Why Cybersecurity Is Important for Small Businesses


Cyber criminals consistently target businesses in an attempt to weaken our nation’s supply chain, threaten our national security, and endanger the American way of life.

Your small business may be at risk for cyber attacks that can cause damage in many ways, including:

  • Identity Theft
  • Business Interruption
  • Reputation Damage
  • Proprietary Information Theft
  • Hardware/Software Repair
  • Litigation Fees
  • Contract Loss

Cyber attacks can be very costly for a business when you factor in ransom costs, business downtime, and system restoration.

You need to know that your company’s systems and data are secure to do business with the U.S. Department of Defense (DoD) or any federal agency. You’ll need to demonstrate your ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).


Understanding Your Data

(Resource: https://dodcio.defense.gov/CMMC/About)

  • Federal Contract Information (FCI): As defined in section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
  • Controlled Unclassified Information (CUI): As outlined in Title 32 CFR 2002.4(h), CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” For more information regarding specific CUI categories and subcategories, see the DoD CUI Registry website.


Cybersecurity Compliance for Small Businesses

Defense Federal Acquisition Regulation Supplement (DFARS) regulations require compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 for the safeguarding of defense-relevant information and cyber incident reporting.

NIST SP 800-171 provides recommended requirements for protecting the confidentiality of CUI. Businesses must implement these requirements to show they can adequately secure and protect the covered information in their federal contracts.

The DoD additionally developed the Cybersecurity Maturity Model Certification (CMMC) framework to review and combine various cybersecurity standards and best practices. CMMC maps these controls and processes across three maturity levels that range from basic cyber hygiene to advanced.

Achieving Your Required Compliance Level

The CMMC Program provides assessments at three levels, each incorporating security requirements from existing regulations and guidelines.

Level 1: Basic Safeguarding of FCI

Requirements:

  • Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.

Level 2: Broad Protection of CUI

Requirements:

  • Either a self-assessment or an assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years, as specified in the solicitation. Which type of assessment applies is decided by the type of information processed, transmitted, or stored on the contractor’s or subcontractor’s information systems.
  • Annual affirmation verifying compliance with the 110 security requirements in NIST SP 800-171 Revision 2.

Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats

Requirements:

  • Achieve CMMC Status of Final Level 2.
  • Undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
  • Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.

Speak with your contracting officer to better understand what level of cybersecurity compliance you need to achieve. For more details on the various cybersecurity controls, visit https://dodcio.defense.gov/CMMC/About.

A Cybersecurity Education, Awareness, and Compliance Resource

The DoD Office of Small Business Programs (OSBP) initiated Project Spectrum as a comprehensive platform to provide the tools and training needed to increase cybersecurity awareness and maintain compliance in accordance with DoD contracting requirements.

Project Spectrum provides businesses and institutions with the most up-to-date cybersecurity compliance and policy best practices. The platform educates users on relevant topics that affect business risk management.

Project Spectrum offers heightened, cost-effective awareness tools and training to small- and medium-sized businesses that are particularly susceptible to cyber threats due to funding and other resource limitations.

For more information about Project Spectrum, visit https://projectspectrum.io.

Additional Resources for Small-to-Medium-sized Manufacturers

The Manufacturing Extension Partnership (MEP) is a unique public-private partnership that delivers comprehensive, proven solutions to U.S. manufacturers, fueling growth and advancing U.S. manufacturing.

The MEP National Network™ comprises MEP Centers located in all 50 states and Puerto Rico providing any U.S. manufacturer with access to the resources they need to succeed. MEP Centers have helped thousands of manufacturers improve operations, increase profits, create or maintain jobs, and establish a foundation for long-term business growth and productivity.

Many MEP centers can provide additional cybersecurity awareness and compliance resources for small-to-medium-sized manufacturers.

For more information, visit https://www.nist.gov/mep/cybersecurity-resources-manufacturers.

Questions?

For more information, contact us at 571.372.6191.