Cybersecurity Survey for Propel Stakeholder Forum
The San Diego Regional Leadership Group (RLG) is updating its long-term strategy to better address recent and potential future challenges to our regional defense industry and needs your insight and expertise. We kindly ask that you take 2-3 minutes to complete this 10-question survey to help us understand your industry. The results of this survey are entirely anonymous and will be informative in nature. We will use the results from this survey at the Propel San Diego Stakeholder Forum on April 23, 2019. For questions or concerns, please contact Nathan Loveland with San Diego Military Advisory Council (SDMAC) – Propel San Diego Program Manager. Email: firstname.lastname@example.org
Critical Infrastructure Cyber Community Voluntary Program
The DHS Critical Infrastructure Cyber Community Voluntary Program (C³) provides cybersecurity resources to owners and operators of critical infrastructure; small and midsize businesses; and State, Local, Tribal, and Territorial (SLTT) governments. Per Executive Order 13636, the C³ promotes the Cybersecurity Framework, which was developed by the National Institute of Standards and Technology (NIST).
Leaders in Business Community Resilience
Developing resilient communities against all hazards requires leadership from government and business. Preparing the workforce, building safe facilities, investing in supplier relationships, and connecting to the community are all key pillars of true business community resilience—from the boardroom to the storefront. The path to leadership involves connecting with the right people and resources and committing to action by helping the business community and whole community mitigate the hazards they face and bounce back quickly after an incident. Plus, it can decrease the overall costs of disruptions and disasters.
Cybersecurity for Small Business
The Internet allows businesses of all sizes and from any location to reach new and larger markets and provides opportunities to work more efficiently by using computer-based tools. Whether a company is thinking of adopting cloud computing or just using email and maintaining a website, cybersecurity should be a part of the plan. Theft of digital information has become the most commonly reported fraud, surpassing physical theft. Every business that uses the Internet is responsible for creating a culture of security that will enhance business and consumer confidence. In October 2012, the FCC re-launched the Small Biz Cyber Planner 2.0, an online resource to help small businesses create customized cybersecurity plans.
The FCC also released an updated one-page Cybersecurity Tip Sheet. The quick resource features new tips on creating a mobile device action plan and on payment and credit card security.
FICO Cybersecurity Score
There’s a lot of buzz about cybersecurity ratings — measures of a firm’s cybersecurity risk — but most businesses don’t understand how they work or know how they rank. The FCC thinks it’s absolutely critical they know this information. That’s why they announced that they are making their own cybersecurity score free of charge to companies worldwide.
Now any company can vet the accuracy of their cybersecurity score before they’re unknowingly assessed by other organizations in their supply chain. As insurers begin using these scores in pricing cybersecurity insurance and as organizations start using ratings to vet supply chain and partner risk, businesses will need to vet the details used to assess their security posture — just as consumers check their FICO Credit Score before applying for loans.
Department of Defense Cybersecurity
It's no secret that the United States is now the number one target for cyberattacks. The Department of Defense (DoD) has continued to increase its cybersecurity compliance criteria for the defense industrial base. Over the past few years the DoD has adopted the NIST standards laid out in NIST Special Publication 800-171r1. Many of these requirements have been derived from NIST Special Publication 800-53, which is used for government organizations. NIST 800-171r1 contains 14 families of cybersecurity controls with a total of 109 + 1 controls (one additional control your organization implements) that contractors must comply with. Proof of compliance is shown by listing these controls, and how each is met, in an organization's System Security Plan (SSP), which is submitted with contracts. Controls for which the organization has not yet reached compliance must be written into the organization's Plan of Actions & Milestones (POAM). These two documents have become a mandatory part of government contract proposals. Previously, these strict requirements applied only to large primes and government entities. The addition to DFARS Clause 252.204-7012 states that these requirements must be flowed down from the large contractors to the small sub-contractors. Small- to medium-sized defense companies are finding that compliance is confusing, hard, expensive, and time consuming. Additional funding is not being awarded in the contracts to meet these cybersecurity requirements. While some companies are tech savvy and have little to no struggle complying, others are failing to keep up. Propel San Diego is working to provide the resources small to mid-sized companies will need to understand and self-help with these cybersecurity controls.
Please use these links to familiarize yourself with the DoD's cybersecurity framework and policies.
Department of Defense Small Business Programs
NIST Cybersecurity Information For Small Business
DoD resources you should become familiar with:
The Department of Defense guidance for small contractors is to implement the cybersecurity controls laid out in NIST Special Publication 800-171r1. Each organization must explain how it implemented each of the controls in a System Security Plan (SSP), submitted to the contracting organization. Any items not in compliance at the time the SSP is submitted must be documented in the Plan of Action & Milestones (POA&M). These controls must also be "flowed down" to the sub-contractors of an organization; this requirement is detailed in DFARS Clause 252.204-7012. The time and cost of implementing these controls can have a significant impact on small businesses and change their operating parameters. It is advisable to seek professional help in working through this process; however, it is highly recommended that companies read through the requirements so they understand what they are asking a professional consultant to do. The NIST manuals listed here should be used together as you navigate these cyber controls:
Protecting Controlled Unclassified Information (CUI), and Controlled Defense Information (CDI) in Nonfederal Systems and Organizations