<div dir="ltr"><div class="gmail-Entry-header" style="box-sizing:border-box;margin:0px;padding:1.25rem 0px 0px;color:rgb(31,31,31);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,Cantarell,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:16px"><h1 class="gmail-Entry-title" style="box-sizing:border-box;margin:0px 0px 1.25rem;padding:0px;color:rgb(0,27,46);font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:2.1875rem;line-height:1.14286;letter-spacing:-0.035em">DoD should use third-party cybersecurity assessments for its vendors</h1><div class="gmail-Entry-info" style="box-sizing:border-box;margin:0px 0px 1.875rem;padding:0px;display:table;font-weight:700;font-size:0.875rem"><div class="gmail-Entry-infoImg gmail-author-commentator" style="box-sizing:border-box;margin:0px;padding:0px;display:table-cell;vertical-align:middle;width:56px"><img src="https://federalnewsnetwork.com/wp-content/uploads/2019/06/Leslie-Weinstein-Headshot-square.jpg" alt="" class="gmail-lazyload" style="box-sizing: border-box; max-width: none; height: 56px; display: inline-block; vertical-align: bottom; border: 0px; margin: 0px auto; border-radius: 28px; width: 56px;"></div><div class="gmail-Entry-infoContent" style="box-sizing:border-box;margin:0px;padding:0px 1.5625rem 0px 0.625rem;display:table-cell;vertical-align:middle"><div style="box-sizing:border-box;margin:0px;padding:0px;float:left">By <a href="https://federalnewsnetwork.com/author/commentator/" style="box-sizing:border-box;text-decoration-line:none;color:rgb(23,67,92);line-height:inherit;background-color:transparent">Leslie Weinstein</a> <br style="box-sizing:border-box"></div><div style="box-sizing:border-box;margin:0px;padding:0px;float:left"><span class="gmail-Entry-date" style="box-sizing:border-box;margin-right:10px">June 11, 2019 12:20 pm</span></div></div></div></div><div class="gmail-Entry-content gmail-u-textFormat" style="box-sizing:border-box;margin:0px;padding:0px;line-height:1.5rem;border-bottom:2px solid rgb(212,212,212);color:rgb(31,31,31);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,Cantarell,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:16px"><p style="box-sizing:border-box;margin:1em 0px;padding:0px;font-family:inherit;font-size:inherit;line-height:1.35">In the wake of so many high-profile hacks and compromises it seems that no one is safe from a determined malicious cyber threat actor. Should we simply accept that data compromises are the norm and focus on developing coping mechanisms? No!</p><p style="box-sizing:border-box;margin:1em 0px;padding:0px;font-family:inherit;font-size:inherit;line-height:1.35">When implemented properly, data protection strategies work. 
The question is: how can the small- and medium-sized businesses that are part of the Defense Industrial Base (DIB) do that?</p><p style="box-sizing:border-box;margin:1em 0px;padding:0px;font-family:inherit;font-size:inherit;line-height:1.35">While systems and data will always face the risk of hacking, it is possible to reduce the risk of becoming the victim of a malicious cyber actor by following basic cybersecurity guidelines. To this end, for nearly 20 years, the US government and other oversight bodies have been issuing cybersecurity guidelines and regulations.</p><p style="box-sizing:border-box;margin:1em 0px;padding:0px;font-family:inherit;font-size:inherit;line-height:1.35">But guidelines and regulations have not been enough to protect the DIB. A recent Interagency Task Force report to the White House identified three key reasons for continued cybersecurity risk:</p><ol style="box-sizing:border-box;margin:0.10156em 0px;padding:0px 0px 0px 0.10156em;font-size:inherit;line-height:1.35;list-style-position:outside;font-family:inherit"><li style="box-sizing:border-box;margin:10px 0px 0.05078em 20px;padding:0px;line-height:1.375">Lack of uniform security implementation;</li><li style="box-sizing:border-box;margin:10px 0px 0.05078em 20px;padding:0px;line-height:1.375">Inconsistent implementation of adequate security among defense suppliers;</li><li style="box-sizing:border-box;margin:10px 0px 0.05078em 20px;padding:0px;line-height:1.375">Reliance on self-attestation of adherence to <a href="https://s3.amazonaws.com/static.militarytimes.com/assets/eo-13806-report-final.pdf" target="_blank" rel="noopener" style="box-sizing:border-box;text-decoration-line:none;color:rgb(39,139,216);line-height:inherit;background-color:transparent">government cybersecurity standards</a>.</li></ol><p style="box-sizing:border-box;margin:1em 0px;padding:0px;font-family:inherit;font-size:inherit;line-height:1.35">These risks can be mitigated by requiring third-party network 
assessments and certifications of vendor networks.</p><p style="box-sizing:border-box;margin:1em 0px;padding:0px;font-family:inherit;font-size:inherit;line-height:1.35">In fact, Defense Federal Acquisition Regulation Supplement (DFARS) 252.204 already requires that all contractor and subcontractor networks which process, store or transmit Controlled Unclassified Information meet the <a href="https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm" style="box-sizing:border-box;text-decoration-line:none;color:rgb(39,139,216);line-height:inherit;background-color:transparent">minimum cybersecurity standards</a> listed in National Institute of Standards and Technology Special Publication 800-171. But the Defense Department does not currently have the manpower or budget to assess and certify that every vendor meets the DFARS cybersecurity standards. 
