How the DOD Cyber Security Program Impacts Contractors


Defense contractors usually sit at the leading edge of DOD technology programs, and their contributions help the US maintain the most capable military in the world. Because of that position, they have always needed top-notch cybersecurity.

Until recently, the US Government relied largely on contractors' own attestations that they practiced sound cybersecurity. That changed in 2020 with the Cybersecurity Maturity Model Certification (CMMC). According to the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), the CMMC combines several existing security standards and industry best practices into a single framework intended to reduce the risk of threats to contractor systems.

The implementation of this certification has changed the way contractors do business. In this article, we’ll look at the measures that the DOD has implemented to ensure governmental data safety when working with contractors. We’ll also delve into how contractors can figure out if they comply with current standards.

No Longer an Honor-Based System

In the past, contractors only needed to sign a document stating that they followed industry best practices for cybersecurity; compliance was taken on trust. Unfortunately, recent events forced the government to reconsider its stance. In March 2019, NBC News reported that Iranian-backed hackers had gained access to contractor systems and acquired sensitive data on government-funded projects. Given the potential fallout from the loss of such information, the Pentagon decided to act. The CMMC is the result of that consultation, and it is designed to verify, rather than assume, that contractors meet the security standards the government expects of them.

The Cyber Security Obligations for Contractors

The DOD cybersecurity program centers on one specific clause: Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, known as the "7012 clause" or, by its title, Safeguarding Covered Defense Information and Cyber Incident Reporting. It places the responsibility on the contractor to identify where sensitive government information resides in its systems and to keep that information secure.

Contractors need to know what kind of information they will receive. The 7012 clause deals with "covered defense information" (CDI). CDI includes unclassified controlled technical data and other categories of information listed in the Controlled Unclassified Information (CUI) Registry. If the contract involves handling CDI, the company must verify that its practices meet the requirements of the DOD cybersecurity program.

DOD Cyber Security Program Guidelines

The main requirements the DOD places on contractors are:

  • Security Standards: At a minimum, contractors must implement the controls in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). This includes maintaining a system security plan (SSP) that describes how each requirement is met and a plan of action and milestones (POA&M) for any requirement not yet implemented. DOD may request both documents when evaluating a contractor.
  • Rapid Incident Reporting: After discovering a cyber incident, contractors have seventy-two (72) hours to report it. Reportable incidents are defined broadly. All reports must be submitted through the Defense Industrial Base (DIB) portal, which requires a DOD-approved medium assurance certificate. Because the reporting window is so short, contractors should obtain this certificate in advance rather than after an incident occurs.
  • Cloud Computing Standards: The DOD cybersecurity program has its own requirements for cloud-based solutions. If the contractor operates its own cloud environment, that environment must implement NIST SP 800-171. If a third-party cloud provider stores or processes CDI, the provider must meet security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline. The provider must also comply with the clause's obligations on cyber incident reporting, malicious software, media preservation and protection, access to additional information for forensic analysis, and cyber incident damage assessment.

Relying On Your Business Practices

Contractors already have their own operating standards for their cybersecurity functions, but it does not hurt to have a second opinion. Sync Resource understands the NIST SP 800-171 requirements that underlie both the CMMC and the standard DOD cybersecurity obligations. If you would like a third-party audit of your systems, or just advice on how to improve them, give us a call. We will be glad to help you become fully compliant with DOD cybersecurity standards.


ISO/IEC 27001 Implementation — Step By Step Guide

If you are planning to implement ISO 27001 in your organization, you will probably look for a shortcut. Unfortunately, there is no shortcut to a successful implementation of the ISO/IEC 27001 standard.

To make it easier, we have compiled a step-by-step guide to implementing ISO 27001, the Information Security Management System (ISMS) standard. Below are the steps you should follow for a sound ISO 27001 (ISMS) implementation.

Step 1 – Identify the Objectives of your Business

It is important to identify and prioritize objectives in order to gain full management support. To start, the primary objectives of the organization can be drawn from, but are not limited to, the company's mission, IT goals and other strategic plans. Typical objectives include:

  • Improved marketing potential
  • Assurance to business partners of the company's compliance with information security requirements
  • Increased revenue and profit by providing strong protection for client data and information
  • Reassurance to clients and stakeholders of the company's commitment to information security, data protection and privacy
  • Compliance with industry regulations and guidelines

Step 2 – Obtain Management Support

Management involvement is essential to commit to the planning, implementation, operation, monitoring, review, maintenance and continual improvement of the ISMS. That commitment must be backed by action, for example by ensuring that adequate resources are available to run the ISMS and that all staff affected by it have the necessary training, awareness and competence.

Step 3 – Define the Scope

ISO 27001 allows the ISMS scope to cover all or any part of the organization. If you are a small organization, applying it to the whole organization is usually simpler and reduces the chance of risks falling outside the scope.

Clause 4.3 of ISO 27001 (Determining the scope of the ISMS) requires the organization to define and document the boundaries of the ISMS. Only the processes, business units, locations and external vendors or contractors that fall within this documented scope are covered by the certification.

Keep the scope manageable: include only those parts of the organization, logical or physical, that you can realistically bring under control, and state clearly what is excluded and why.

Step 4 – Write a brief ISMS Policy

The ISMS policy (the information security policy in the standard's own terms) is the highest-level and most important document in your ISMS. It does not have to be extensive, but it should briefly state the basic principles of information security management in your company. Its purpose is for management to tell employees and other parties what must be achieved and how it will be controlled.

Step 5 – Define Risk Assessment Methodology & Strategy

Prepare an inventory of the information assets and services that need to be protected. Then define a risk assessment methodology that you will follow consistently to identify, analyze, evaluate and treat risks according to their importance.

For each asset, record its owner, its location, its criticality to the business and its replacement value, and identify the risks to it separately so that they can be compared on a common scale.

Step 6 – Create a Risk Treatment Plan & Manage those Risks

A risk treatment plan lets you categorize risks by their impact and likelihood and decide what to do about each one. The standard options are to reduce the risk with controls, to avoid it by stopping the activity that creates it, to transfer (share) it, for example through insurance or a contract, or to accept it where it already falls within the organization's risk appetite.

The plan records who will do what, with whom, by when and with what budget for risk assessment and treatment. This is a crucial step for a successful ISO 27001 implementation.
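As an added illustration of Steps 5 and 6 (not part of the original guide), the following Python sketch applies a qualitative likelihood × impact method to a constructed asset and risk register and derives a treatment plan ordered from the highest risk down. The asset names, owners, replacement values, scales and risk-appetite thresholds are assumptions for illustration only; a real assessment would use the methodology and scales your organization documents.

```python
# Added illustration of an ISO 27001 risk assessment (Step 5) and
# risk treatment plan (Step 6). The assets, risks, scales and
# thresholds below are constructed for illustration only.
from dataclasses import dataclass
from enum import Enum


class Treatment(str, Enum):
    ACCEPT = "accept"      # within risk appetite: record and monitor
    REDUCE = "reduce"      # apply controls to lower likelihood or impact
    TRANSFER = "transfer"  # share the risk, e.g. insurance or a contract
    AVOID = "avoid"        # stop the activity that creates the risk


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str               # accountable person
    location: str            # where the asset lives
    replacement_value: int   # rough cost to replace or rebuild (kEUR, assumed)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        # Reject values outside the documented scale so scores stay comparable
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be between 1 and 5")

    @property
    def score(self) -> int:
        # Qualitative likelihood x impact matrix, range 1..25
        return self.likelihood * self.impact


def select_treatment(risk: Risk, appetite: int = 6, avoid_at: int = 20) -> Treatment:
    """Choose a treatment option by comparing the score with the risk appetite.

    The thresholds are assumed values: a score at or below `appetite` is
    accepted, a score at or above `avoid_at` is avoided, and in between the
    option depends on the likelihood/impact shape of the risk.
    """
    if risk.score <= appetite:
        return Treatment.ACCEPT
    if risk.score >= avoid_at:
        return Treatment.AVOID
    # Severe but unlikely events are often cheaper to share than to control
    if risk.impact >= 4 and risk.likelihood <= 2:
        return Treatment.TRANSFER
    return Treatment.REDUCE


def build_treatment_plan(risks, appetite: int = 6, avoid_at: int = 20) -> list:
    """Return plan rows, highest score first, so the plan is worked top-down."""
    plan = []
    for risk in sorted(risks, key=lambda r: r.score, reverse=True):
        plan.append({
            "asset": risk.asset.name,
            "owner": risk.asset.owner,
            "threat": risk.threat,
            "vulnerability": risk.vulnerability,
            "score": risk.score,
            "treatment": select_treatment(risk, appetite, avoid_at).value,
        })
    return plan


# Constructed sample register for a hypothetical organisation
CUSTOMER_DB = Asset("customer database", "Head of IT", "datacentre, rack 3", 250)
LAPTOPS = Asset("sales laptops", "Sales manager", "mobile", 40)
WEBSITE = Asset("public website", "Marketing lead", "cloud hosting", 15)
LEGACY_PAY = Asset("legacy payment gateway", "Finance director", "datacentre, rack 1", 80)

SAMPLE_RISKS = [
    Risk(CUSTOMER_DB, "ransomware", "backups never restore-tested", 3, 5),
    Risk(LAPTOPS, "theft", "full-disk encryption not enforced", 4, 2),
    Risk(WEBSITE, "denial of service", "no upstream traffic filtering", 2, 4),
    Risk(WEBSITE, "defacement", "CMS plugins not updated", 2, 2),
    Risk(LEGACY_PAY, "remote exploitation", "vendor support has ended", 5, 5),
]


if __name__ == "__main__":
    for row in build_treatment_plan(SAMPLE_RISKS):
        print(f"{row['score']:>2}  {row['treatment']:<8}  {row['asset']} / "
              f"{row['threat']}  (owner: {row['owner']})")
```

Running the script prints the register as a treatment plan: the unsupported payment gateway (score 25) is a candidate to avoid by decommissioning, the ransomware exposure (15) and unencrypted laptops (8) are reduced with controls, the denial-of-service risk (8, severe but unlikely) is transferred to the hosting provider's contract, and the low-scoring defacement risk (4) is accepted and monitored. The scales, thresholds and the simple shape-based rule are the kind of choices your documented methodology must make explicit so that two assessors reach the same result.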

Step 7 – Set Up Policies and Procedures to Control Risks

Regardless of its size, the organization needs documented procedures or policy statements for the controls it adopts, along with a statement of user responsibilities. This lets the organization assign roles and responsibilities so that the policies and practices are implemented consistently and effectively.

ISO 27001 requires accurate documentation of policies and procedures. However, which policies and procedures apply depends on the organization's location, assets and overall structure.

Step 8 – Allocate Required Resources and Implement Training plus Awareness Programs

If you want employees to adopt the new procedures and policies, first explain what they are and why they matter, then train staff so they have the skills and capacity to carry them out. The absence of such awareness and training is one of the most common reasons ISO 27001 projects fail.

Step 9 – Carefully Monitor the ISMS

As an organization, you should know:

  • What is happening in your ISMS?
  • What incidents have occurred so far, and of what type?
  • Are all procedures and policies being carried out as described?

This is where the monitoring, control and measurement methods come together: evaluate whether the goals being achieved match the objectives you set.

If you are not achieving goals to the standard you set, that is an indicator that something is wrong and corrective action is needed.

Step 10 – Prepare for an Internal Audit

In any organization, employees sometimes do things, knowingly or not, that are wrong and that affect the organization's performance and reputation. An internal audit exists to pinpoint such existing and potential problems. Its purpose is to trigger corrective or preventive action, not disciplinary action against employees.

Step 11 – Periodic Management Review

Management is not expected to build firewalls; rather, it should know what is going on within the ISMS and how efficiently and effectively the policies and procedures are working. The management review covers whether the ISMS policies are being followed and whether the desired results have been achieved. On that basis, management takes the key decisions.

[Infographic: ISO 27001 implementation guide]

Conclusion

ISO 27001 certification is achieved by aligning the ISMS with the business objectives you set and by pursuing those objectives efficiently. IT and the other departments of the organization all play a significant role in operating the ISMS.

Looking to get ISO 27001 certification for your business?

What questions do you have and how can we help?


ISO 27001 Information Security In Project Management


Integrating ISO 27001 information security into projects helps make any project more secure. Project managers are not expected to be experts in information security. However, by integrating information security into the phases, procedures and processes of each project, most importantly in project initiation and planning, project communication and project deliverables, project managers gain a structured way to deliver more secure systems.

In the latest edition, ISO 27001:2013, information security in project management is a new requirement: Annex A control A.6.1.5, Information Security in Project Management, requires that information security be addressed in project management regardless of the type or size of the project. To understand the procedures involved, see our overview of the ISO 27001 Information Security Management System (ISMS).

What is needed to establish ISO 27001 Information Security in Project Management?

All projects, internal or external, need resources, activities and an estimated time to complete each milestone. Information security can be integrated into project management activities as follows:

  • Include information security in the project objectives and deliverables. Set measurable security objectives so that the plan has as few loopholes for breaches or threats as possible; specific deliverables make the objectives measurable. An example of a measurable objective: the company aims to reduce information security threats, breaches and incidents by 50% by the end of 2018. This is a specific goal where the project manager understands what is required and by when.
  • Carry out a risk assessment in the initial stages of the project. Risk assessment is considered the most difficult yet most important part of any information security project. With standard tools, adequate resources and clear objectives, a thorough risk assessment at the start of the project reduces the chance of project failure. The main aim of information security in project management is to minimize incidents by assessing risks throughout the project baseline. As a project manager, you also need to categorize those risks by severity and importance so that each is handled according to its importance to the project.
  • Identify and apply treatment for the risks identified during the initiation phase, and make sure the required security measures for each risk are implemented.
  • Make the information security policy an obligatory part of every phase and stage of a project.

It is particularly important to integrate ISO 27001 information security management into project activities for projects that deal directly with sensitive information and that depend on confidentiality and integrity.

What are the benefits of ISO 27001 Information Security in Project Management?

If you implement information security across your organization, it stays a part of your management system and is therefore applied in all of your projects. The organization is then also accountable for, and compliant with, all the clauses and requirements of ISO 27001.

This immediate control also gives information security the required visibility and weight within the organization, which is a positive starting point for any project.

Information security is then viewed not merely as a requirement of a standard, but as a basic parameter in planning and executing any project within the organization. Some prominent benefits of information security in project management are:

  • It helps project managers secure the information in the project in whatever form it exists, including confidential company documents, digital databases, data and information devices, and cloud servers.
  • It increases resilience to security threats, including data breaches and cyber-attacks.
  • ISO 27001 provides a single framework to manage the information security of all projects under one roof while keeping the organization's sensitive information safe.
  • By implementing the ISO 27001 ISMS within projects, especially from the initiation phase, organizations can identify potential risks early and respond accordingly, reducing the chance of the same risks recurring.

Conclusion

It is often said that information security is a process, not a separate project. However, each component of information security should still be treated as a project in its own right and applied accordingly within the organization and its projects.

Information security must be treated as a core pillar of any organization and integrated seamlessly into project objectives, activities and deliverables. A secure development policy should likewise be treated as a basic pillar of a secure service.
