On December 30, 2015, DoD amended both DFARS 252.204-7008 (Compliance with Safeguarding and Covered Defense Information Controls), and DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) allowing contractors until December 31, 2017 to fully implement all NIST SP 800-171 controls on covered contractor information systems.
The new DFARS mandates are necessary, but they pose huge challenges for small business professional services contractors. The mandates are necessary because too many small businesses ignore security, primarily due to cost concerns and a lack of understanding of the issues.
It’s easy to understand the DOD’s concern when the stats show the following:
However, when a small business looks at these mandates it can be overwhelmed. It sees that compliance is expensive and time consuming, and it doesn't understand how the government can expect it to invest when it is already being squeezed by LPTA contracts and lives on a 5% margin.
Most business leaders understand that they have a responsibility to protect their business and their customers' data. This is why they either hired some IT professionals or outsourced the network to a third party managed services provider. However, in many cases this is where it starts and ends. NIST 800-171 requires business leaders to know much more about cyber security and the precautions necessary to protect an organization. NIST 800-171 requires the contractor's executives to know how their organizations deal with the following 14 families of security requirements (see chapter 3 of the publication):
… and to understand how their organization is dealing with the specifics of each. For example, this is just a bit of the detail from item 4 (Configuration Management):
When the small business takes the time to understand the details of what it is being asked to do to comply with NIST 800-171, it realizes it doesn't have the people, time or experience, and it definitely doesn't have the money to accomplish the task.
Compliance for these small business prime contractors is very expensive as many small businesses will be forced to purchase services from outside vendors to provide “adequate safeguards” for covered defense information. Most small businesses have neither the technical expertise nor the information technology personnel or software to conduct these services in-house. — US SBA Office of Advocacy
If you understand how a small professional services business Profit & Loss (P&L) statement works, you will recognize that small business IT budgets are usually less than $500k/year and that the security portion of that budget is usually 6-7% (per the sans.org table referenced in the original post). So, if you take a company with a $250k/year IT budget, the security portion of that budget is probably $16,250 (6.5%). The question you have to ask is: do you think a small professional services firm can buy all of this for $16k?
Of course not. But that is the ask.
Then there is the responsibility of the prime contractor: does the DOD expect the prime to audit its subs? There is liability there. Who is going to ensure the subs are not just checking the box?
The DOD could learn a lot by watching how the HIPAA Security Rule has impacted small healthcare firms. The HIPAA Security Rule has been in place since 2005 and many SMBs are still not compliant. The New York Department of Financial Services (NY DFS) also recently passed legislation that requires banks, financial services firms and insurance companies working in the state of NY to adhere to more stringent security policies and procedures and to open themselves up for audit. The NY DFS has realized that small businesses are going to be a challenge, so it both built exemptions into the ruling and staggered what needs to be in place over a few years.
Eventually every company in every vertical will need to get its act together when it comes to security or lose its customers and its business altogether. However, there is a need to appreciate the financial investment required by these small businesses to get to a place where they are capable of more effectively managing the security of their data (and their customers' data). We built NetWatcher to help these firms with a low cost, high value platform that helps them meet many of the technical demands outlined in these compliance mandates.