No excuses after Dec. 31: Companies doing business with the Department of Defense must comply with NIST SP 800-171 or face losing their contracts.
The National Institute of Standards and Technology Special Publication 800-171 is a set of 110 cybersecurity controls and reporting standards mandated by Defense Federal Acquisition Regulations System clause 225.204-7012, which is now included in all DoD solicitations and contracts.
Its full name — “NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” — gives an idea of the aim, but not the size of the task. Small businesses in particular could struggle to meet the standards.
Bob Reehoorn, COO of ISSAC Corp, a Springs-based advanced data analytics and engineering consulting firm with a staff of about 20, said the work required by NIST SP 800-171 is not trivial.
“It presents immense fiscal challenges — because although I don’t have the amount of contracts and complexity of, say, a small business of 500 people, in the end I have to meet the same requirements,” Reehoorn said. “Complying with federal cybersecurity standards is essential to the defense industrial base, and I’m fully in support of that, but we need help because instituting these baseline requirements as a condition of contract award is a real forcing function. We’re a fairly technical company; we deal in data every day, and even for us this is an onerous task. If you’re just a service provider, man — that’s tough.”
Local startup Sudolynx Inc. is aiming to ease the burden on DoD contractors and subcontractors, launching a turnkey cybersecurity-as-a-service solution.
Sudolynx CEO Greg Roman said the LynxLocker integrated suite of tools will allow businesses to comply with all 110 controls quickly, for about a quarter of the cost of a do-it-yourself solution.
“When we look at the cost and time and funds to meet those compliance standards, most small companies are going to have a very difficult time doing that. And some companies are actually considering not being able to do [DoD] business after 31 Dec. because they just don’t have the means to get there,” Roman said.
Roman and Sudolynx chief technology officer Richard Kuskye, both Air Force veterans with decades of DoD contracting experience, formed the company in March and launched the technology rollout Aug. 17 at Catalyst Campus. LynxLocker will be fully operational Oct. 1.
The platform includes more than 400 controls and provides the system security plan and incident response plan, as well as DFARS proposal support.
It’s like a security deposit box, Roman said.
“Rather than telling small businesses to build the bank vault, just rent a security deposit box in the bank vault that we built,” he explained.
Pricing varies depending on the size and complexity of the business, with significant discounts for small companies that might not otherwise be able to afford compliance.
After a one-time retainer, companies only pay for LynxLocker when they need it.
“If they don’t win an award for six or eight months, then they don’t have to be spending money on a cybersecurity solution if there’s no requirement to have one,” Roman said.
LynxLocker provides continuous monitoring, monthly audit reports, maintenance and upgrades.
“It’s built into the service that we maintain the configuration with the most current best-of-breed technology,” Roman said.
He said it’s unclear how stringently the government is going to police NIST SP 800-171 standards; regardless, large prime contractors will likely be the biggest enforcers.
“On [Jan. 1], as the prime, they are responsible for their subs’ cybersecurity standard. If one of those subs creates an incident, the prime is responsible,” he said. “I think what’s going to happen is the primes might actually drop any subcontractors that fail to meet those standards.”
Businesses should tackle compliance as quickly as possible, Reehoorn said.
“You’ve got till Dec. 31, and I wouldn’t wait till Dec. 15. You’ve got to pull your head out of the sand and pay attention,” he said.
“With the ongoing frequency and the continual sophistication of cyberattacks, I think the government’s going to continue to focus on the development of stronger protections for sensitive data — so you need to start adopting measures now. It’s not going to get easier.”
Colorado Springs Chamber & EDC Chief Defense Development Officer Rich Burchfield said while the current crop of compliance standards is aimed at defense contractors and manufacturers, all businesses should pay attention.
“When you start to dig down a little deeper and hear the conversations that are going on, this could certainly expand into state government … along with even school systems,” he said.
“[I]n the interconnectedness of a community like the Springs, we don’t want to look at it with defense contractor blinders only. We’re smarter to look at it as a true community.”
Burchfield said without proper cybersecurity measures, hackers could use small subcontractors as backdoors.
“Hackers don’t have to go to the big [contractors] anymore, they can find that small company that has a tie-in to the big [contractors] … and all of a sudden they’ve got an avenue in, unbeknownst to the prime,” he said. “On that scale it affects anyone who’s in that range, supporting defense contractors.
“…The way the city’s connected, we have to be very careful. It’s incumbent upon all of us to take on that responsibility, to take basic cyber hygiene and up our game, so we’re helping protect each other,” he said.
Burchfield said NIST intended SP 800-171 to build on existing cybersecurity measures. “We do need that baseline set,” he said.