MEP National NetworkTM
If you’re part of the Department of Defense (DoD) supply chain, you may have heard about the requirements for Covered Defense Information (CDI). In short, manufacturers or any other entities with DoD contracts must comply with cybersecurity stipulations that dictate how they handle certain types of content — i.e., CDI.
More specifically, as of December 31, 2017, all contractors working for the DoD, regardless of their size, must make their internal systems comply with the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 and must at minimum implement NIST SP 800-171 security requirements, which encompass 14 categories. Fundamentally, DFARS Clause 252.204-7012 is about providing “adequate security” to CDI.
Manufacturers understandably want a clear definition of “Covered Defense Information” that they can refer to in order to avoid violating their DoD contracts. CDI is:
Additionally, CDI falls into four categories:
For manufacturers, information considered CDI might range from process sheets to data sets, among many other types of information. Additionally, complying with the requirements for CDI and NIST SP 800-171 is a team effort. It extends to every department — not just the IT professionals — at an organization.
After manufacturers learn to answer the question, “What is covered defense information?” the next question on their minds likely involves what the DoD means by “adequate security.” The most straightforward definition is that it means meeting the NIST SP 800-171 security requirements mentioned earlier.
Within the 14 categories of security requirements comprising the NIST SP 800-171, there are 110 basic and derived security requirements. Many of the specifics relate to controlled unclassified information (CUI), of which CDI is a part. Moreover, you’ll notice a substantial overlap in several categories.
Here’s a breakdown of the 14 categories and some of the matters that fall within each one:
Together, DFARS Clause 252.204-7012 and NIST SP 800-171 requirements may seem overwhelming, especially to smaller manufacturers or those who have not received government awards before. Start by evaluating your current level of cyber risk with the Cybersecurity Self-Assessment Tool and go from there.
Following that assessment, think about establishing a risk management system that can help identify what information your organization currently has, how it is currently being used, and what is being done to protect it. Understanding this helps to uncover not only areas of potential risk but also potential opportunities for business process improvements.
Documenting current efforts and creating and adhering to policies and procedures not only is a requirement to meet many of the NIST SP 800-171 requirements but also helps to provide evidence of an organization’s attempts to provide adequate security and can reduce the effort involved in ongoing protection of information.
If manufacturers want assistance with that part of the process, get in touch with your state’s Manufacturing Extension Partnership Program (MEP) Center. Your local MEP Center is connected to NIST and cybersecurity experts well-versed in NIST SP 800-171 and can help you navigate the specifics of creating a security program that meets the DoD’s requirements.
Elliot Forsyth is Vice President of Business Operations at the Michigan Manufacturing Technology Center (The Center). He joined the organization in July 2014 and is responsible for leading strategy, marketing, and business development, including the formation and implementation of The Center’s cybersecurity practice area. Prior to joining The Center, Elliot had more than 20 years of broad, global business experience with an outstanding record of leading Operations, Strategy, and HR functions.
Tune in to hear from Chris Brown, Vice President of Sales at CADDi, a leading manufacturing solutions provider. We delve into Chris’ role of expanding the reach of CADDi Drawer which uses advanced AI to centralize and analyze essential production data to help manufacturers improve efficiency and quality.