SLIDE 1

2019 Cybersecurity Report Beyond Obfuscation: The Defense Industry’s Position within Federal Cybersecurity Policy

SLIDE 2

About the Report

  • Section I: Illustrations of Cyber Threats and Vulnerabilities
  • Section II: Policy Response to Cyber Risk
  • Section III: Industry’s Perspective (Survey Analysis)
  • Section IV: Conclusions and Recommendations

1/9/2020 2

  • Released: August 2019
  • Available online at: NDIA.org/CyberStudy2019
SLIDE 3

SECTION III: INDUSTRY’S PERSPECTIVE (SURVEY ANALYSIS)

SLIDE 4

Methodology

  • Online Survey Developed with NDIA San Diego Chapter
  • Distributed via Email & NDIA Website
  • Responses Collected for 60 Days
  • Approximately 300 Responses Collected

– Participation was not limited to NDIA members

SLIDE 5

Demographics

Chart: Primary Industry (categories: Technology, Manufacturing, Services, Other)

SLIDE 6

Demographics

Chart: Number of Employees (categories: 1 to 500, 501 to 1000, 2001 +)

Chart: Primary Position in the Supply Chain (categories: Prime contractor, 1st tier subcontractor, 2nd tier subcontractor, 3rd tier subcontractor, Raw material supplier, Processor)

SLIDE 7

Company Financials

  • Key Takeaways

– Subcontractors are less dependent upon revenue from the Department of Defense than prime contractors
– Small businesses have less diversified revenue streams than larger businesses

SLIDE 8

Information Technology

  • Key Takeaways

– Large businesses employ more security measures than small businesses
– Small businesses are more reliant on external information security solutions
– Use of personal devices is much more prevalent among small business employees

Chart: What Security Measures Does Your Company Use? (series: Large Companies (500+ Employees), Small Companies (<500))

Response options shown:

  • Other
  • We outsource most of our IT support to an external provider
  • We self-service but do not have staff dedicated
  • Hosts its own website
  • Relies on anti-virus software that came installed on our equipment
  • Has a dedicated email server
  • We have a dedicated in house IT person or department
  • Uses access security at the workspace in addition to door locks
  • Requires VPN usage for remote work
  • Uses two-factor or multi-factor authentication for log-ons
  • Uses a firewall

SLIDE 9

Information Technology

Chart: Data Storage Methods (series: Small %, Other-than-small %; categories: Personal-use desktop or laptop only, An external drive, Internally-owned network storage, Server provided by managed-services company, Onsite, Offsite, Internally-owned cloud server, Commercial cloud service)

Chart: Device Use Policy (series: Small %, Other-than-small %; categories: Issue corporate mobile phones, laptops or tablets for mobile use; Let employees use their own mobile phones, laptops or tablets for corporate purposes; Use Government-issued devices)

SLIDE 10

COST ESTIMATING AND ACCOUNTING

  • Key Takeaways

– The majority of respondents view security-related costs as a cost-driver when pricing contract bids
– Industry supports treating costs associated with carrying out DFARS 7012 requirements as direct costs
– Nearly half of respondents have not estimated the cost of DFARS 7012 compliance

SLIDE 11

COST ESTIMATING AND ACCOUNTING

SLIDE 12

Corporate Opinions

  • Key Takeaways

– 44 percent of companies with greater than 500 employees have been the victim of a cyber attack
– Of a list of potential cyber-related threats, respondents are least concerned about having a contract rescinded by a prime contractor or contracting officer as a result of a cyber incident
– Small business does not have an adequate sense of the cost of responding to or recovering from a cyber incident
– 44 percent of prime contractors do not have documentation of a system security plan (SSP) from their subcontractor(s)

SLIDE 13

Corporate Opinions

SLIDE 14

Corporate Opinions

SLIDE 15

Corporate Opinions

SLIDE 16

Corporate Opinions

SLIDE 17

REPORT RECOMMENDATIONS

SLIDE 18

Recommendations for Government

  • Increased communication between industry partners with a focus on small business
  • Right-size the flow of information to industry
  • Simplifying the current cyber regulatory regime

SLIDE 19

Recommendations for Industry

  • Prime contractors must share best practices and experiences with lower-tier companies while working with government to manage the flow of sensitive information within the supply chain
  • Smaller businesses need to make a more intentional effort to adopt cyber fortifications and ensure compliance with current cyber regulations
  • All of industry must commit to working with government as the new CMMC program is developed to ensure that the new set of regulations is as effective as possible without an undue burden on industry

SLIDE 20

QUESTIONS?

Corbin Evans, Director of Regulatory Policy

CEVANS@NDIA.ORG, (703) 247-2598