Announcement

Hawaii soldier awarded State Medal of Valor for hurricane rescue

A Hawaii National Guardsman received the State Medal of Valor last weekend for his heroic actions that saved the lives of six people during a hurricane.

Staff Sgt. Gregory A.Y. Lum Ho, of Bravo Company, 777th Aviation Support Battalion, was given the prestigious award on Feb. 9 by Hawaii Gov. David Ige at Wheeler Army Airfield.

“You epitomize the citizen-soldier and are a shining example of what valor is,” Ige said at Saturday’s ceremony honoring Lum Ho.

A State Medal of Valor is given to “individuals who distinguish themselves through a performance of an uncommon act of personal heroism involving the voluntary risk of his/her own life,” according to an Army release.

Lum Ho was assigned to Task Force Hawaii, which was created in response to the eruption of the Kilauea volcano. On Aug. 23, 2018, Task Force Hawaii’s mission changed to one of flood support with the advent of Hurricane Lane, which would produce the second highest amount of rain of any hurricane in the U.S. since 1950.

While Lum Ho and Pvt. Justin Dejesus were on a security patrol, they came across a family who were cut off from assistance by flood water and whose house was on the verge of collapse. Lum Ho worked with first responders to drive them to the family in his Humvee.

Lum Ho executed “a series of very difficult decisions … that would save the lives of a family of six, and one family pet,” Ige said at the ceremony.

During Lum Ho’s acceptance speech, he credited both the leadership training he received in the National Guard for preparing him for emergencies and his fellow service members for always having his back.

It was a team effort, he said. “[From] my co-driver who helped me navigate through the debris ... to the mechanics that actually got my Humvee ready every night and kept it safe for me, without those guys, none of this would happen.”

NIST 800-171 Compliance for Small Business

Small organizations that are working on military platforms, or hope to in the future, face a difficult challenge. Late last year, the Department of Defense (DOD) implemented a DFARS clause (252.204-7012) that requires compliance with a cybersecurity standard called NIST 800-171.

The standard is focused on a specific set of data referred to as Controlled Unclassified Information (CUI). At a high level this data includes design specifications, product material data, and procedures used to engineer, test, and manufacture both land- and air-based military platforms. It has 110 requirements that include a mix of technical and process controls focused on protecting CUI. An organization’s inability to comply with the requirements effectively serves as a barrier to entry for working in the industry. Many proposal solicitations are requiring compliance with the standard as a qualifier for bidding on a project.

No-Nonsense Approach

So, where do you begin? For small companies, meeting NIST 800-171 requirements can be especially difficult, but there are a few simple steps that can simplify the process.

1) Minimize the “footprint” of CUI data. In other words, keep the physical and virtual copies in common storage areas. Keep it off individual desktops and laptops and on a consolidated server.

2) Do not use email to exchange CUI data with partners, vendors, or customers. Use the secure data exchange frameworks that are available from most tier 1 vendors.

3) Leverage commercially available templates for process content (policies, incident response plan, awareness training, System Security Plan).

4) Have a third party help you with areas of the NIST standard that require clarification. Most consulting firms are open to answering some questions without charging for a full engagement. Be honest and tell them that you don’t really need help but had a few questions you were hoping they could answer (but keep it to 1-3 questions total).

Immediate Action Items

Near term, the most important items to complete are the system security plan (SSP) and plan of action (POA). The SSP defines the scope and approach for compliance, while the POA provides a timeline for addressing identified gaps. Both items were due for completion at the end of 2017. Online resources like the CSET self-assessment tool can help with identifying compliance gaps and developing the remediation plan. There are also online templates available for the SSP and POA, which can speed up the process of developing and completing the documents.

Keep in mind that the goal of NIST 800-171 is to protect information that is largely digital, so many of the required controls will deal with computer and network technology. If an organization does not have the internal expertise to sort through the technical details, this part of compliance is where money is best invested in external (consulting) assistance to identify gaps and develop a plan to address them.

Planned Implementation

Once the SSP and POA are completed, the balance of NIST 800-171 compliance relies on following the defined implementation plan. As the project evolves, any unforeseen obstacles or delays will necessitate updates to the POA. Stay on top of the schedule and track progress accordingly. Store all related documentation in a common network folder and, when the program is fully implemented, plan on conducting an annual audit, risk assessment, and security assessment.

By Guest Blogger: Rob Cote of Security Vitals