necessary in the defense vertical. Not only to mitigate abusive or reckless insiders, but to also protect against traditional espionage, – the inside plant, inside collusion, or a compromised (coerced) staffer. However, the best way to protect against those threats are technical controls, which the CC2 doesn’t even look at yet.

Anyone wishing to learn more about how technical controls can take insider incident prevention to a higher level, should check out our comparative with CERT recommended insider threat best practices.


The other compliance regimen is DFARS. If you do business with DoD as a contractor or sub-contractor, you have no choice but to comply with updated Defense Federal Acquisitions Regulations Supplement (DFARS) 252.204-7012.  The updated “Final Rule” replaces the “Interim Rule” in place since 2015. DoD estimates about 10k defense contractors and sub-contractors, mostly SMBs, are affected. They must now protect an extended, broad range of DoD data. Contractors must also now abide by stricter reporting rules regarding “any” possible cyber incidents in their own networks, or that of a partner. DFARS compliance is going to hit many SMBs hard because it really raises the bar in terms of implementing controls for improved defensive posture, incident response and reporting capability.

Apparently the updates to these compliance regimens are causing more than a few contractors some consternation, and a bit of panic. This is because they are realizing that there is some major expense and hard work involved, and they now have a hard deadline! 

DoD acknowledges that the update to DFARS compliance could present some economic burden, especially to smaller companies which may make up close to half of the contractors impacted. Many will likely need to hire outside assistance to help implement new controls, and to investigate any possible cyber incident to comply with stricter reporting rules, because they lack the required skill set in-house.

DFARS Compliance – All stick!

Defense contractors face possible loss of contracts or disqualification from future competition due to non-compliance. That may be due to either the complexity of the process, or from the high financial burden that hiring consultants, a gap analysis, strategic planning, implementation, auditing and incident response might entail.

As a corollary to a point from the previous post, it looks like one can add,

DFARS compliance is now a cost of doing business with DoD.

The stick is clearly being used by DoD and it’s stinging SMB defense contractors. If you want to land DoD contracts, retain them, or have the privilege of competing for them, you have no choice but to comply with the DFARS rules. DFARS compliance is being used as an example of compliance regimens that wield the “stick” – rules and regulations, that force organizations and businesses to do more. The same goes for CC2 – NISPOM insider threat programs as well.

Consider the strictness of these compliance updates in the context of DoD necessity and the resulting expectations upon supply chain contractors. It helps one to understand why this is the case, and that these changes are here to stay, and likely for more than just DoD requirements. This series will consider these issues and see if there’s a carrot for defense contractors, to be found.


Stricter DoD Compliance Regimens: a New Trend? ––>




Related Reading

Panel: Obsession with regulatory compliance doesn’t guarantee good cybersecurity