Previous Next
Cybersecurity
Why cybersecurity is important for small businesses
Cyber criminals consistently target businesses in an attempt to weaken our nation’s supply chain, threaten our national security, and endanger the American way of life.
Your small business may be at risk for cyber attacks that can cause damage in many ways, including:
- Identity Theft
- Business Interruption
- Reputation Damage
- Proprietary Information Theft
- Hardware/Software Repair
- Litigation Fees
- Contract Loss
Cyber attacks can be very costly for a business when you factor in ransom costs, business downtime, and system restoration.
You need to know that your company’s systems and data are secure to do business with the U.S. Department of Defense (DoD) or any Federal agency. You’ll need to demonstrate your ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
RESOURCES
- Project Spectrum – Cybersecurity Support for Small Business
- Project Spectrum 1-pager
- CMMC 2.0 Details and Links to Key Resources
- NIST SP 800-171 Assessment Methodology Version 1.2.1
- NIST Computer Security Resource Center (CSRC) Glossary
- US Cert Alerts
- Supplier Performance Risk System (SPRS)
- U.S. DoD Defense Industrial Base Collaborative Information Sharing Environment (DCISE) Portal
- Defense Federal Acquisition Regulation (DFARS) Part 252
- DoD Cyber Crime Center (DC3)
- SBA Cybersecurity Resources
- DHS: Best Practices to Address Ransomware
- FCC Cyberplanner
- CDSE Cybersecurity Resources
Cybersecurity compliance for small businesses
Defense Federal Acquisition Regulation Supplement (DFARS) regulations require compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 for the safeguarding of defense-relevant information and cyber incident reporting.
NIST SP 800-171 provides recommended requirements for protecting the confidentiality of CUI. Businesses must implement these requirements to show they can adequate secure and protect the covered information in their federal contracts.
The DoD additionally developed the Cybersecurity Maturity Model Certification (CMMC) framework to review and combine various cybersecurity standards and best practices. CMMC maps these controls and processes across several maturity levels that range from basic cyber hygiene to advanced.
Achieving Your Required Compliance Level
DoD and other Federal contracts will require different levels of cybersecurity compliance, depending on the amount and type of data that needs to be protected.
Basic:
- Protect FCI only
- Employ up-to-date antivirus software
- Use safe password protocols for all staff
Intermediate:
- Transition between FCI and CUI protection
- Establish/document cybersecurity practices
- Utilize strategic planning
Good:
- Protect CUI
- Log/monitor incident response
- Develop backup/recovery process
- Employ DNS and spam protection
Proactive:
- Address Advanced Persistent Threats (APTs)
- Review/measure cybersecurity practice effectiveness
- Adapt to changing cybercriminal tactics
Advanced:
- Standardize all cybersecurity processes
- Achieve consistency across the entire organization
- Address 170+ security controls
Speak with your contracting officer to better understand what level of cybersecurity compliance you need to achieve. For more details on the various cybersecurity controls, visit https://www.projectspectrum.io/#!/standards.
A cybersecurity education, awareness, and compliance resource
The DoD Office of Small Business Programs (OSBP) initiated Project Spectrum as a comprehensive platform to provide the tools and training needed to increase cybersecurity awareness and maintain compliance in accordance with DoD contracting requirements.
Project Spectrum provides businesses and institutions with the most up-to-date cybersecurity compliance and policy best practices. The platform educates users on relevant topics that affect business risk management.
Project Spectrum offers heightened, cost-effective awareness tools and training to small- and medium-sized businesses that are particularly susceptible to cyber threats due to funding and other resource limitations.
For more information about Project Spectrum, visit https://projectspectrum.io..
Additional cybersecurity resources for small-to-medium-sized manufacturers
The Manufacturing Extension Partnership (MEP) is a unique public-private partnership that delivers comprehensive, proven solutions to U.S. manufacturers, fueling growth and advancing U.S. manufacturing.
The MEP National Network™ comprises MEP Centers located in all 50 states and Puerto Rico providing any U.S. manufacturer with access to resources they need to succeed. MEP Centers have helped thousands of manufacturers improve operations, increase profits, create or maintain jobs, and establish a foundation for long-term business growth and productivity.
Many MEP centers can provide additional cybersecurity awareness and compliance resources for small-to-medium-sized manufacturers.
For more information, visit https://www.nist.gov/mep/cybersecurity-resources-manufacturers.
Questions?
For more information, contact DoD OSBP at 571.372.6191.
