Author: Domenic Gargano, Chief Operating Officer, McLaughlin Research Corporation
By now you should be aware of the DoD’s December deadline for government contractors to meet new cybersecurity standards. Intended to protect Controlled Unclassified Information (CUI), contractors and sub-contractors must meet new security standards outlined in NIST SP 800-171 by December 31, 2017.
While the deadline is clear, enforcement of the new regulations is not. At this stage, compliance is self-reported. The government is not going to conduct surprise inspections. Instead, when you accept the terms and conditions of a DoD proposal or project, you are affirming you are/will be NIST compliant.
So, you may think you have some leeway. Right? If the DoD is not going to police NIST regulations, why do you have to spend the time and money to become compliant? Faced with the same decision when the DoD invoked DFAR clauses on one of our contracts, McLaughlin Research Corporation (MRC) used five considerations to decide in favor of compliance:
- Relative Cost. The amount you need to spend on compliance has a significant impact on your business case. In other words, how does the cost of compliance compare to the amount of government business that’s at stake? Can you afford to outsource compliance for hundreds of thousands of dollars? What if an internal team could achieve compliance for $20k? How does this compare to annual revenue? How does the cost of maintaining compliance each year (we estimate 35-40% of the initial cost), compare? Amortizing these costs over a stated period can give you a good sense of the cost of compliance relative to revenue.
- Lost Business. Put simply, if you have a breach and are not NIST compliant, you risk losing government business. This includes current projects and future work. Depending on the importance of government business to your company, this risk will vary. Perhaps you can live with repercussions of non-compliance if the revenue is a small part of your company’s business. For many prime contractors, DoD revenue is their business. So, non-compliance is not an option.
- Competition. Technically, contractors aren’t mandated to accept the terms of a proposal or bid. They may take an exception to terms and conditions, such as NIST compliance. Obviously, the DoD may choose a competitor who is willing to accept the terms. So, there is an inherent risk when taking an exception. This approach opens the door to competition.
- Company Reputation. If your company continues to resist (exception, mentioned above) what the government is proposing, it could lead to trouble. Nobody wants to work with companies that are difficult to do business with. The government is no different. There are times that your company may push back on the terms of a proposal. This, however, is not one of those times. NIST compliance is not going away. Security is very important to the government (and contractors). Nobody wants to be on the news after having a breach.
- Personal Reputation. Similarly, the company’s Compliance Officer is signing the proposal and accepting the terms and conditions. So, non-compliance or frequently taking exception is also a reflection of an individual.
Given these considerations, your company is faced with a make, buy or ignore decision. At MRC, 100% of our business is with the government. Despite ambiguity regarding how compliance will be enforced, it was too risky for us to ignore compliance. Retaining third-party security specialists was going to be extremely expensive. For a company of our size, the buy approach was not an option. So, we started down the make path. We hired cybersecurity specialists and built our own set of compliance tools. A web-based System Security Plan (SSP) builder helped us “tick boxes” as we progressed through each of the 110 NIST security requirements. A network security appliance helped us monitor and log network activity. The device will even send alerts about potential breaches and questionable incidents. Of course, if we do have a breach, we can respond quickly to the DoD.
At a fraction of the cost of hiring consultants, we have standardized compliance at MRC. Also, we have learned an incredible amount about NIST SP 800-171 that will be useful in maintaining compliance for years to come.
So, how much risk do you want to take? Can you afford to ignore NIST compliance? Or will you need to take a buy or make approach to compliance? The considerations above can help you determine the best approach for your organization.
McLaughlin Research Corporation is the parent company of NeQter Labs, a cybersecurity solutions company specializing in NIST compliance. For more information on the NeQter Labs story, please see our blog How DIY NIST SP 800-171 Compliance Tools Became NeQter Labs (link).