Navigating the DoD Cybersecurity Requirements
The DoD cybersecurity requirement exists because America’s adversaries continually probe and attempt to break into defense contractor IT systems. In many cases, the attackers are not after Secret or Top Secret information. Rather, they are looking for information that is less sensitive but no less useful to them – research and engineering data, engineering drawings, technical reports, financial records, software source code, and even personal data about employees.
To help stem the flow of this information to our adversaries, the Department of Defense has established DoD cybersecurity requirements that oblige defense contractors to implement a broad range of cybersecurity measures, codified in NIST SP 800-171, the Cybersecurity Maturity Model Certification (CMMC), and the NIST SP 800-171 DoD Assessment Methodology (DAM).
In most cases, complying with the DoD requirement (the DFARS 252.204-7012 clause in your contract) means that each defense contractor, whether prime or subcontractor, must –
- Provide adequate security for all information systems that process, store, or transmit Covered Defense Information (CDI), and
- If a cyber incident occurs, report the incident directly to the Department of Defense within 72 hours of discovery.
The Path to Compliance
Although the DoD recognizes that there is no “one-size-fits-all” approach to cybersecurity, there are specific elements each defense contractor must address. National Institute of Standards and Technology Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” (hereafter referred to as 800-171), lists the specific security requirements that constitute “adequate security”.
These requirements are divided into 14 general categories (“families”). The families comprise 110 separate security requirements (“controls”), which are further broken down into 320 Assessment Objectives. With the Assessment Objectives in hand, a DoD assessor can examine every aspect of your company’s IT system for compliance.
The sheer number of DoD cybersecurity requirements may seem daunting, but rest assured that compliance is achievable. The path to compliance follows these four steps –
- Create a System Security Plan.
- Assess the current state of your systems against the requirements documented in the System Security Plan.
- Develop a Plan of Action and Milestones to fix any deficiencies.
- Develop and exercise an Incident Response Plan.
Step 1: Develop a System Security Plan
The System Security Plan (SSP) is where you describe your IT system. This includes both written and visual depictions of the system boundary (which hosts, networks, and cloud services handle CDI), system interconnections, and key devices. The SSP also lists all 110 security controls identified in 800-171 and, for each one, describes how your organization implements it, or notes that it is not yet implemented.
Step 2: Assess Implementation of the SSP
With your SSP complete, you can identify where your organization is compliant and where it is deficient. NIST Special Publication 800-171A, “Assessing Security Requirements for Controlled Unclassified Information”, can help you focus your assessment. For each Assessment Objective it identifies the specific artifacts to examine, people to interview, and mechanisms to test in order to measure your level of compliance. A control is “Satisfied” only when every one of its Assessment Objectives is met; otherwise it is “Other Than Satisfied.” Record the result for each control in the SSP.
Step 3: Develop Your Plan of Action and Milestones
The Plan of Action and Milestones (POA&M) is the document that collects all of your company’s Corrective Action Plans (CAPs). Each CAP draws on what you learned by comparing the current state of your system to the DoD cybersecurity requirements you must meet: it names a control that is currently “Other Than Satisfied” and the actions you will take to bring it into compliance. For each item, be sure to record the associated cost, the responsible person, the expected completion date, and the current status of the corrective measures.
Step 4: Develop and Exercise an Incident Response Plan
In spite of thorough planning and adherence to the best security practices, compromises can still occur. The final step toward compliance with the DoD’s cybersecurity requirement is to develop an Incident Response Plan (IRP). A well-crafted IRP communicates how your organization will respond to a cyber incident so that you can limit the damage and recover quickly. The IRP –
- Describes the structure and organization of your incident response capability.
- Provides a high-level approach for how your incident response fits into your overall organization.
- Meets the unique requirements of the organization, which relate to mission, size, structure, and functions.
- Defines reportable incidents and the reporting path, including the 72-hour window for reporting to the DoD.
- Specifies the evidence to preserve after an incident; the DFARS clause requires images of affected systems and relevant monitoring data to be retained for at least 90 days after the report is submitted.
- Provides metrics for measuring the incident response capability within the organization.
The DoD Cybersecurity Requirement is a Journey
Working through the DoD cybersecurity requirement leaves your organization with a thorough System Security Plan that identifies where you are compliant and where you need to improve. You record your deficiencies, and your plans to fix them, in your Plan of Action and Milestones. And in the unfortunate event that your organization experiences a cyber incident, you have an Incident Response Plan to help you limit the damage and speed recovery.
Need Additional Help with this DoD Requirement?
If you are still overwhelmed by the number of DoD cybersecurity requirements, you are not alone. Totem Technologies has helped dozens of companies secure their IT systems and maintain compliance with DoD requirements. Contact us today to see how we can help.