NIST SP 800-171 cybersecurity compliance deadline is December 31, 2017

Dec. 14, 2017
Cytellix stresses that DOD manufacturers nationwide need to secure their environments by becoming compliant

Aliso Viejo, CA -- December 14, 2017 – Cytellix (cytellix.com), the cybersecurity division of Information Management Resources, Inc. (IMRI), has announced its managed cybersecurity framework for compliance with NIST SP 800-171 to support DOD manufacturers. “With only days left in the year and the manufacturing requirement looming, many small to medium-sized manufacturers who are suppliers under a prime contractor for the Department of Defense (DOD) have yet to start their compliance work,” said Brian Berger, Cytellix executive vice president of commercial cybersecurity.

All DOD prime contractors have either included DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) in their contract flow-downs or have mailed letters to their supply chains stating that this clause is required under current and future contracts. The clause requires:

    • Implementation of the NIST SP 800-171 security requirements by 12/31/2017
    • Notification to the DOD CIO, within 30 days of contract award, of any NIST SP 800-171 requirements not yet implemented
    • Reporting of cyber incidents to DOD within 72 hours of discovery

Many manufacturers have not become compliant because past regulatory deadlines have often been adjusted and delayed. That is not expected to happen this time, because the requirement is critical to the agencies involved and to the security of the US. DOD manufacturing contracts involve Controlled Unclassified Information (CUI) that is vital to national security and commerce in the US, hence the involvement of DOD, the Department of Homeland Security (DHS) and the Department of Commerce (DOC) through NIST. There is no indication of a policy change on what constitutes “adequate security” for this information. See “Defining CUI – Controlled Unclassified Information for the Manufacturing Segment” for additional information.

Action should be taken for several reasons. At the most basic level, an organization that follows the Cybersecurity Framework reduces its exposure to attack. Secondly, new contract awards and the continuation of existing contracts depend on compliance with the framework. And lastly, any business should make the effort to reduce its risk of a cyber-attack: according to frequently cited statistics, two-thirds of small to medium-sized businesses (SMBs) that are attacked are out of business within six months.

The Cytellix managed cybersecurity framework walks an organization through the steps of evaluation, understanding, planning, implementing and monitoring. The framework is organized around the five core functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover. (NIST SP 800-171 itself organizes its 110 security requirements into 14 requirement families; the five functions are the lens used to work through them.) Together these functions span critical systems, management, policies, planning and technology. Compliance also requires familiarity with a number of acronyms: SSP (System Security Plan), POA&M (Plan of Action and Milestones), CSET (the DHS Cyber Security Evaluation Tool), NIST and DFARS. The work behind them can be reduced to four deliverables:

  1. Assessment – a point-in-time review of the organization's cyber posture
  2. Gap Analysis – identification of the gaps and vulnerabilities against the NIST SP 800-171 requirements, documented in the System Security Plan (SSP)
  3. Plan of Action – the plan and milestones for remediating those gaps (POA&M)
  4. Cyber Breach Detection – monitoring of the infrastructure for cyber events that trigger the 72-hour incident reporting requirement

“OK, let’s look at reality. Most organizations that I have been involved with in regard to helping them through cyber compliance are graded using tools from DHS. They typically average between the high 20s to mid-30s out of 100% compliant,” added Berger. “The gap between these low scores and compliance is knowledge and a plan. Cyber skills are scarce. IT has a full-time role keeping systems operational, and cyber has come with a new set of responsibilities that take time, skills, and focus to implement.”
 
Berger continued, “One organization that I met with did not have a firewall, had a flat network, and recently had three ransomware attacks.  Does this sound familiar?  There are some very reasonable and fast solutions to help an organization boost/move their cyber posture from ‘attack me’ to ‘attack someone else.’  The industry has been saying the same thing for a while: You have been, will be, or are under ‘attack.’ There is no option that says, ‘we have been safe and are not important to attackers.’  If you have money, a business, a computer – you are a target.  Is it worth the risk?”

Berger concluded, “There is good news: it’s not too late, and the ability to outsource is a supported model for DOD compliance. Get started regardless of industry or contract requirements; the framework applies to all companies of any size. Time to get cyber prepared!”

For more information about Cytellix and how they can support companies with becoming NIST SP 800-171 compliant, attend one of the Cytellix NIST 800-171 webinars (cytellix.com/webinarregistration), visit cytellix.com or call 949.215.8889.

About Cytellix

Cytellix, the cybersecurity division of Information Management Resources, Inc. (IMRI), is a team of innovative and creative thinkers whose goal is to “Help Businesses Stay in Business.” The cyber leaders at Cytellix thrive on providing services to small and medium-sized businesses, which are the largest targets for malicious cyber activity.

The Cytellix team of experts has created an affordable, low-impact solution for defeating cyber-attacks with a best-in-class, turnkey service designed to help companies take a proactive approach to securing their environments.

Cytellix works with companies in government, manufacturing, finance, banking, law, healthcare and higher education sectors, and its innovative managed service model includes assessment, gap analysis, continuous monitoring, practical plans of action, and customized best practices for remediation and implementation.  

The Cytellix team is proud to have successfully secured the government network perimeters for the U.S. Army, the Missile Defense Agency, and municipal organizations such as the City of Irvine, and its cybersecurity solution has also been deployed at leading commercial corporations such as PricewaterhouseCoopers, Kaiser Permanente, and The Walt Disney Company.

Cytellix and its highly acclaimed team have been recognized with numerous honors, including the 2017 Washington Technology Innovative Company Award, the 2017 American Business Award, the 2016 Small Business Administration Person of the Year award, the 2015 Patriot Award, and the 2014 White House Champion of Change Honor; and the experts at Cytellix are frequently tapped for media interviews and keynote addresses by outlets such as CNET and the Huffington Post. For more information, please visit cytellix.com.