Mastermind Monday: DOD Contractor Cybersecurity Requirements
Adam Austin, CTO & Cybersecurity Lead of Totem Technologies, walks through the Department of Defense's (DOD) cybersecurity requirements for contractors.
RESTRICTIONS ON SHARING CONTRACT INFORMATION
When you win a big contract, it is tempting to share the news and brag a little about the numbers on social media.
Keep in mind, however, that some of the information in your contract is not allowed to be shared publicly.
This includes delivery orders, invoices, engineering drawings, and other technical information that is not already publicly posted on sam.gov or in a govcon database. Note that this is not classified information; it is ordinary contract information that the government has simply not released to the public, and it still has to be protected.
“All information generated by or for a contract that you would not publish to the general public, it can’t be on your website… on LinkedIn. You can’t be taking pictures of it and putting it on Instagram, Facebook. None of that.”
THE LIFE CYCLE DETERMINATION OF INFORMATION
Because we work with different federal agencies, we have to assume that some of the information we handle is sensitive and should not be readable by the public.
To make sure that information is not shared publicly, we first need to understand how we handle it.
We call this the life cycle determination. It establishes the scope and footprint of the IT system that has to be protected.
The first question is where the information comes from: directly from the DOD, from a prime contractor, or generated internally?
If you generate it internally, which IT components are used to create it, and which of your staff members handle and generate it?
Next, once you have received it: How do you store it, on premises or in the cloud? How do you process it? Who comes into contact with it? Do you share it with third parties, such as your suppliers and vendors?
Finally, at the end of the information life cycle, how do you dispose of it? Paper records have to be shredded. Digital media has to be sanitized or destroyed before it leaves your control, so decide how that will be done.
Once you have a picture of the footprint of your IT system, where the information resides within your organization, and how it is handled, you can then select the safeguards that make up your cybersecurity practices.
“The very first step to our cybersecurity journey is to develop that catalog and then begin to manage that configuration to establish what looks normal in your environment.”
MSP AND MSSP
To make sure we follow our cybersecurity practices and do not leak non-public federal contract information, we should consider hiring an MSP and an MSSP.
Managed Service Providers (MSPs) keep your IT systems operational. Their work is the day-to-day IT: unlocking user accounts, resetting passwords, and maintaining your catalog of IT components.
Managed Security Service Providers (MSSPs), by contrast, perform monitoring and run security operations (the security operations center). They should be highly specialized in anomaly detection and incident response.
Most importantly, when hiring either one, make sure they are at least familiar with NIST SP 800-171, DFARS, CMMC, and the other federal government cybersecurity requirements. Because a provider that administers or monitors your systems comes into contact with the contract information, it is one of the third parties identified in your life cycle determination and is part of the footprint you have to protect.
TARGET AT LEAST ONE LEVEL OF CMMC CERTIFICATION
All DOD contractors will have to target at least a CMMC Level 1 certification.
This includes the lawn maintenance crews that mow the grass at the Pentagon and the waste management crews contracted to empty the dumpsters at Idaho National Labs.
Level 1 is the floor because every contractor processes some kind of contract information that is not available to the general public and deserves some minimum protection.
Beyond that, the CMMC level you have to target depends on the type of information your organization processes.
For instance, if you process controlled unclassified information (CUI), you are going to have to target CMMC Level 3.
To learn more about the DOD cybersecurity requirements for contractors, watch the full video below.
DoD Contractor Cybersecurity requirements with Adam Austin