By Christopher Michaud
Chief Technology Officer, McLaughlin Research Corporation
Founder, NeQter Labs
A couple of years ago, our contracts officer approached me about a Department of Defense (DoD) ruling—new cybersecurity standards for government contractors involving the safeguarding of covered defense information and cyber incident reporting. This ruling affected more than just our contracts. It had a tremendous impact on the way we do business and gave birth to our cyber division, NeQter Labs.
In 2013, the DoD published the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, requiring the safeguarding of Controlled Unclassified Information (CUI) on contractor information systems. This new supplement requires defense contractors to conform to the guidelines outlined in the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171) by December 31, 2017.
Though the final deadline was years away, the DoD already invoked a clause on a key contract. As the head of IT, I was familiar with the security measures we already had in place, and I was confident we could quickly comply. Maybe we would need to make a couple of security updates or improve the documentation of our security policies. After reviewing the NIST guidelines, I realized I couldn’t have been more wrong.
Spanning 14 security requirement families, NIST SP 800-171 sets standards for 110 security guidelines related to network auditing and accountability, policies and procedures, and implementation of best practices. It was clear that the DoD was serious about protecting CUI entrusted to contractors. It was also clear that we needed to get serious about compliance.
We knew cybersecurity consulting firms were going to be expensive—potentially, hundreds of thousands of dollars in the first year alone! Even after spending all this money, there was no guarantee that we would meet NIST compliance. Since NIST is based on continuous improvement, we were also unsure of what maintaining compliance might cost over the years. Investing hundreds of thousands of dollars was not a practical option for a medium-sized company like McLaughlin Research Corporation (MRC).
So, being an engineering company, we decided to tackle compliance ourselves.
With the help of newly hired cybersecurity specialists, talented interns and two of our brightest engineers, we dissected every single one of the NIST guidelines. Then we interpreted and mapped them to corrective actions. This framework produced clear, real-world recommendations for our network and policies. With a fresh set of eyes, our engineering team then tested and simplified the framework further. Eight months later, this cross-functional team put McLaughlin Research Corporation on the path to NIST SP 800-171 compliance.
Our approach was simple: We built an integrated set of tools and implemented core services to specifically address the main areas of compliance. The first is an appliance to address the auditing and accountability requirements. The second is a set of custom policy tools that is essentially a TurboTax for NIST compliance; it allows users to develop the required policies and a system security plan specific to their organizations. Our tools are clear, easy to interpret and user-friendly. This allows auditors, IT staff and our executives to all have a clear understanding of our compliance, network stability, potential threats and overall health.
Necessity, as the expression goes, is the mother of all invention. MRC needed to comply with the DoD’s new security standards. But, as a medium-sized company, we needed an affordable and complete alternative to cybersecurity consulting services that typically only focus on one area of compliance. Our humble, homegrown solution, it seems, is the first suite of affordable hardware and software designed to help companies achieve NIST SP 800-171 compliance. And the response has been terrific! Many companies are facing the same compliance challenges that we were. In fact, fellow contractors looking for a cost-effective solution started using the NeQter Labs tools. To our surprise, consultants, cyber incident response groups, and IT solutions firms such as EmeSec, The Mako Group, and Category 5 Consulting are using our tools to supplement their cyber services! A standardized approach to NIST compliance saves them, and their clients, valuable time and money. Who knew?
We are thrilled that NeQter Labs is helping companies meet the challenging requirements of NIST compliance. With the DoD’s December deadline quickly approaching, it’s not a moment too soon!