NIST 800-171 and DFARS Compliance for DoD Subcontractors
Christopher Michaud, chief information officer of McLaughlin Research in Middletown, launched NeQter Labs when he saw the need for a suitable, affordable way for small businesses to shore up National Institute of Standards and Technology compliance. With his development, Department of Defense suppliers have a new tool to become less vulnerable online.
PBN: What are some of the specialized DoD subcontractors that can benefit from the NeQter Labs Compliance Engine?
MICHAUD: Any company working in the defense ecosystem is now required to comply with a new cybersecurity mandate known as DFARS clause 252.204-7012, enforcing the NIST SP 800-171 framework. To put this in context, this applies to some 1,500 small businesses in Rhode Island – especially those doing business with the U.S. Naval Undersea Warfare Center, General Dynamics Electric Boat, Northrop Grumman, Raytheon Co., SAIC, Alion and Lockheed Martin … as well as their subcontractors.
These companies are busy with the day-to-day work of producing parts and engineering solutions, and have finite [information technology] support. So when a mandate like this comes down from the DoD, most business owners don’t know where to start. Any kind of compromise, breach or incident has the potential to spread and destroy a company’s reputation.
PBN: What circumstances came about that made a tool like the NeQter Labs Compliance Engine so useful?
MICHAUD: First, threats and breaches are on the rise. And hackers prey on those they suspect are most vulnerable. Increasingly, we’re seeing small businesses being targeted intentionally. Second, there are so many ways for a hacker to get a foothold. The bad guys and their malware target everything from mobile phones and email to older software that still works but isn’t supported anymore. This is why the government is so concerned about the protection of sensitive information and imposed the NIST cybersecurity mandate.
NeQter Labs was created out of McLaughlin Research’s own experience with the mandate. Our prime contractors were inquiring about our compliance status. More importantly, our own existing contracts were being modified by the government to include the new clause of being compliant with NIST SP 800-171 guidelines. We needed our compliance to flow down to the smaller companies subbed out to do a specific task, including machine shops, circuit board manufacturers, 3-D printing – even if they weren’t named on the contract. Compliance is a complex and expensive initiative. … The NeQter Compliance Engine takes the guesswork out.
PBN: Can you give us a quick overview of the NeQter Compliance Engine and what it does?
MICHAUD: Within hours of installation, the appliance plugs directly into your network and seamlessly ingests all raw network data from firewalls, switches, web filters, routers, servers and workstations. It presents them in a single, unified dashboard for networkwide visibility. It continuously analyzes, visualizes and alerts on user activity, threat intelligence, vulnerabilities, asset inventory, system stability and file access monitoring in real time, in accordance with the NIST SP 800-171 standards. There are built-in wizards to develop reports that the DoD will ask for in the event of an audit.
PBN: You say that uninformed employees can be a threat to cybersecurity. How does the product counter that, exactly?
MICHAUD: They are usually employees already behind your firewall. … You really need to think about two categories of insider threats: the disgruntled employee and the unintentional or uninformed employee. The worst-case scenario is that someone could take sensitive information and share it with China, or take business-sensitive information and go to a competitor. They could destroy, corrupt or delete data. Most companies don’t even test their backups … and only find out the problem after the data is gone.
The inadvertent problems are more common. Employees can click on malicious links that pollute all systems with ransomware. NeQter Compliance Engine provides real-time visibility and alerts to these anomalies as they are happening, allowing quick action and remediation. It also scans your entire network for vulnerabilities and offers remediation suggestions.
PBN: It seems that the benefits of the NeQter Labs Compliance Engine are broad, going beyond just immediate cybersecurity matters into more long-range business strategy efforts as well. Can you expand on that?
MICHAUD: Cybersecurity may start with the IT department, but it needs to flow up to the entire company from end-user training and awareness to executive buy-in. It’s a mindset that has to become part of the culture. But there’s an even more interesting long-range business impact. Because cybersecurity compliance seems so daunting at first, many small businesses are falling out of the defense supply chain. This gives those that can prove compliance a major competitive advantage. We’re already seeing our customers use their compliance to keep the business they have – and win new business away from their competitors.
Susan Shalhoub is a PBN contributing writer.