The cyber world is becoming increasingly integrated. The DoD works with contractors, who often work with subcontractors, who in turn may subcontract part of their work, and so on down the line that makes up the DoD supply chain. Depending on the nature of the work they do, subcontractors may be responsible for handling government FCI or CUI on the prime contractor’s behalf, which puts them at risk from cyber incidents and breaches aimed at harming the defense industry. CMMC imposes stringent incident response requirements on both DoD prime contractors and their subcontractors. When systems are integrated, risk to the subcontractor is also risk to the prime contractor, and to the DoD itself. Therefore, it is vital that prime contractors coordinate incident response with their subcontractors.
Make sure your subs are prepared
Before starting work with any subcontractor on a DoD project, you should ensure that they are equipped to respond to cyber incidents and report them according to the appropriate regulatory requirements.
- The first step is to build compliance into the contract. Just as your own contract with the DoD requires your company’s compliance, your contracts with your subcontractors must require that they comply with the appropriate requirements depending on the data they will handle for you. Once 48 CFR is live, which is expected in the fall of 2025, defense contracts will require CMMC certification at the appropriate level. In the meantime, subcontractors must comply with the underlying requirements that form the basis for CMMC. This means that if your subcontractor handles FCI for you, they must comply with FAR 52.204-21, which corresponds to CMMC Level 1. If they handle CUI, they must comply with NIST SP 800-171, which corresponds to CMMC Level 2. If they handle high-risk CUI (as specified per DoD contract), they must comply with NIST SP 800-171 as well as additional requirements from NIST SP 800-172, which together form the basis for CMMC Level 3.
- As the prime contractor, you should establish clear communication channels and reporting procedures for cyber incidents, so that your subcontractors know how and when to notify you and the DoD. Incidents affecting FCI or CUI must be reported to the DoD within 72 hours, including a detailed preliminary assessment, so your subcontractors need to be prepared to do that and to perform any remedial actions the DoD requires. Keeping the lines of communication open will help ensure this process runs smoothly.
- Continuous monitoring is critical not just for your own systems, but also for your subcontractors. They should perform regular surveillance audits, vulnerability scans, and risk assessments of their systems and should have remediation plans in place to address any vulnerabilities found. Again, open communication is key.
Include your subs in your Incident Response Plan
A comprehensive Incident Response Plan (IRP) will involve all stakeholders, including subcontractors at every level. An IRP specifies the procedures for responding to and recovering from incidents, ensuring minimal damage and safeguarding data throughout the supply chain. Having a coordinated IRP in place confers numerous benefits.
- The IRP clearly outlines the responsibilities of each stakeholder in case of an incident and identifies who must be informed and when, ensuring an efficient and effective response, along with clear communication.
- A coordinated, well-defined response is a quick response. Damage is contained quickly, which helps minimize loss, both reputational and financial, as well as reducing potential legal ramifications. It reduces recovery time, allowing all parties to more quickly resume normal business operations. The IRP also provides methodology for analyzing a breach and determining root cause, thus preventing future issues.
- Critically, the IRP identifies sensitive data and ensures it stays protected by requiring secure backups and ensuring proper access management.
Review your IRP with your subcontractors to make sure they understand their roles and responsibilities. Including subcontractor representatives in incident simulations and other training exercises can also enhance your IRP’s effectiveness.
Keep the lines of communication open
Communication and collaboration are essential for responding to cyber incidents and reducing their impact throughout the DoD supply chain.
- Prime and subcontractors should encourage a culture of information sharing. According to CISA, information sharing is essential to cybersecurity. This includes information about emerging threats and vulnerabilities, allowing the organizations to identify risks and take preventative action. It also includes timely communication in case of an actual incident, to ensure a quick and effective response.
- Sharing information involves proactively working together to mitigate threats. Conducting security audits between organizations to identify vulnerabilities, for instance, allows organizations across the supply chain to collaborate on addressing those vulnerabilities, strengthen the systems in question, and protect government FCI and CUI.
- Keeping the lines of communication open ensures that ongoing security measures can be implemented across the supply chain and that all players are aware of key decisions and process updates.
- Including all parties in post-incident reviews ensures that lessons learned are communicated and adopted throughout the supply chain.
Contact CyberNINES at this link for more information on cyber incident response and prevention throughout the supply chain.