What We Learned: Our Compliance Story
Guest post by Jay Lustig
As the CEO of Scientific Solutions, Inc. (SSI), a small, highly specialized engineering firm in the defense ecosystem, I work with a team of eight of the best and the brightest engineers. We develop sophisticated SONAR solutions that protect critical assets.
When the DFARS compliance requirement came our way, I invested a large chunk of time wading through the NIST SP 800-171 compliance guidelines — and it was anything but straightforward.
While well-intentioned, the implementation guidebook, aptly titled NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements, proved challenging not only for me but even for our IT manager.
I’m the first to admit that I wasn’t the best candidate to shoulder the task of NIST compliance. SSI is a lean operation though, and pulling an engineer off of a billable job to focus on something we didn’t plan—or budget—for has consequences.
The question wasn’t if or when I was going to implement NIST; it was:
- How do I devote my billable resources to the task of learning the guidelines and implementing them?
- What software, if it exists, would be necessary to satisfy all 14 NIST requirements?
- How do I budget for a mandate that I didn’t plan for?
- What’s the fastest, most straightforward and economical way to achieve compliance?
I was burnt out. I’d searched for solutions we could afford or successfully implement ourselves and came up empty-handed. Trying to decipher the requirements and implement them before the deadline seemed almost impossible. Far more concerning, though, was the risk of losing my DoD contracts for non-compliance.
In the summer of 2017, I attended the Southeastern New England Defense Industry Alliance (SENEDIA) event, where I met the NeQter Labs team. The company, born from McLaughlin Research’s first-hand experience with the DFARS compliance mandate, is committed to helping defense subcontractors protect their business from cyber attacks and gain NIST compliance. Their software, the NeQter Compliance Engine, seemed to have exactly what we lacked: answers, guidance, and support.
When the NeQter team asked us to participate in their beta pilot, I didn’t need to think it over. I knew we needed to gain compliance. I’ve never questioned the logic or the intent behind the NIST mandate.
With NeQter’s software, support and guidance, I gained confidence faster than I ever thought possible, and was able to meet the NIST-required deadline.
Fast forward: SSI was selected to participate in a beta program to review our compliance policies. Last week, the Navy conducted the Phase I review of our organization’s process, procedures and policies. While the assessment is ongoing, our interviews were positive. I was prepared and able to discuss SSI’s cybersecurity procedures with honesty, integrity, and confidence. NeQter’s software and tools were crucial in preparing me for this moment.
NeQter’s all-in-one approach allows us to understand what’s happening within our network at all times. We get customized alerts when there’s an issue requiring our attention — that even I can take action on. It continually monitors our system for attacks and vulnerabilities.
Most importantly, the built-in guidance gives me real help in building our policies.
In my opinion, one of NeQter’s best features is the built-in compliance reporting tools. They were vital to helping us meet the compliance deadline and now, in demonstrating our compliance to the Navy. The compliance tool allows me to create my SSP and POAM and correlate them to our organization’s policies.
All of the standards we’ve created with the help of NeQter are now part of our corporate documents.
Duty, Honor, Compliance
I’m proud to support our country and help to defend our freedom. Our DoD contracts are a crucial part of our business. Moreover, our organization considers the responsibility to protect the intellectual property and CUI we receive as a duty and a privilege.
NeQter works for our organization. It was the right choice. We work in the defense industry, building solutions for the U.S. Military. Our adversaries around the world are determined to steal our trade secrets. We must protect the information that the U.S. relies on to stay safe and secure.
Compliance, for us, is vital. It’s a no-brainer. NeQter makes it easy.