Part 1 of our interview with Regan Edens looked into steps to simplify and enable DFARS compliance.
Part 2 will look into how contractors are managing their encryption mandate. Additionally, it will look at steps they can take to better secure their supply chain.
PreVeil: In the companies you’re looking at, how are they handling encryption and how far off are they from where they need to be?
Regan Edens: According to CMMC, FIPS 140-2 validated algorithms are required when CUI has to be encrypted. That was inherited from NIST 800-171. However, most defense contractors we speak with don’t even understand the FIPS 140-2 standards nor where they need to be. They don’t realize the requirements for FIPS 140-2 encryption for data in transit and at rest.
One point around which there’s a lot of confusion: everywhere NIST requires CUI to be encrypted, FIPS 140-2 is required; but where encryption can be used to protect CUI but is not required, FIPS 140-2 is not required either.
When is FIPS 140-2 encryption required?
When is FIPS 140-2 required?
FIPS 140-2 validated encryption must be used when required by NIST 800-171R2 inside the assessment boundary of the Covered Contractor Information System. CUI must be encrypted in transit on all devices or when stored at rest on mobile devices.
When is FIPS 140-2 not required?
CUI may be stored at rest on any non-mobile device or data center, unencrypted, as long as it is protected by other approved logical or physical methods. FIPS 140-2 validated encryption is an option, not a requirement, for CUI at rest on non-mobile devices: “organizations may employ different mechanisms to achieve confidentiality protection, including the use of cryptographic mechanisms and file share scanning.”
What is the definition of a mobile device?
NIST defines mobile devices as devices such as smartphones, tablets and e-readers.
Note: If the device only has storage capability and is not capable of processing or transmitting/receiving information, then it is considered a portable storage device, not a mobile device.
So, when we ask what encryption they are using to protect CUI, most of them don’t know the answer. The implications of this are particularly serious for email where often messages are going back and forth on Commercial O365. On Drive, they may have some sort of FTP process for accessing or retrieving emails but that’s a really bulky process and doesn’t fit well into a company’s workflow.
I tell them that as an interim methodology, PreVeil can get them started as they move off of O365 Commercial and into an encrypted platform.
Regan Edens: The supply chain is an important challenge that DTC has been focused on as well. In order to protect the supply chain, you need to protect the Primes and their subcontractors. What I am trying to do is revolutionize the coalition of the willing and create an ecosystem approach. The next major defense program will be won by the organization that secures their supply chain.
This ecosystem approach means I look at large primes and take their suppliers and essentially simplify the technology offerings to a common set of tools and licensing. And then create a cafeteria-style menu where there are technologies for small, medium and large defense contractors.
Some will see Microsoft’s GCC High as their solution but that’s probably only a very small percentage due to price and budget constraints. Additionally, there are only a dozen or so Microsoft integrators and there’s no possible way for them to service the whole DIB.
Most organizations don’t understand what they are doing, and they need to make the process affordable, so a menu-type option is ideal. If an organization needs to make a quick and easy choice, then PreVeil is a good choice.
PreVeil: Well thank you for talking to us, Regan.