Articles & E-Books


What manufacturers who supply products for the Department of Defense should know about an IT controls review

Dec 04, 2020

By Anna-Kay Sterling

In today’s cyber world, the manufacturing industry faces increasing attacks from cybercriminals attempting to gain access to critical systems and resources.

According to a 2020 Data Breach Report by Verizon, 64% of breaches faced by the manufacturing industry were a result of crimeware, web applications and privilege misuse. The report goes on to say that, while the majority of attacks are financially motivated, there was a sizable showing of cyber-espionage-motivated attacks in this industry as well. Internal employees misusing their access to abscond with data also remains a concern for this vertical. Out of 922 incidents, there has been a reported 381 confirmed cases of data disclosure (which also includes the theft of intellectual property).

The Department of Defense (DoD) mandated that DoD contractors (manufactures) who wish to supply products and services must meet and comply with a specific cybersecurity standard. The National Institute of Standards and Technology (NIST) created SP 800-171, which provides recommended requirements for safeguarding controlled unclassified Information (CUI). By implementing the NIST framework, your organization can help ensure compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.

How performing an IT controls review helps your compliance

To assess whether your company is in compliance with DFARS, you should consider having an IT controls review performed. Working with an independent consultant who understands the NIST SP 800-171 framework can provide valuable insight to your organization.

An IT controls review will not only help ensure your company is in compliance with the legal and regulatory standards but also evaluate your risk. It examines and evaluates your information technology environment, operations and policies — collecting and reviewing evidence and determining any gaps that may exist. In the end, it helps your management ensure proper safeguards have been implemented to protect your company’s assets.

Before the IT controls audit begins, the planning phase will help determine key systems and processes to include in the scope of the audit. This phase will also ensure areas with greatest risk are appropriately covered. Your auditor will meet with your management to gain an understanding of your company’s business objectives, strategies and the role technology plays to support your business model. This phase also helps determine the extent and type of testing that will be performed.

Audit-based risk assessment

To ensure proper audit coverage for an organization, performing an audit-based risk assessment is crucial. In this risk assessment, the auditor identifies your company’s data, application, technology, business activities and processes. Then they document associated risks along with controls for each category. Finally, they use a scoring system to rank the controls’ risk for each category.

Auditors often use three test methods during an IT controls review.

  1. Inquiry: Inquiry involves meeting with management from various departments to answer questions related to your company’s business processes. During this phase, the company achieves a better understanding of the controls present in the processes.
  2. Observation: During the audit, the physical observation of processes helps determine whether the presence of physical access controls are in place. Access controls are designed to protect your organization from unauthorized entry to restricted areas (e.g., computer rooms, wiring closets, etc.). Environmental factors — such as smoke detectors and sensors generators, just to name a couple — are also observed.
  3. Inspection: Auditors collect relevant and reasonable evidence to support conclusions regarding your company’s business functions and help determine whether controls are in place and are consistently performed and appropriately documented.

Measures to take to become compliant with DFARS

NIST SP 800-171 security requirements are broken into 14 main areas. Each area addresses the requirements related to the general security. Below is a summary of the controls you should have in place to be in compliance with DFARS.

1. Access control

Your company should have proper security administration guidelines in place that defines how user access is granted, changed and revoked to critical systems. This process should be a formalized to “close the loop” and include the documentation of approval from management.

In addition, you should have appropriate procedures in place to ensure access is set up appropriately based on job responsibilities.

Finally, user access recertification should be evaluated. User access must be reviewed at least annually or based on your company’s risks tolerance. Business owners must perform and complete documentation of the review and consider the following:

  • Determine whether user access is appropriate
  • Determine whether terminated user accounts have been removed
  • Determine whether administrative rights remain appropriate

2. Awareness and training

Your organization should carry out security awareness training across the board to ensure all levels of the organization are aware of security risks, policies and compliance. The content should include a basic overview explaining the need for information security, user actions to maintain security, and response techniques. It’s imperative that employees are educated about their roles and responsibilities. Training should also include the review of policies, procedures, tools and security roles.

3. Audit and accountability

You must have proper procedures and resources in place to review security and access logs. Organizations should first ensure logging has been enabled for systems that store and transmit CUI. The logs should help reveal the manipulation or any other unauthorized use of CUI. Some examples of what the audit policy should capture are:

  • Account logon (failure): Tracks successful login attempts
  • Account management (success): Logs when a user account or group is created, changed or deleted
  • Log-in events (failure): Records all attempts to log on to a local computer
  • Policy change (success and failure): Audits every incident of a change to user rights, assignment policies or audit policies

4. Configuration management

Configuration management is a process that securely maintains your technology by developing expected baselines for tracking, controlling and managing system settings. Management should ensure baseline configurations are kept up to date when changes are made based on security risks.

In addition, changes to the configurations should follow formal change control process. Make sure to document the change control process and include proposal for change, justification, implementation, testing, review and disposition of changes to the systems.

