Dcma's Contributions To Cybersecurity Through DIBCAC

DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is making great strides in aiding the Defense Industrial Base in reducing the cyber risk exposure of a company and DoD data through their Defense Federal Acquisition Regulation’s Clause 252.204-7012 assessments of “Adequate Security” implementations. Since December 31, 2017, the DIB has been required to implement the cybersecurity requirements of NIST SP 800-171, “Protecting Controlled Unclassified Information (CUI) in NonFederal Information Systems and Organizations.” This Clause enacts 110 cyber requirements within DoD contracts. Starting in July 2019, DCMA began assessing large DIB companies in their implementation of these requirements labeled in the DFARS Clause as “Adequate Security.”

During the first 16 assessments, DCMA determined the largest DIB partners had strong cybersecurity programs that exceed the minimal requirements as defined by NIST. Starting in October 2019, the DIBCAC was a mission capable of conducting over 100 DFARS Clause 252.204-7012 assessments per year and focused their efforts on mid and small-sized DIB partners. 

This is where DCMA made great strides in educating and ultimately observing the reduced cyber risk exposure within the DIB. In some cases, there are companies that are very small but provide highly technical, important services and capabilities to the Department,which ultimately supportthe warfighter.

These smaller companies may not have understood or implemented the requirements. In our assessments, we get to work closely with company subject matter experts and leadership to ensure all parties understand what is required. In some cases, this has led to significant improvements in their cybersecurity posture, their programs, processes, and refocused efforts on the importance of cybersecurity, not only to meet federal requirements but to help protect their company data and intellectual property.

In one instance, the DIBCAC team identified items that needed to be corrected, and the company soon thereafter had a cyber-incident that they were able to identify, create mitigations for, and ultimately remediate. If they had not received a DIBCAC assessment,leading to valuable insight and discussions with our expert assessors, this particular company may not have been able to even identify the incident.

Like any cyber incident within the DIB, it may result in potential loss of the DoD data entrusted to them, along with a potential loss of their company intellectual property. In this particular instance, their intellectual property differentiates them from their competitors and is key for their company’s reputation, success, and future growth.

As we continue our assessment mission and work closely with the Small Business Administration, DoD, and Defense Industry groups, we evangelize the need for adequate security. We do this, not only to meet contract requirements but as a best practice that aids in reducing the risk across what the Department of Homeland Security defines as“Critical Infrastructure” due to being vital to the United States’ physical and economic security and safety.