Contractors: Get ready for tighter DOD supply chain enforcement

NOTE: This article appeared first on FCW.com

The Defense Department has been ramping up efforts to quash supply chain vulnerabilities with enhanced cybersecurity guidance that gives the organization greater access to contractors’ security protocols and controls even before awarding a contract.

According to Tom Tollerton of the accounting firm Dixon Hughes Goodman’s cybersecurity advisory team, DOD has been firing off a series of memos and guidance since late 2018 aimed at tweaking contracting language and improving security conditions pre-award.

The most recent of which was in January from Ellen Lord, DOD acquisition head, designating the Defense Contracting and Management Agency with assessing contractors’ compliance with the NIST 800-171 in the cybersecurity framework by reviewing purchasing systems.

“This is really a step beyond previously identified gaps, which is what contractors were doing previously,” Tollerton said of the potential of on-site assessments in the firm’s April 16 webinar. “This was just released in January so this process is gearing up. So just be aware that its coming down the pike.”

He called particular attention to a set of guidance documentsreleased in November by Kim Harrington, acting principal director for the Defense Pricing and Contracting Agency, gave contractors a new urgency when considering security and partnering with the DOD.

One requires self-attestation to comply with DFARS and the NIST Cybersecurity Framework, as well as on-site assessments and “enhanced cybersecurity measures in addition to the security requirements in NIST SP 800-171 to safeguard information stored on the contractor’s internal unclassified information system” before an award is made.

Tollerton said that overall the guidance “was a little vague” and gave DOD latitude to evaluate or add system controls if the organization believes its necessary.

Additionally, DOD expects contractors to already have a system security plan, along with plans of action and milestones, in place and outlines the consequences to the government if the security standards are not met.

There’s “a lot of subjectivity in that guidance suggests that contractors need to make every effort to consider security of data and systems even before considering compliance requirements,” he said.