It is not just large companies that fall victim to cyberattacks; small and medium-sized manufacturers and businesses, which are often unprepared for the common types of attack, are targeted as well. 43% of cyberattacks are targeted against small businesses.
In this featured article in the Spring 2021 issue of Enterprise Minnesota magazine, Scott Singer, President of CyberNINES, shares his experience of helping small and medium-sized manufacturers comply with Defense Federal Acquisition Regulation Supplement (DFARS).
“Our country’s supply chain is built on small business,” Singer says. “A lot of the ways people are trying to attack a Lockheed Martin or a BAE Systems or a Medtronic is through that supply chain where it’s not protected. It’s about, ‘How do I find a way into that larger company because I really want to get into them?’ So, it’s critically important that we protect that supply chain and help that small and medium business be secure.”
With the growing concern over national cybersecurity, the government is changing the way it assesses the cybersecurity readiness of its supply chain. The recent SolarWinds incident shows the important role each player has in protecting sensitive government data. As of 30 November 2020, the Department of Defense (DoD) requires both primes and sub-contractors to submit their NIST SP 800-171 score to the Supplier Performance Risk System (SPRS) and to enter a date by which they will become fully compliant. The concern Scott shares in his interview with Enterprise Minnesota is the rushed, unserious approach many companies take to the new requirements. If you get audited and your self-posted score differs from the score attested by the Defense Contract Management Agency (DCMA), you are at risk of losing any DoD awards or even going to jail.
“They’ll ask if you knowingly entered an incorrect score,” Singer says. “If there are any emails in your system that suggest you knew you weren’t in compliance but posted an incorrect score anyway, you’re subject to the False Claims Act. And that can take down your small business.”
And new changes are still coming to the DoD supply chain. The Cybersecurity Maturity Model Certification, which takes effect on 01 October 2025, will require a third-party audit by a C3PAO (Certified 3rd Party Assessment Organization). The level of your cybersecurity “maturity” will determine which contracts you can be awarded.
There are many steps small and medium-sized manufacturers can start taking now on their own. Among them is backing up your data. By having a really good backup process, companies can protect themselves from a ransomware attack. “I don’t want people to be paying ransoms because it perpetuates the business model,” Singer says in the interview. “And if everybody keeps paying ransoms, then it’s not going to go away.”
Find this and other important tips and thoughts shared by cybersecurity experts in the Spring 2021 issue of Enterprise Minnesota magazine here.