If you own or manage a small business that is part of the DOD supply chain, then you should be well on your way to completing the 130+ item compliance checklist as set out in NIST 800-171. Compliance needs to be in place by the end of 2017, only a few months away. Because I am working with a few clients that this requirement applies to, I do know that there are many suppliers that are not anywhere close, and a few who have yet to start.
NIST 800-171 deals with “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.” Quite a mouthful. Basically, the focus of the compliance requirements is to ensure that the computer systems and networks of DOD supplier companies have a minimum set of security controls in place, to help prevent an attacker from infiltrating these networks and making off with sensitive information.
Back in October, the Naked Security blog ran a story that perfectly illustrates why the DOD is requiring some very small suppliers to meet this complex and fairly expensive to implement set of standards. The gist of the story is that a small 50-person “mom and pop” engineering firm in Australia was breached. The attackers “had been inside the company’s network at least since the previous July, had full and unfettered access for several months, and exfiltrated about 30GB of data including, restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and a few Australian naval vessels.”
This is part of the reason items are more expensive when provided to the military than they are at Walmart. But the information that needs to be protected is irreplaceable, and cannot be retrieved once it is lost. There are simple steps any business can take to minimize the damage from a cyber intrusion:
- Use the principle of least privilege. Users should only have the rights they need to perform their work. Restrict administrative rights to actual admins.
- Apply operating system updates quickly.
- Apply updates for software applications, including Flash and Adobe Reader.
- Keep your web browsers updated to the latest version.
- Only allow computers and users to run approved software packages.
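The five steps above are easy to state and easy to let slip, so a small shop benefits from checking them mechanically rather than by memory. The script below is an added example, not code from the original post or from NIST: it audits a host inventory against those steps (administrator rights outside an approved role, operating system patch age, application and browser versions below a minimum, and software not on the approved list). The inventory, the approved-software catalog, the role names, and the version numbers are all constructed sample data, and the 14-day patch window is an assumption chosen for illustration, not a figure from NIST 800-171.

```python
"""Audit a constructed host inventory against the hardening steps in the post.

All hosts, accounts, software names and versions below are made-up sample data;
the thresholds are illustrative assumptions, not NIST 800-171 requirements.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Hypothetical approved-software catalog: name -> minimum acceptable version.
# Anything installed that is not listed here is treated as unapproved software.
APPROVED_SOFTWARE = {
    "Adobe Reader DC": "17.12.20098",
    "Flash Player": "27.0.0",
    "Firefox": "56.0.0",
    "Chrome": "62.0.0",
    "CAD Suite": "4.2.0",
}

# Assumed policy: OS patches older than this many days are "not applied quickly".
MAX_PATCH_AGE_DAYS = 14

# Assumed policy: only accounts with these role labels may hold admin rights.
ADMIN_ROLES = {"it-admin"}


@dataclass
class Account:
    name: str
    role: str
    is_admin: bool


@dataclass
class Host:
    hostname: str
    last_patched: date          # date the OS was last fully patched
    accounts: list              # list[Account]
    software: dict              # installed software: name -> version string


def parse_version(text):
    """Turn '26.0.0.151' into (26, 0, 0, 151) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit_host(host, today):
    """Return (hostname, category, detail) findings for one host."""
    findings = []
    # Least privilege: admin rights only for accounts in an approved admin role.
    for acct in host.accounts:
        if acct.is_admin and acct.role not in ADMIN_ROLES:
            findings.append((host.hostname, "least-privilege",
                             f"{acct.name} ({acct.role}) holds admin rights"))
    # OS updates: flag hosts whose last patch date is older than the window.
    age_days = (today - host.last_patched).days
    if age_days > MAX_PATCH_AGE_DAYS:
        findings.append((host.hostname, "os-updates",
                         f"last patched {age_days} days ago"))
    # Application/browser updates and approved-software list, in one pass.
    for name, installed in host.software.items():
        minimum = APPROVED_SOFTWARE.get(name)
        if minimum is None:
            findings.append((host.hostname, "unapproved-software", name))
        elif parse_version(installed) < parse_version(minimum):
            findings.append((host.hostname, "outdated-software",
                             f"{name} {installed} is below {minimum}"))
    return findings


def audit_inventory(hosts, today):
    """Audit every host and concatenate the findings."""
    return [f for host in hosts for f in audit_host(host, today)]


def summarize(findings):
    """Count findings per category, e.g. for a one-line status report."""
    return Counter(category for _, category, _ in findings)


# Constructed sample inventory: one clean workstation and one that fails
# each of the checks at least once.
SAMPLE_TODAY = date(2017, 11, 1)
SAMPLE_HOSTS = [
    Host("eng-ws-01", date(2017, 10, 25),
         [Account("jsmith", "engineer", False), Account("svc-it", "it-admin", True)],
         {"Adobe Reader DC": "17.12.20098", "Firefox": "56.0.2", "CAD Suite": "4.2.1"}),
    Host("eng-ws-02", date(2017, 9, 15),
         [Account("mjones", "drafter", True)],
         {"Adobe Reader DC": "15.23.20070", "Flash Player": "26.0.0.151",
          "Chrome": "62.0.3202", "Remote Desktop Helper": "1.0"}),
]


def audit_sample():
    """Run the audit over the constructed inventory."""
    return audit_inventory(SAMPLE_HOSTS, SAMPLE_TODAY)


if __name__ == "__main__":
    results = audit_sample()
    for hostname, category, detail in results:
        print(f"{hostname:10} {category:20} {detail}")
    print(dict(summarize(results)))
```

In practice the inventory would be fed from whatever the business already has (an asset spreadsheet, an RMM agent export, or a script that enumerates local administrators and installed programs on each machine); the point of the example is that once the five steps are written down as data and thresholds, "are we compliant today?" becomes a question a script can answer every morning instead of a question answered once before the audit.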