While there is an abundance of reasons to enforce cybersecurity requirements, it doesn't take long to understand why the DoD is concerned about even the smallest subcontractor's security posture.
Let's create a tiny fictitious company in order to illustrate a very realistic scenario, without throwing anyone under the bus. Suppose "Bob's Pipe Bending Service" is suddenly unable to complete a piece of critical tubing that is a required component for the construction of an aircraft carrier. Bob's process is so unique and specialized (as is often the case with military-grade equipment) that there were no other contractors ready to take his place. Bob's Pipe Bending Service was the recent victim of a ransomware attack and is still figuring out how to get the data back. Bob never thought all of his detailed diagrams were at risk because, "Why would a cyber criminal target Bob?" He's a nice guy!
Long story short, Bob's portion of the project was delayed for 3 weeks while the diagrams were reconstructed, with his team working almost 20 hours per day. What's more, Bob suffered a major penalty for not meeting the project deadline and slightly delaying the aircraft carrier's assembly. He didn't end up making a profit on this project, but hopefully the next project, scheduled to start in two years, will go well.
Tens of thousands of companies across the U.S. are at risk of delaying or losing their Department of Defense (DoD) contracts. The DoD has required its contractors and subcontractors to meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards. Specifically, these companies are required to meet the requirements defined in the NIST Special Publication 800-171 framework. The requirement was supposed to be met by the end of 2017, and many (perhaps most) have not yet met the standards.
Simply put, a break or delay at any point in a supply chain has the potential to severely disrupt an entire operation. If the supply of fuel is choked during times of war, it is clear why military operations will be severely hindered. For corporations supplying the DoD, the smallest and simplest parts matter to the production of critical assets. Even Boeing had major struggles completing aircraft when its supply of rivets (perhaps the simplest component) was not able to meet demand.
It's no wonder the DoD is serious about even the smallest businesses in its supply chain. Our Nation's defenses are dependent on small and midsize companies.
If you represent one of the many DoD subcontractors working to figure out how to meet this requirement, please contact us for a complimentary consultation.
To stay organized and track progress while navigating compliance requirements like NIST 800-171, we recommend using the Ivis GRC platform.