Have you seen cybersecurity requirements listed in contracts for work within your supply chain or in government contracts? If you are bidding for DoD or other federal contracts, you will find cybersecurity requirements in the FAR and DFARS regulations, and in the near future DoD contracts will require Cybersecurity Maturity Model Certification (CMMC). You will also see cybersecurity requirements flow down from the companies within your supply chain. If you are working within a supply chain, you will be required to help protect the information that is shared with you digitally.
While working with small and mid-sized companies to address their cybersecurity needs, our security professionals have found two common first steps that help you start becoming more cybersecure: having a system security plan and implementing two-factor authentication. Both are also explicit controls in NIST SP 800-171, the standard behind the DFARS and CMMC requirements (a system security plan under 3.12.4 and multifactor authentication under 3.5.3).
A system security plan (SSP) provides:
- an overview of your cybersecurity requirements
- descriptions of the controls you have in place or plan to use to meet the requirements
- a list of the people who have access to your system and their roles and responsibilities
A system security plan requires input from all members of your management team, not just the IT manager. The plan is meant to capture your full business, not just the computer network. For example, you will need to know who can access your financial data and how they access it. You will need to gather the documents that describe your policies and procedures. If a policy or procedure is in use but not documented, you will need to document it. You will also need a documented current state of your IT network. Together, all of these documents become your system security plan. A top-level document that links to each of the supporting documents can serve as the index for your plan.
Having a system security plan in place will help you identify your assets and perform a risk assessment for cyber threats. That risk assessment in turn helps you identify your vulnerabilities and plan for closing any gaps in your system. One gap we find repeatedly is weak control over who can access the system. This is where authentication of users comes into play.
Authenticating users who access your system is an important step in securing your network and data. The basic form of user authentication is to assign usernames and passwords to all of your authorized users. However, because passwords are routinely phished, guessed, or reused from breaches elsewhere, cybersecurity requirements now include two-factor authentication. Two-factor authentication requires a username and password plus a second factor, typically a one-time access code, before a person can access your system. The code is most often read from an authenticator app on a smartphone, received by text message, or displayed on a hardware token. It is valid only for a short period (typically a 30-second window for apps and hardware tokens, a few minutes for text messages) and is replaced by a new code once it expires. This raises the level of security because a stolen password alone is no longer enough to get in. Note that text-message codes are the weakest of the three options, since phone numbers can be hijacked; an authenticator app or hardware token is preferable where you have the choice.
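To make the code mechanism concrete, here is an added example (not code from the original post or from our security team's tooling) of how the time-based codes shown by authenticator apps and hardware tokens are generated and checked. It implements the standard HOTP/TOTP algorithms (RFC 4226 and RFC 6238) with Python's standard library only, and adds the two checks a server-side verifier needs that the paragraph above does not spell out: tolerance for small clock drift between the token and the server, and refusal to accept a code that has already been used. The shared secret is the RFC reference secret, encoded in base32 the way apps normally receive it; the class and function names are illustrative choices for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 defaults used by most authenticator apps: 30-second time step, 6-digit codes.
TIME_STEP = 30
DIGITS = 6

# Constructed sample secret: the RFC 4226/6238 reference secret ("12345678901234567890"),
# shown in base32 because that is how enrollment QR codes and apps exchange it.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Apps often strip spaces and base32 padding from the shared secret; restore them before decoding."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)          # keep leading zeros, e.g. "081804"


def totp(secret: bytes, at: Optional[int] = None, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second windows since the Unix epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code.

    Accepts the current time window plus `window` neighbours on each side (clock drift),
    compares in constant time, and refuses a code from a window that was already consumed.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = TIME_STEP, digits: int = DIGITS):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest counter accepted so far; persist per user in a real deployment

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        if not (submitted.isdigit() and len(submitted) == self.digits):
            return False
        counter = at // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison so response timing does not reveal how many digits matched.
            if not hmac.compare_digest(expected, submitted):
                continue
            if candidate <= self.last_counter:
                continue  # replay: the code for this window has already been used
            self.last_counter = candidate
            return True
        return False


if __name__ == "__main__":
    secret = decode_secret(EXAMPLE_SECRET_B32)
    print("current code:", totp(secret))
    verifier = TotpVerifier(secret)
    code = totp(secret)
    print("first use accepted:", verifier.verify(code))
    print("replay accepted:   ", verifier.verify(code))
```

A verifier that only recomputes the code and compares strings would accept the same code twice within its window; the `last_counter` check is what turns a time-based code into a genuinely one-time code. The drift window of one step means a code stays acceptable for up to 90 seconds in total, which is the usual trade-off between usability and exposure; widen it only if your tokens' clocks really do drift.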
Having a system security plan in place and adopting two-factor authentication will move you toward meeting your supply chain's cybersecurity requirements. Our security team also encourages you to update your system security plan regularly and to repeat your cybersecurity risk and gap assessment periodically, since both go stale as your systems and requirements change.