©2020 Manufacturer’s Edge
“It’s not about how many times you fall, but how many times you get back up.” — Abraham Lincoln
“An ounce of prevention is worth a pound of cure.” — Benjamin Franklin
Manufacturers understand the importance of resiliency: reliable equipment that is well maintained, dependable employees who show up and perform as expected, timely suppliers that deliver material according to specifications. These conditions promote resiliency, “the capacity to recover quickly from difficulties; toughness . . . the ability to spring back into shape.” But these conditions are not automatic. They are planned and cultivated—that ounce (or two) of prevention and planning that reduces the risk of adverse surprises, such as an important piece of equipment being unavailable or a key employee being out with the flu.
Cybersecurity resiliency works the same way. It’s about managing the risk that is predictable, controlling the risk that is probable, and recovering from the risk that is inevitable. And this is the core of what the Department of Defense (DoD) is looking to achieve through supply chain compliance with DFARS 252.204.7012. Being fully compliant with the 7012 clause means that suppliers can assure the DoD that they will be able to perform as expected in a timely way without business or production outages.
DFARS 252.204.7012 Compliance
The fundamental requirements for compliance with this DFARS clause are meeting the 110 NIST SP 800-171 security objectives and satisfying paragraphs (c) through (m) of the clause. The National Institute of Standards and Technology (NIST) objectives include articulation of a system security plan (SSP) that contains a plan of action and milestones (POA&M): an analysis of current security control gaps with an explanation of how and when those gaps will be addressed. Many of these gaps can be closed through policy, training, process, and configuration adjustments, rather than significant investment in new technology.
Paragraphs (c) through (m) of the DFARS clause address incident response, recovery, and reporting practices that are not addressed as fully in NIST SP 800-171. They provide the additional assurance of contractor resiliency and consistent communication should something unexpected happen, so that the business impact to the contractor, to DoD, and to its supply chain is minimized.
April 21 Workshop (No Fee)
The DoD chose Denver as one of 23 cities in the US to host an all-day workshop on cybersecurity resiliency and DFARS 7012 compliance. The target audience is manufacturers and others that currently hold DoD contracts—or anticipate DoD contracts in the near future. The program will be highly interactive, with group exercises on manufacturing-focused use case scenarios and next steps:
- How to prioritize the POA&M to align with DoD’s security level assessment methodology (and maximize your score)
- How to construct your audit preparation materials (including SSP and other security binder material)
- How to prepare for a security compromise (develop, communicate, and practice an incident response and recovery plan)
This free workshop will be held on April 21 at the University Club of Denver (1673 Sherman Street) from 9:00 to 5:00. Lunch will be included, and there will be a post-workshop gathering (with a cash bar). The room limit is 120 participants.