As the military supply chain expands, so does the information security risk
The military supply chain continues to expand, with the result that more confidential unclassified information (CUI) spreads further than just military servers. With business information now also commonly stored in the cloud, keeping this data secure quickly becomes a complex task. Information assurance flows downstream in this ecosystem by necessity, with the result that it now touches all defense contractors. Those who can demonstrate secure and compliant data processes stand to gain real business advantages in this increasingly cyber-aware ecosystem.
In a changing and more complex supplier ecosystem, any organization involved in the U.S. military supply chain must have strategies in place to meet multiple requirements from the U.S. Department of Defense (DoD), specific branches of the military, and even the U.S. State Department.
In particular, there are three key areas that defense contractors should focus on. Those companies that adapt their processes to deal with these three areas can stand to gain huge opportunities.
- Security and compliance complexity
These various regulations and administrative rules are designed to meet a single goal: Compliance protocols for the Federal Information Security Management Act (FISMA). As one component of the Electronic Government Act of 2002, FISMA is designed to protect government information from threats including malicious or accidental disclosure or natural disasters.
The National Institute of Standards and Technology (NIST) provides the NIST Risk Management Framework as a guide for supplier compliance. This voluntary framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. Each federal agency must conduct annual reviews of systems handling confidential unclassified information. The U.S. DoD requires that suppliers comply with the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards. NIST issues regular guidance on compliance and helps contractors make sense of the requirements by organizing them into 14 families ranging from access control to maintenance, media protection, and systems and information integrity.
NIST also outlines several self-assessment steps a company should take to prepare for compliance in each of the 14 families. While NIST assumes that defense contractors have existing IT infrastructures in place that do not necessarily need to be replaced, a variety of tactics can be used to achieve compliance. There is no shortage of mandates for the treatment of CUI in nonfederal systems, and the fact that defense contractors have some degree of discretion in terms of how they comply may be more confusing than liberating.
- Cloud confusion
Application security control (ASC) is a substantial challenge even when enterprise applications and underlying data is housed on servers in an organization’s own premises. These server rooms must be secured physically against intrusion and data must be encrypted. Applications also need to include preventive and detective controls to ensure that data cannot be improperly accessed or modified, and that any security breach is recorded and will show up in an audit trail.
The trend of commercially available cloud-based software places new burdens on organizations protecting CUI and other sensitive data. A few short years ago, cloud-based software was viewed with skepticism in the defense sector. This was not only due to overarching security concerns, but specifically to International Traffic in Arms Regulations (ITAR) requirements that data should only be available to U.S. persons. Now, cloud infrastructure has produced workarounds for this challenge, most notably from Microsoft, which has made its Azure cloud platform ISO-compliant.
The Bureau of Industry & Security has also issued a rule that exempts cloud data from some requirements of ITAR provisions if the cloud platform delivers “end-to-end” encryption of the data. Put simply, it requires that data be encrypted before it crosses any foreign border and remain encrypted unless it is accessed by an authorized U.S. person.
- Export control considerations
ITAR takes a broad interpretation of the term “exports” to include data released or stored on servers outside the U.S. or released to non-U.S. persons. The Defense Acquisition University (DAU) suggests that military organizations must not only protect U.S. DoD CUI and information subject to export control by the State Department, but must also protect CUI originating from other countries, following the laws of each country. In an environment where U.S. military organizations collaborate globally on major projects such as the Joint Strike Fighter and where American manufacturers and defense contractors may supply militaries around the world, this situation adds yet more complexity to the data-security challenge.
This brings CUI protection to the attention of the State Department and the DoD. The DAU recommends that conforming to ITAR alone may be insufficient when it comes to protecting CUI for export control purposes, even for military organizations. These entities must, according to DAU, walk a tightrope between two bodies of regulation. It states that “there are several DoD policies that govern overall EC-CUI transfer by DoD personnel to foreign entities, they are overlapping and in some areas unclear of the procedures that DoD personnel should employ for transfer and safeguarding of EC-CUI to foreign entities in the pre-contract award phase of the DoD contracting process.”
Enterprise software underpins security
Dealing with complex data-security problems that have broad business implications is best handled with a centralized approach. The enterprise software system of record in a military or defense contractor organization may be the ideal tool since it can be used to exclusively handle CUI as it flows through the organization and even to suppliers and subcontractors. Centralizing CUI in an application proven specifically in the defense industry can be beneficial.
Security and privacy of data can be centrally administered based on role or individual permissions. This can help executives ensure and document to auditors that only employees authorized and trained in the handling of CUI have access to it.
An enterprise application can also enable an organization to take a standards-based approach to compliance. For the defense sector, ISO 27034-1 is a globally recognized approach for managing application security. Adopting the standard can signal to regulators and trading partners that an organization more likely has a sound approach to ASC. There are technical elements within enterprise software that are verifiable so a government or private entity can prove these measures have been adequately implemented. Included in this process are not only the people-focused elements, which would require tracking of certification and training, but also the application control security data structure, including XML schemas and Application Lifecycle Reference Model. (Figure 1.)
Enforce compliant practices
An enterprise application can be configured to deny network communications traffic by default, in favor of allowing network communications traffic by exception. But internal changes to the software configuration, functionality or data models should be handled according to ITIL [Information Technology Infrastructure Library] processes. These ITIL processes will affect all changes to the instance of the software, but the change-management benefits will be particularly desirable when it comes to ensuring that application security policies are followed and protections remain intact as an instance of software evolves.
Organizations subject to these regulations will want to carefully audit their current enterprise technology and processes and keep CUI security top of mind during new technology-acquisition processes. It also may make sense to ensure that enterprise software vendors whose products handle CUI handle security issues using an industry standard framework, most notably the Common Vulnerability Scoring System (CVSS). The CVSS obviously helps an organization gauge the severity of a given threat by assigning each a numerical score based on common criteria. It also assigns scores based on the extent to which the problem can be easily mitigated and how widespread it is in an organization.
Opportunity ahead for defense contractors
Rather than view new security requirements as a difficult hurdle, defense contractors should view them as an opportunity. There is now very clear guidance on how to handle CUI data, either on premise or in the cloud, but this requires diligence, hard work, and the support of the right enterprise software. With those three factors, contractors can meet regulatory requirements of the different agencies involved in the military ecosystem. It is this enhanced information security that will help differentiate them from competition and secure ongoing business in an increasingly cyber-aware market sector.
IFS North America www.ifsworld.com