How much work does a DCMA Cybersecurity Audit take?

Christopher Philips
2 min read · Mar 12, 2021

In the past, which cybersecurity standards you met was largely self-determined. With these self-assessments and no follow-up for standards not met, cybersecurity across the defense industry was poor. As I’ve spoken about previously, keeping records is important for the eventuality of a DCMA cybersecurity audit. This new practice of having contractors’ security checked, and the contractors held accountable for weaknesses, opens a whole new expense to worry about.

In Pivot Point Security’s interview with John Ellis, the head of DCMA’s cybersecurity policy efforts, John says “We’ve seen assessments go as fast as one-and-a-half days. We’ve seen them take the full week”.

More than a full day! The shortest audit is likely the one where everything is already set up properly. Setting everything up correctly to be checked takes an enormous amount of work, and that is before counting the time it takes to put the security in place in the first place.

This enormous amount of new specialized work brings new job opportunities. A quick search on Indeed yields 609 remote results! Someone needs to make the company compliant, and that compliance needs to be rigorously documented. Aside from the company running the audit and its staff, it also opens up a whole field for people to run mock audits or simply verify that everything looks good.

This new subsection of IT workers has a similar set of skill requirements but with a hefty new title and paycheck attached. It will be interesting to see how this new standard works out over the course of its introduction.

The interview is available here:

https://podcasts.apple.com/us/podcast/the-virtual-ciso-podcast/id1498720073

And a writeup is available here:

https://pivotpointsecurity.medium.com/what-can-my-company-expect-from-a-dcma-cybersecurity-audit-4ccea52c1f19
