Small Contractors Struggle with Cyber Rules.

Author: Evans, Corbin L.
Position: NDIA Policy Points

Clear policy drives effective implementation. Conversely, complex, opaque policy frequently leads to confusion and lack of compliance. Unfortunately, complexity and lack of understanding limit the Defense Department's efforts to enhance cybersecurity in its supply chain.

Research by the National Defense Industrial Association's Manufacturing Division finds that the revised Defense Federal Acquisition Regulation Supplement (DFARS) part number 252.204-7012, and the continued evolution of the National Institute of Standards and Technology cybersecurity framework, add more complexity than clarity to the business environment for defense contractors.

Companies are actively opting out and others are simply watching from the sidelines, unconvinced the benefits of compliance are worth the costs. The department needs to streamline the policy, collaborate with industry partners to develop best practices for implementation, and help companies understand the risks to their business to incentivize compliance.

Recognizing the risks of cybercrime and interested in contractor efforts to implement evolving policy, NDIA's Manufacturing Division worked with experts to examine and explain levels of adherence. The resulting study, "Implementing Cybersecurity in DoD Supply Chains," released in July, highlights findings from a 2017 survey of small- and medium-sized businesses conducted by Michigan State University's Department of Supply Chain Management, in coordination with NDIA members. The full study is available at ndia.org/divisions/manufacturing/resources.

Findings illustrate how defense suppliers struggle to respond to escalating regulatory pressure for enhanced cybersecurity. The report indicates that most respondents, especially small- to medium-sized suppliers, possess a poor understanding of the DFARS and NIST framework.

Although this finding may not surprise others in industry and outside observers, policymakers and defense officials responsible for crafting these rules and regulations should take the results seriously. Effective reform requires clearly understood rules and strong education efforts to streamline implementation; unfortunately, the department has thus far fallen short in delivering clear policy and effective education.

As the report suggests, when contractors are inadequately educated about the technical implications of new cybersecurity regulations, they make poor implementation decisions. Lack of clear policy and education on strategies...