The DoD should, through policy, enable and require third-party assessment and certification of the Defense Industrial Base networks covered under the DFARS language. This policy would ensure compliance with DFARS cybersecurity regulations without burdening DoD with any additional manpower or capabilities requirements.</p><h2 style="box-sizing:border-box;margin:0.05078em 0px;padding:0px;color:inherit;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:1.625em;line-height:1.38">Third-party DIB assessments</h2><p style="box-sizing:border-box;margin:1em 0px;padding:0px;font-family:inherit;font-size:inherit;line-height:1.35">Moreover, DoD can leverage a model that the Health Information Trust (HITRUST) Alliance has created by establishing a cybersecurity controls framework, enabling third-party compliance assessments, and developing a process by which to certify that networks are in compliance with the established cybersecurity framework. Since 2007, HITRUST has been assisting vendors with compliance to government and industry cybersecurity regulations. 
The DoD should leverage HITRUST’s approach and implement a similar model for the DIB.</p><p style="box-sizing:border-box;margin:1em 0px;padding:0px;font-family:inherit;font-size:inherit;line-height:1.35">DoD has already completed the first step by establishing a cybersecurity controls framework, which is compulsory under the DFARS language. And like HITRUST, the DoD can and should approve organizations to perform assessments of DIB networks. HITRUST has approved 80 organizations to conduct assessments in accordance with its risk management framework. Much like the DoD publishes a list of <a href="https://iase.disa.mil/iawip/Pages/iabaseline.aspx" style="box-sizing:border-box;text-decoration-line:none;color:rgb(39,139,216);line-height:inherit;background-color:transparent">approved baseline cybersecurity certifications</a> for the DoD cybersecurity workforce, the DoD could similarly vet and publish a list of organizations approved to conduct DoD DFARS assessments. Assessments should be required of all DIB networks covered by the DFARS language, and the assessment results should be made available to the DoD during the contracting process.</p><p style="box-sizing:border-box;margin:1em 0px;padding:0px;font-family:inherit;font-size:inherit;line-height:1.35">Initially, small- and medium-sized companies may view such assessments as a barrier to entry, but failing to have the necessary cybersecurity protections in place is a much bigger issue that will actually prevent such firms from competing in the future. Cybersecurity compliance cannot be done on the cheap, because the information shared by DoD is critical. And if a vendor cannot afford to properly implement cybersecurity controls, then it should not be allowed to process, possess or access government information on its networks.</p><h2 style="box-sizing:border-box;margin:0.05078em 0px;padding:0px;color:inherit;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:1.625em;line-height:1.38">Certification is a big challenge</h2><p style="box-sizing:border-box;margin:1em 0px;padding:0px;font-family:inherit;font-size:inherit;line-height:1.35">The biggest challenge in adopting the HITRUST approach to risk management and compliance would be its certification process. 
Tiger Connect, a vendor that was recently certified by HITRUST, claims that HITRUST’s certification process took more than seven months and involved several rounds of <a href="https://www.tigerconnect.com/blog/what-tigertexts-hitrust-certification-means-for-you/" style="box-sizing:border-box;text-decoration-line:none;color:rgb(39,139,216);line-height:inherit;background-color:transparent">audits and corrections</a>. The expense and time involved in that type of certification process may initially be prohibitive for small- to medium-sized companies within the DIB. Moreover, unlike HITRUST, DoD does not have the resources to directly conduct network certifications.</p><p style="box-sizing:border-box;margin:1em 0px;padding:0px;font-family:inherit;font-size:inherit;line-height:1.35">In light of this, DoD should develop policies to allow third parties to certify networks as compliant. And as DoD gains experience and more firms enter the market for cybersecurity certification, the cost and time burden of obtaining a DFARS certification should also drop. Initially, however, large DIB enterprise networks should be able to readily afford and attain a DFARS certification, and should be expected to do so.</p><p style="box-sizing:border-box;margin:1em 0px;padding:0px;font-family:inherit;font-size:inherit;line-height:1.35">The DoD already has the necessary tools to implement a network assessment and certification policy to significantly reduce the risk of data compromises among the DIB. 
Ultimately, the DoD should take action to both require a network assessment before the bidding process, and also ensure that post contract award all large enterprise networks achieve network certification.</p><p style="box-sizing:border-box;margin:1em 0px;padding:0px;font-family:inherit;font-size:inherit;line-height:1.35"><em style="box-sizing:border-box;line-height:inherit">Leslie Weinstein is an Army Reserve officer and DoD policy consultant, and is writing a white paper on defense industrial base cybersecurity issues.</em></p><p style="box-sizing:border-box;margin:1em 0px;padding:0px;font-family:inherit;font-size:inherit;line-height:1.35"><em style="box-sizing:border-box;line-height:inherit">Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.</em></p></div><br class="gmail-Apple-interchange-newline"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+<br><br> Harold F. Schiffman<br><br>Professor Emeritus of <br> Dravidian Linguistics and Culture <br>Dept. of South Asia Studies                     <br>University of Pennsylvania<br>Philadelphia, PA 19104-6305<br><br>Phone:  (215) 898-7475<br>Fax:  (215) 573-2138                                      <br><br>Email:  <a href="mailto:haroldfs@gmail.com" target="_blank">haroldfs@gmail.com</a><br><a href="http://ccat.sas.upenn.edu/~haroldfs/" target="_blank">http://ccat.sas.upenn.edu/~haroldfs/</a>    <br><br>-------------------------------------------------</div></div>