If your firm is in charge of government information management, it’s time to make sure that your cyber security systems are operating as effectively as possible.
Within the government marketplace, it is general knowledge that government contractors, as well as all components of their supply chains, are considered the “weakest links” when it comes to protecting federal information technology (IT) systems. Sadly, this consensus holds true regardless of the type of contract you hold. It doesn’t matter whether your Federal contract grants you access to classified networks or only to Controlled Unclassified Information (CUI); either way, you and your firm are considered the weakest links, and being considered as such makes you (and the information that you protect) an obvious target.
In recent years, government contractors have been increasingly targeted, breached and exploited by nation-states, hacktivist groups and organized online crime. The best comparison that I can make regarding these security exploitations is the much-publicized Target breach of 2014. It wasn’t Target that was directly affected. Rather, Target was just the vessel: the hackers exploited Target’s supply chain in order to wreak havoc on Target’s network, making Target shoppers the ones who ultimately felt the effects of the security violation.
Government contractors face a similar challenge. They are not the ones who will be most greatly impacted by a hack; rather, it is the governmental organizations whose information they protect that will be. Looking at recent online attacks, we can see this quite clearly. Hackers associated with the Chinese government infiltrated the systems of U.S. airlines, technology companies and other contractors involved in the movement of U.S. troops and military equipment.
In a different attack, hackers went after KeyPoint Government Solutions and its main customer, the Office of Personnel Management (whose previous contractor, U.S. Investigative Services, had also been hacked), compromising the information of over 50,000.
The two cases differ in that in the first the information protected by the contractors was classified, whereas in the second none of the compromised information was. Moreover, in the second case there was no conclusive evidence that any sensitive information was touched. Yet both cases hurt the contractors by further showcasing their lack of effective security systems.
The National Institute of Standards and Technology (NIST) and the National Archives and Records Administration (NARA) are trying to tackle this problem head on. NIST, in collaboration with NARA, is requesting comments on the second and final draft of a guidance document for Federal agencies on effectively protecting the confidentiality of sensitive federal information held in nonfederal information systems and organizations, such as contractors, state-run agencies, universities and more.
NIST and NARA joined forces in 2014 to write Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Just last week, NIST published a call for final comments on the guidance document, which will be used to develop stronger, more explicit controls through additional Federal Acquisition Regulations (FARs).
Which leads me to this: government contractors, get your security together. Whether you realize it or not, you could be the next target. All contractors must take cyber security threats (and protection) more seriously. For all intents and purposes, consider this precaution a marriage of government contract compliance and cyber security compliance.