The Need for Knowledge Management in Cybersecurity Programs

By Maria Proestou
CEO & Founder, DELTA Resources, Inc.

As a firm dedicated to helping government clients address emerging technical challenges, DELTA has been privileged to be on the ground floor of the development of cyber defense solutions for Department of Defense (DoD) clients. We are therefore engaged in helping our government clients develop concrete approaches to implementing the Defense Federal Acquisition Regulation Supplement clause DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. While the clause is designed to promote information security across the defense industrial base, the breadth of its definitions creates a potential ocean of covered defense information (CDI), and with it a need for knowledge management within company cybersecurity programs. Done well, that knowledge management can also improve acquisition outcomes.
 
The protection of CDI is something that every member of the defense industrial base takes very seriously. We all know the risks to national security that an accidental or deliberate data breach can create.

The key to implementation is to ensure that any new compliance regime achieves its primary goal: protecting this sensitive data both within individual companies and throughout the supply chain. Most of my colleagues in industry already have fully compliant programs, as do our subcontractors. For those in industry who still do not have sound programs, several reputable companies exist to assist with implementing high-quality cybersecurity programs. The federal acquisition workforce is similarly engaged in ensuring the regulation is incorporated into all active contracts, and our agency customers are developing new ways to evaluate the monitoring and reporting that surrounds this important element of defense firms' implementation programs.
One area that requires additional work, however, is the development of sound knowledge management regimes to define and manage the risks associated with specific covered data. The official definitions of CDI are very broad, generating no small amount of confusion about how a given piece of data should be protected. For example, should publicly available budget data be protected at the same level as sensitive technical design data? Not necessarily, but the process currently leaves no room for that kind of common-sense distinction. Contracting officers are forced to designate entire contracts as falling under the scope of the regulation, placing both mundane and highly sensitive data under the same umbrella of protection.

By casting the net so widely in the definitions of data, we may be creating unanticipated and unwelcome risks to the integrity of the entire program. Effective knowledge management needs to be part and parcel of the measurement of effectiveness of cybersecurity programs across the industrial base. Applying risk measures to specific types of covered defense information is the next important step in ensuring full implementation of industrial base cybersecurity programs: in practice, that means classifying each covered data set by its sensitivity and tailoring safeguards and monitoring to that classification rather than to the contract as a whole. This will allow resources to be applied appropriately in this dynamic and evolving field, supporting federal government missions and improving acquisition outcomes.
 
This article appeared in the Fall 2018 Service Contractor magazine's Sounding Board feature.