DoD Suppliers Get a Cybersecurity Wake-Up Call

Jan 25, 2021

By: Tom Sharp, IndustryWeek

December 16, 2020

What's behind this push, and how to be proactive.

Suppliers throughout the Department of Defense supply chain received memos this fall from their biggest customers mandating they demonstrate steps taken toward obtaining cybersecurity certification, or lose out on new contracts. For many small manufacturers, it was a wake-up call to beef up their cyber defenses. Even those operating outside the DoD supply chain can benefit from looking at what’s behind this push and how they can be proactive.

“If you are unable to comply with new mandatory requirements,” says one of the memos, “GE Aviation will be unable to continue to do business with your company.”

This wasn’t GE’s call, or Raytheon’s, or any of the other major manufacturers who sent out similar messages in recent months. DoD issued an interim rule effective November 30, 2020, stipulating that top-level defense manufacturers must require all of their suppliers to document assessment action towards complying with NIST 800-171, the baseline of the new Cybersecurity Maturity Model Certification (CMMC) framework. CMMC is being phased in between 2020 and 2025 and represents one of the strongest cybersecurity protocols in any industry.

A Long Time Coming, a Long Way to Go

While this mandate may seem abrupt, it is not. On the heels of Chinese cyber spies stealing U.S. military designs, DoD first required adherence to NIST 800-171 by December 31, 2017. However, the rule had no teeth. Manufacturers were expected to self-assess their systems and bring themselves into compliance. Many saw the writing on the wall and brought their systems up to date. Without any real incentive or enforcement to do so, others did not. The memos that went out this fall are the first steps toward consequences for noncompliance.

While the language of the memos manufacturers just received is fairly strong, what they’re being asked to do at this stage is somewhat minimal: complete an assessment. Specifically, they need to complete a DoD Assessment Methodology and submit the results (no more than three years old) through the Supplier Performance Risk System (SPRS). Part of this submission will include a plan and estimated date for achieving full compliance with NIST 800-171. At this point, that’s all it takes to remain eligible to receive new or renewed contract awards under DoD supply agreements. However, additional interim rules are likely to be issued in the coming months requiring additional milestones.

Getting on the Level

CMMC, which builds upon NIST 800-171 by adding other policies and best practices, has five levels of certification. By 2025, Maturity Level 3 compliance will be required to be part of the DoD supply chain. ML 3 includes 130 criteria, or “practices” to use the language of CMMC, so obtaining certification may seem daunting. However, many of the practices are common-sense steps most manufacturers have already taken. Oftentimes, checking off an item may simply entail quantifying or detailing a measure already in place to ensure there aren’t any gaps.

For example, multi-factor authentication, or MFA, is a CMMC practice familiar to most internet users. It’s a means of creating login security that’s stronger than a lone password. Users are texted a code (or receive one via an app) that they need to enter along with their password to log in. MFA can also include a physical object, like a fob, that has to be near a machine for the password to be accepted.

For an organization that takes cybersecurity seriously—for instance, one that handles plans and specs for military aircraft or submarines—MFA needs to be required for every user on every device in order to be effective. What a CMMC assessor is looking for is not just the presence of MFA, but the thoroughness and effectiveness with which it has been implemented.

Cybersecurity-awareness training is another example of a CMMC practice that has to be executed in a particular way. All employees have to train, and training needs to occur on a regular, ongoing basis. However, it can be quite brief—10 or 12 minutes a month completed on employees’ own schedule both checks the box and helps your team spot red flags and keep hackers out.

Physical security is intertwined with cybersecurity and part of CMMC as well. Since an unauthorized person inside your facility would have an easier time accessing sensitive data, identification badges and secure entrances and exits to your building are CMMC practices. When your employees are off-site, they must use a VPN (virtual private network) to access company systems. Mobile devices need to be locked and there has to be a way to wipe them remotely if lost. Patches. You have to patch your systems. No more out-of-date Windows.

Some manufacturers have all or many of these practices and other CMMC requirements in place, so the 2025 deadline provides plenty of time to obtain level 3 CMMC certification. It’s those manufacturers who haven’t started this process who are in for an uphill climb. One hurdle every manufacturer will face in the CMMC compliance process will be the requirement of an independent 3rd party auditor (C3PAO) to “certify” the Maturity Level achieved by the supplier. Like a financial auditor, the C3PAO will evaluate the practices in place and deliver either a remaining set of gaps or a confirmed certification which is valid for 3 years.

A Roadmap to Cybersecurity for Non-DoD manufacturers

If you don’t make something that at some point is used by the U.S. military, you’re off the hook for CMMC certification. Hackers, however, still want your data in order to sell it or withhold it for extortion. More than a third of cyberattacks against manufacturers cause over $1 million in damage. Even if your biggest customers aren’t demanding it, CMMC provides a top-notch playbook for preventing cybercrime.

With the exceptions of healthcare and financial services, most industries have nothing like CMMC to guide them in creating a defense-in-depth approach to cybersecurity. Manufacturers outside the DoD supply chain can truly benefit from seeing how they stack up against the CMMC standard. While they may not need to obtain a specific level of CMMC certification, the 171 practices it takes to achieve level 5 provide 171 potential layers to a defense designed to keep your company’s data safe and your production lines running.
