Industry’s Media Platform of Choice
Champion Your Brand in Front of Decision Makers and Extend Your Reach Get Featured in the SPOTLIGHT
Industry’s Media Platform of Choice
Champion Your Brand in Front of Decision Makers and Extend Your Reach Get Featured in the SPOTLIGHT
Large manufacturers are increasingly requiring compliance with cybersecurity protocols like NIST 800-171 and CMMC to win their business.
By Tom Sharp, Kelser Corporation
High-profile incidents involving foreign governments stealing strategic data or infiltrating defense-related organizations has resulted in unprecedented focus on cybersecurity in manufacturing. The Department of Defense recently issued an interim rule requiring compliance with incrementally increasing cybersecurity standards as a prerequisite for new contracts to be awarded.
Top-level or “prime” defense manufacturers such as Lockheed Martin, Northrop Grumman, Raytheon, Boeing, General Dynamics, Huntington Ingalls, BAE, General Electric and many more are being required to verify their compliance. As a result, they are now driving these requirements throughout their entire supply chain. The process can be daunting. Here’s how to get started.
Although there will be trial or pilot contracts that have Cybersecurity Maturity Model Certification (CMMC) requirements, most manufacturers in the DoD supply chain don’t yet need to achieve compliance with the new CMMC framework. For the moment, all that’s required to remain eligible for contracts with the prime manufacturers is an analysis and plan for complying with NIST 800-171, the foundation for CMMC.
Manufacturers who use, transmit, receive or store controlled unclassified information (CUI) are required to analyze their cyber systems, protocols and practices against NIST 800-171 and create a Plan of Action with Milestones (POAM) and System Security Plan (SSP), which will be submitted to the Supplier Performance Risk System (SPRS). While an assessment and plan may seem simple enough, there are 110 controls or criteria that need to be evaluated, in addition to follow-on questions.
The NIST 800-171 controls range from technical specs, like the type of firewalls your organization is using, to policies for employees on passwords and multifactor authentication, to the physical security of your building itself. Some of the controls need to be tracked or documented over time, so be sure to allow at least several weeks to complete the work needed to submit successfully.
In order to make the process efficient and cost effective, each manufacturer will need to take stock of their knowledge and capabilities. Some may have an IT team that can handle the entire POAM. Others may need assistance with all or some of the controls, or merely coaching in general. The controls can be evaluated remotely, which facilitates engaging outside help.
It’s uncertain when additional guidance will be issued requiring more than just a plan for NIST 800-171 compliance from manufacturers in the DoD supply chain. However, DoD has been clear that, by 2025, it will require CMMC Maturity Level 3 certification. What does that mean?
CMMC, which expands on NIST 800-171, has five levels of certification. Contracts that contain CUI will require Maturity Level 3, which includes components such as regular cybersecurity awareness training for all employees, use of a VPN (virtual private network) when accessing company systems from off site, and a protocol for keeping software patches up to date.
While cybersecurity is often considered the realm of IT and technology, buy-in from the user community is integral to the success of these programs. Abruptly announcing something as mundane as a new password policy can create pushback from employees and hurt adherence. Making the whole team aware of the importance of this process in order to win business from major customers is key.
Many of the controls for CMMC come down to cybersecurity habits; creating and sustaining them takes time and care. Getting things right in the planning stage can help ensure the process goes smoothly.
Creating a cybersecurity culture used to be something each manufacturer could do on their own timetable, depending on how they weighed the risk. For those in the DoD supply chain, the need to win business now dictates the timeline, and those that stay ahead of the rollout will have a competitive advantage.
Tom Sharp is vice president of operations at Kelser Corporation, an IT managed services provider in Connecticut. He leads Kelser’s manufacturing IT team and works directly with manufacturers throughout the US to align technology and business objectives.
Made To Stay: Attracting Gen Z Into Manufacturing
A childhood in Kansas, college in California where she met her early mentor, Leigh Lytle spent 15 years in the Federal Reserve Banking System and is now the 1st woman President & CEO of the Equipment Leasing & Finance Association. Join us to hear about her ambition to be a great leader.
Get In Touch
Google news and SEO compliant, Industry Today’s state-of-the-art digital media platform offers bespoke media campaigns that target key decision makers and buyers to achieve your marketing and promotional goals.
Contribute
Showcase your brand and promote your business to our highly targeted audience. We offer detailed Google Analytics with measurable ROI to assure success. Submit your content for review by our Editorial team who will contact you to discuss the project further.
About Us
Reach Your Targeted Audience and Grow Your Business. Learn more About Industry Today.
Contact Us
© 2024 Industry today. All Rights reserved.
