How to Share Files Within the Defense Industrial Base (DIB)

A Small Business Operations Perspective

Securely sharing data with suppliers and customers poses several challenges. This blog series provides insight into file sharing operations from a Defense Industry Base (DIB) small business perspective; Here are some common challenges, use-cases, and industry solutions for consideration when operating within small business resource constraints.

Data Privacy and Compliance:

Regulatory Compliance: small businesses are required to comply with data protection regulations such as GDPR, HIPAA, or industry-specific standards related to CUI or ITAR data-handling. Non-compliance can result in legal consequences, damage to a business’s reputation, or even the total collapse of a business.

Data Ownership: determining who owns the data and how it can be used is vital. Clear agreements and contracts should outline the rights and responsibilities of all parties involved. This is essential for the success of all businesses.

When data is shared between a large prime customer or government buyer to a small business supplier, this information should be flowed into the contract or purchase order.  In a manufacturing environment, for example, the data could take the shape of an engineering file meant to be transmitted into a machine such as a CNC mill.  Or it may be a ‘.pdf’, illustrating a part designed by an engineer and provided to a manufacturer to create a product.  In other cases, the data itself is what is being created by the small business. 

For the DIB, data identification is often one of the most challenging steps in the process, arguably because there is no single source of authority or sole repository that allows for simple reference or crosscheck.  Agencies all have different standards; similar terms can mean different things to different authorities.

Because identification is key to understanding the protection of data in the flow of business operations, it’s understandable why this step is often one of the most frustrating.

Cybersecurity Risks:

Data Breaches: small businesses often lack the robust cybersecurity infrastructure that larger enterprises have. This makes them more vulnerable to data breaches, which can have severe financial and reputational consequences.

Secure Transmission: Ensuring that data is securely transmitted between parties is crucial. The use of encryption protocols and secure communication channels is essential.

In the DIB, small businesses are often at the mercy of their customer as to how data is transmitted between the organizations.  This could mean using a third-party website like Sharepoint or applications like Kiteworks.  Depending on the data classification, using non-FedRAMP solutions may be problematic. 

FedRAMP solutions are not plentiful, and to a small business, can be outside a budget. There is also the matter of businesses lacking the understanding about where to find or vet FedRAMP solutions as part of the overall process.

Perhaps just as important to the big picture of securely transmitting files between parties is the number of solutions a small business may have to manage.  Because not all customers will use the same platform, it is up to the small business to keep track of the number of platforms and solutions – that may look like having to manage a password vault, as well as keeping track of a list of employees with authorization to access the various customer solutions.

Vendor Management:

Assessing Supplier Security Measures: Small businesses should assess the security measures implemented by their suppliers. This includes understanding how suppliers store and transmit data and what measures they have in place to protect against breaches.

Third-Party Security Audits: Regular security audits of suppliers can help ensure that they meet the necessary security standards.

Oftentimes, file sharing does not stop once a customer sends something to the small business supplier.  The small business supplier may need to subcontract specific processes out to other authorized parties. 

It is not as simple as implementing one of the secure file-share platforms and coming up with a process for employees to follow – although, that’s a good first step.  The small business must also consider how the supplier will handle the data once received.  While there is only so much a small business can do once the data has left their environment, it’s still important to follow due diligence in ensuring that the supplier can responsibly manage the data once received.

Technology Infrastructure:

Outdated Systems: Using outdated software and hardware can expose vulnerabilities. Small businesses should invest in up-to-date technology and regularly update software to patch known security flaws. This can be accomplished directly by the business, or through a third party managed service who is in tune with government compliance requirements.

Secure Cloud Storage: If utilizing cloud services, it’s important to choose reputable providers with robust security measures in place.

It is not uncommon in many “mom and pop” small shops for employees to share an email address via Hotmail, Yahoo, AOL, or any number of public webmail services. If a small business is sending data to a shop like one of these, it is important to consider the risks to the data. Is the small shop able to access data from a secure file share site instead of receiving it through an unencrypted email? Or, perhaps it makes more sense to FedEx a hard copy of the data.

Employee Training and Awareness:

Insider Threats: Employees can unintentionally or maliciously compromise data security. Regular training programs that educate employees on best practices for handling sensitive information are crucial.

Access Controls: Implementing strict access controls ensures that only authorized personnel have access to sensitive data.

It probably comes as no surprise that in a small business, administrative access is often granted to anyone wearing multiple hats. While this is convenient when a software program needs to be updated, or when a printer driver needs to be installed, it can also be the kiss of death to a business if a nefarious party gains access to a single user’s workstation. 

Additionally, in an environment like a machine shop, USB flash drives can be commonly used.  A USB flash drive can be used for data transfer from computer workstation to CNC machine.  A policy control with restriction of use of an unknown USB flash drive source is a good idea, but a technical control over port access is even better.

Communication and Collaboration Tools:

Secure Communication Channels: Utilizing secure communication tools for sharing sensitive information is vital. This includes email encryption, secure file-sharing platforms, and virtual private networks (VPNs).

User Authentication: Implementing strong user authentication processes ensures that only authorized individuals can access shared data.

Sharing data within a company is simply part of doing business.  What good is the .pdf of the blueprint the customer sends to be manufactured, if the .pdf cannot be accessed by the machinist who develops the g-code for the CNC machine to make the physical part?  Accessing that data and determining the appropriate business process is key to understanding how to protect the data that flows.

The customer data may also exist on a specific file server for the machinist to access.  Or, that data may be printed on large plotter paper, and marked appropriately.  If the machinist accesses the file electronically, are they doing so from a computer where they are logged in securely?  In a small business manufacturing environment, it is not uncommon for machinists to share a computer as data is sent to and from machines.  In a secure environment, it can be challenging to balance security and efficient business processes.

Backup and Recovery:

Data Backups: Regularly backing up data is critical in case of accidental deletions, data corruption, or cyberattacks. It ensures that business operations can resume quickly after a data loss event.

A small business should consider what makes most sense for its environment.  Many small businesses operate a file server on premise, or have a hybrid solution that allows for cloud collaboration and email tools apart from software like their ERP instance on-premise.  It’s just as important to routinely test the backups as it is to back up the data in the first place.

Budget Constraints:

Limited Resources: Small businesses often have limited resources for implementing advanced cybersecurity measures. Balancing security needs with budget constraints is a common challenge.

Addressing these challenges requires a comprehensive approach that includes a combination of knowledge and understanding, technology, policies, and employee training to create a secure data-sharing environment. Regular assessments and updates to security measures are essential in the ever-evolving landscape of cybersecurity threats.

In a small business environment, it can be challenging enough to keep up core business functions. For example, in a small business manufacturing environment, that may be: shop floor technology, workforce development and hiring focuses, supply chain management and cash flow; – the minutia of managing data with intent can be easily put on the backburner. This is a commonality we all share and can relate to.  Add the many layers of security considerations that fold into the simple practice of file-sharing, it can overwhelm at best.

File sharing within and between DIB companies is not something easily managed with a check-the-box solution.  It must be done intentional and with business processes in mind.  With these key considerations, small businesses are on the right path to securer processes, practices, and environments that will enable a more successful and long-lasting agency/prime/sub collaboration.

Sentinel Blue is a managed security service provider (MSSP) that works daily with the DIB tackling operational and security challenges designed to streamline effective agency/prime/sub collaboration, secure architecture and IT environments, mitigate threats and implement incident response best practice.