Top 5 Cyber Security Tips for Government Contractors
As part of Winvale's guest blogger series, Benjamin Brooks, Vice President of Beryllium InfoSec Collaborative, is sharing his top 5 cyber security measures government contractors need to know. Winvale partnered with Beryllium to host a recent webinar, Managing Cyber Security Requirements in Today's Federal Market.
When you think "contractor with the US Government," what do you think of? Bureaucracy? Guaranteed steady revenue? Those are the most popular responses, because after all, we are in business to make money, right? But how many people reading this think of "cyber security" as one of the ideas surrounding contracting with the United States Government?
Today, however, when it comes to getting a government contract, cyber security is "the new black." Traditionally, cyber security requirements were only a big deal for direct prime contractors or their subs. However, because there have been so many breaches involving contractors, and because of the associated costs of those breaches, the United States Government is getting tough on cyber security. So much so that the government is going to issue a certification process for verifying cyber security before contracts are awarded. Because government contractor cyber security is such a huge issue today, let's jump into some information to help companies earn their contractor cyber security "badge."
1. Identity Management
Contractors are going to need to make sure that every user in the organization can be positively identified when using the information system (the network/computers). This means everyone who uses a computer gets their own username, and everyone who needs one gets a mailbox. You can have a shared inbox, but the logins need to be unique to each person, because a login shared by several people makes it impossible to tell from the logs who actually did what. That goes for admins too: administrators should sign in with their own named privileged accounts rather than a shared "admin" login, so that every privileged action can be traced back to one individual.
2. Multi-factor Authentication (MFA)
Multi-factor Authentication is one of the most affordable ways to protect your organization from a plethora of cyber-attacks. Whether your organization uses single sign-on, zero-trust, or another model in between, MFA is a powerful tool against cybercriminal activity.
For example, if Tiny Tim wants to log in to his email remotely, it would be a good idea to confirm that it really is him logging in, right? With MFA, an alert is sent to Tiny Tim's phone asking "is this you logging in?" and Tiny Tim taps "yes." If a hacker obtains Tiny Tim's username (typically his email address) and his password (which is often an easy one to remember, yikes!), the hacker still needs Tiny Tim's phone to gain access. That is a simple way to make it much harder for the bad guy! For smaller organizations (and larger ones too), solutions like Duo are a great way to provide MFA services/software.
Security tip: Avoid using an SMS code or a phone call as your second authentication factor, as SIM-swap attacks are on the rise. Use an authenticator app or push prompt instead, and train users to tap "no" on any prompt they did not trigger themselves, since a prompt that arrives out of the blue means someone else already has the password.
3. Effective Anti-Malware Programs
There are plenty of anti-malware programs around, and unless your organization has been hiding under a rock for the past 10 years, you probably already know this simple and essential protection. On that note, the most effective anti-malware solutions are those that your IT folks can centrally manage, so that signature updates, patches and alerts are applied and reviewed across every machine rather than left to each user.
4. General User Cyber Security Awareness Training
Training your employees on the current cyber security threats, and on what to do when something bad does happen, is one of the biggest bangs-for-your-security-buck! With e-mail based compromises being one of the largest sources of breaches these days, turning poor user behavior into an effective line of defense pays off twice: fewer successful phishing attempts, and faster reporting of the ones that do get through. Of course, the right user awareness training is key. Making it fun and memorable will make your employees more aware of cyber threats.
If you really want your organization to build internal information security defense via your people, test them with a phishing simulation tool! What good is training if you aren't testing to see whether it is working? There are very good (and super affordable!) solutions out there to strengthen your first line of defense (your employees). There have been rave reviews about InteproIQ's platform, which combines both training and a phishing tool, so it is definitely worth looking into.
5. The Cybersecurity Maturity Model Certification (CMMC)
If your organization has been anywhere near the United States Government defense contracting space for the last few months, you hopefully have heard of the newly announced Cybersecurity Maturity Model Certification (CMMC). I think we can all agree that cyber security is important. The new sheriff in town for DOD contractor (and potentially other Federal) cyber security policy and practice adherence is the Office of the Under Secretary of Defense.
The Cybersecurity Maturity Model Certification will be tiered, both to keep certification affordable for even the smallest of subcontractors and, more importantly, to match the required level of protection to the sensitivity of the data shared with outside organizations. The CMMC allows for different levels of security for different amounts and types of information that need protection. Whether or not this will be implemented outside of the DOD is yet to be determined.
In cases where the contract is not with the DOD, the specific cyber security requirements will be laid out through FAR clauses, the contracting agency's own requirements, and the NIST SP 800-series documents those clauses reference.
To summarize, cyber security in government contracting is not going away anytime soon. If your organization is aspiring to get a GSA schedule, or be a contractor to the US Government in any regard, it will pay dividends to get help understanding the ins-and-outs of both contract negotiating and cyber security requirements.
Ensuring taxpayers are not overspending on goods and services is a worthwhile and potentially lucrative business opportunity. Safeguarding the information and data surrounding that venture will ensure it stays lucrative.
Beryllium InfoSec Collaborative helps defense contractors implement, and become compliant with, the DFARS 252.204-7012 and NIST SP 800-171 requirements. We do so in an affordable, practical and secure way, so you can focus on your business. You can watch Winvale's joint webinar with Beryllium about "Managing Cyber Security Requirements in Today's Federal Market" here.
About Benjamin Brooks
Benjamin is the Vice President of Beryllium InfoSec Collaborative and is a 20-year information security veteran. Using the National Institute of Standards and Technology (NIST) frameworks, his work focuses on behavioral and administrative controls to prevent information security breaches. He is a certified CISSP and CEIA.