This is a guest post by Benjamin Brooks of Beryllium InfoSec Collaborative.
When you think “contractor with the U.S. government,” what do you think of? Bureaucracy? Guaranteed steady revenue? Those are the most popular responses, because after-all, we are in business to make money, right? But how many people reading this think of “cybersecurity” as one of the ideas surrounding contracting with the United States government?
Today, however, when it comes to getting a government contract, cybersecurity is “the new black.” Traditionally, cybersecurity requirements were only a big deal for direct, prime contractors or their subs. However, because there have been so many breaches involving contractors, and the associated costs of those breaches, the United States government is starting to get tough on cybersecurity.
So much so, that the government is going to issue a certification process for ensuring cybersecurity before allowing contracts to be awarded! Because government contractor cybersecurity is such a huge issue today, let’s jump into some information to help companies earn their contractor cybersecurity “badge.”
1. Identity management
Contractors are going to need to make sure that all the users in the organization can be positively identified when using the information system (the network/computers). This means everyone who uses a computer gets a username. And who needs one, gets a mailbox. You can have a shared inbox, but the logins need be unique to each person. That goes for admins too!
2. Multi-factor authentication (MFA)
Multi-factor authentication is one of the most affordable ways to protect your organization from a plethora of cyber-attacks. Whether your organization uses single sign-on, zero-trust, or another model in between, MFA is a powerful tool against cybercriminal activity.
For example, if Tiny Tim wants to log in to his email remotely, it would be a good idea to confirm it is he who is logging in, right? By using MFA, an alert can be sent to Tiny Tim’s phone to prompt “is this you logging in?”…and Tiny Tim clicks “yes.” If a hacker were to obtain Tiny Tim’s username (typically his email address) and his password (which often is an easy one to remember, yikes!), the hacker still needs Tiny Tim’s phone to gain access. That is a simple way to make it much harder for the bad guy! For smaller organizations (and larger ones too) MFA solutions like DUO are a great way to provide MFA services/software.
Security tip: Avoid using an SMS code push, or a phone call for your second authentication factor, as SIM-swap attacks are on the rise.
3. Effective anti-malware programs
There are plenty of anti-malware programs around, and unless your organization has been hiding under a rock for the past 10 years, you probably know this simple and essential protection. On that note, the most effective anti-malware solutions are those that can be centrally managed for updates, patches, etc., by your IT folks.
4. General user cybersecurity awareness training
Training your employees of the current cybersecurity threats, and what to do in the event something bad does happen, is one of the biggest bangs-for-your-security-buck! With email-based compromises being one of the largest sources of breaches these days, improving poor user behavior into an effective line of defense is a huge double impact investment. Of course, the right user awareness training is key. Making it fun and memorable will make your employees be more aware of cyber threats.
If you really want your organization to build internal information security defense via your people, test them via a phishing simulation tool! What good is training if you aren’t testing to see if it is working? There are very good (and super affordable!) solutions out there to strengthen your first line of defense (your employees). There have been rave reviews about InteproIQ’s platform that combines both training and a phishing tool, so it is definitely worth looking into.
5. The Cybersecurity Maturity Model Certification
If your organization has been anywhere near the United States government defense contracting space for the last few months, you hopefully have heard of the newly announced Cybersecurity Maturity Model Certification (CMMC). I think we can all agree that cybersecurity is important. The new sheriff in town for DOD contractor (and potentially other federal) cybersecurity policy and practice adherence is the Office of the Under Secretary of Defense.
The Cybersecurity Maturity Model Certification will be tiered-out in order to ensure affordability by even the smallest of sub-contractors, but more importantly, by the data potentially sensitive data shared with outside organizations. The CMMC allows for different levels of security for different amounts and types of information that need protection. Whether or not this will be implemented outside of the DOD is yet to be determined.
In cases where the contract is not with the DOD, specific clauses for cybersecurity requirements will be laid out through FAR clauses, specific organizational requirements, and NIST 800 series documents.
To summarize, cybersecurity in government contracting is not going away anytime soon. If your organization is aspiring to get a GSA schedule, or be a contractor to the U.S. government in any regard, it will pay dividends to get help understanding the ins-and-outs of both contract negotiating and cybersecurity requirements.
Ensuring taxpayers are not overspending on goods and services is a worthwhile and potentially lucrative business opportunity. Safeguarding the information and data surrounding that venture will ensure it stays lucrative.
Beryllium InfoSec Collaborative helps defense contractors get compliant and implemented with all the DFARS 252.204-7012 and NIST SP 800-171 requirements. We do so in an affordable, practical and secure way, so you can focus on your business. You can watch Winvale’s joint webinar with Beryllium about “Managing Cybersecurity Requirements in Today’s Federal Market” here.
This post originally appeared on the Winvale blog at https://info.winvale.com/blog/top-5-cybersecurity-tips-for-government-contractors.