Furthermore, you should have physical and logical access restrictions in place, and you should only allow qualified and authorized individuals to initiate changes to systems.

5. Identification and authentication

You should have proper authentication methods in place to ensure that sophisticated tools used by hackers cannot easily break into systems using week passwords. Password configurations should follow industry standards and should be consistent throughout the environment.

Organizations should consider implementing the use of multifactor authentication in order to provide increased security over CUI. To establish accountability, organizations should require usernames to be unique. Organization should also ensure that whenever usernames are no longer required, they are appropriately disabled.

6. Incident response

You should have incident response policy and procedures in place and provide guidance on the steps to take for detecting, handling, containing and responding to incidents. You should also provide incident response training and involve key personnel to ensure you include appropriate content and level of detail.

In addition, you should train employees on how to recognize and report an incident. It’s important to properly document incidents and include relevant information that would be beneficial to forensics investigator. In order to determine whether the incident response plan is effective, you should conduct tests to identify weaknesses.

7. Maintenance

Perform proper maintenance for system components that store or transmit CUI as well as systems that do not retain data such as printers and copiers. For assets that require maintenance offsite, ensure you complete proper sanitation procedures and the asset does not contain CUI. Before restoring a system back onto the organization network, complete a scan to detect malicious code.

8. Media protection

Media that contain CUI should have proper physical controls in place. If media assets must be taken off company premises, management should ensure these media assets are transported in locked containers and have cryptographic mechanisms enabled. Management should have procedures in place for maintaining and updating an inventory of media assets. Media assets that contain and maintain CUI should be limited to individuals who require access to carry out job duties. When media assets reach end of life, management should have proper procedures in place to sanitize these assets so that information cannot be retrieved.

9. Personal security

Conduct proper due diligence procedures for individuals before you provide access to organization assets. In the event an individual is terminated, management should ensure their removal from systems components gets carried out in a timely manner. When conducting exit interviews, it’s important that management reminds terminated individuals of nondisclosure agreements and potential limitations on future employment. Put a process in place for position changes to ensure the employee no longer has access to system accounts that is no longer needed.

10. Physical protection

Restricted areas that store and transmit CUI should be physically secured and limited to authorized users. Put proper monitoring techniques in place and provide continuous coverage of the area to prevent and deter theft. In the event visitors require access to restricted areas, keep a log of those visits, and escort visitors to these areas.

11. Risk assessment

A risk assessment is a living document that will frequently change as developments in technology, environmental factors or regulatory standards change. The risk assessment should consider various components such as external threats, vulnerabilities, likelihood of occurrence, impact to organizational operations and organizational assets. The objective of the risk assessment is to identify and evaluate risks related to information security and information technology assets while assessing the risks to your company’s business objectives.

12. Security assessment

It’s imperative that your organization have a process in place to periodically test information security controls. Doing this will help you determine what vulnerabilities are present. As you obtain results, make sure you keep track of the remediation efforts and ensure gaps are closed timely. Implementing an effective vulnerability management program in your organization will help you proactively assess and understand risks. Continuous security monitoring of your network will help your organization have ongoing awareness of threats, vulnerabilities and risks.

13. System and communication protection

Monitor and secure data that gets transferred both internally and externally. Ensure proper security measures are in place for boundary systems such as gateways, routers, firewalls and virtual private network (VPN) tunnels. Of these systems, it’s important to keep track of those who have access and restrict access to those required to perform daily job duties.

For servers or devices that are public-facing, ensure these components are both physically and logically separated from the internal networks. Review firewall rules and ensure it’s properly configured to protect the network from unauthorized activities. The rules should be defined to allow or disallow traffic if certain conditions are met.

14. System and information integrity

Put a process in place to identify systems that are affected by vulnerabilities. In addition, implement a patch management program to ensure security updates are applied timely. To prevent malicious activities from taking place on the network, implement antivirus/antimalware or reputation-based technologies. These technologies will help to limit or eliminate the effects of malicious code.


At the conclusion of the audit, your auditor will prepare a report that describes the procedures performed and provides a summary of findings along with any recommendations for enhancing controls. Risk ratings can be assigned for each stated recommendation. The intent of the risk rating is to help management prioritize corrective actions. Before the final report is prepared, management will have the opportunity to respond to each finding identified.


To decrease the number of cyberattacks against manufacturers, the industry will need to stay secure, vigilant and resilient. It’s more important than ever to ensure you have the proper controls in place to protect CUI. An IT controls review can assist you in evaluating systems and ensuring compliance with DFARS. Click here to learn more about Wipfli’s IT controls review service.

Related content:

New interim rule continues DoD push to increase the security and resilience of the Defense Industrial Base sector

DoD adds critical verification component to defense contractor cybersecurity requirements

Information security and the employee exit checklist: Part I