As markets in Aerospace & Defense mature and competition intensifies, A&D organizations are driven to look at new strategies to grow sales, maintain a competitive model and reduce costs. Digital transformation and a growing global supply chain are adding complexity to this mix, not to mention an expanded attack surface that increasingly sophisticated adversaries can’t wait to take advantage of. For years, compliance-based approaches have helped these organizations maintain a minimal level of security. While they worked well from a Governance, Risk and Compliance (GRC) perspective, the approach has largely fallen short of ensuring a truly effective security posture.
The increasing challenges of regulation and a complex supply chain have organizations caught between investing in compliance and investing in security, as the two disciplines have diverged over time. In many cases, they’re owned by different units or sectors. At the same time, the increasing dependence on external service providers is prompting the government to ratchet up its security requirements to ensure all information transacted about its missions is secure and breaches are minimized.
Chief among these requirements is DoD DFARS and the associated controls specified in the NIST 800-171 guidance, which focus on data security. Specifically, two new clauses, DFARS 242.204-7012 and FAR 52.204-21, speak to the disclosure of information and the safeguarding of contractor information systems, respectively. While these may be regarded as compliance requirements, they provide a layer of data protection and enhance security organization-wide and across the supply chain. Mapped to NIST Special Publication 800-171, they define the controls a contractor should implement while processing government information, and enable self-reporting to ensure smoother audits.
And this mandate has teeth – if your organization does or wants to do business with the government, you must demonstrate compliance with DFARS by December 2017. In fact, this new requirement is just the beginning. Contractors should expect, and be ready to adopt and adapt to, changes related to additional DoD mandates, as well as broader federal guidance and NIST controls as they find their way into common practice.
The most effective way to comply with DFARS requirements is a solution that can meet not only compliance needs, but also provide self-reporting capabilities and incorporate organizational processes for secure operations. While there have been attempts to offer compliance solutions in the past, they have largely failed due to their limited reach across the enterprise, rigid structures, and lack of a customizable framework and access control capabilities.
In fact, the paper “Keep Cyberdefense on Target” is a very instructive read on what capabilities you need and how Splunk has helped customers in the A&D and Federal Systems Integrators space. The deadline is near. Are you ready?
Until next time...