Large manufacturers are increasingly requiring compliance with cybersecurity protocols like NIST 800-171 and CMMC to win their business.

By Tom Sharp, Kelser Corporation

High-profile incidents involving foreign governments stealing strategic data or infiltrating defense-related organizations have resulted in unprecedented focus on cybersecurity in manufacturing. The Department of Defense recently issued an interim rule requiring compliance with incrementally increasing cybersecurity standards as a prerequisite for new contracts to be awarded.

Top-level or “prime” defense manufacturers such as Lockheed Martin, Northrop Grumman, Raytheon, Boeing, General Dynamics, Huntington Ingalls, BAE, General Electric and many more are being required to verify their compliance. As a result, they are now driving these requirements throughout their entire supply chain. The process can be daunting. Here’s how to get started.

Kelser Systems Engineer Rob Backus customizes IT hardware. Upgrades needed to comply with NIST 800-171 and CMMC vary for each manufacturer.

Plan of Action with Milestones

Although there will be trial or pilot contracts that have Cybersecurity Maturity Model Certification (CMMC) requirements, most manufacturers in the DoD supply chain don’t yet need to achieve compliance with the new CMMC framework. For the moment, all that’s required to remain eligible for contracts with the prime manufacturers is an analysis and plan for complying with NIST 800-171, the foundation for CMMC.

Manufacturers who use, transmit, receive or store controlled unclassified information (CUI) are required to analyze their cyber systems, protocols and practices against NIST 800-171 and create a Plan of Action with Milestones (POAM) and System Security Plan (SSP), which will be submitted to the Supplier Performance Risk System (SPRS). While an assessment and plan may seem simple enough, there are 110 controls or criteria that need to be evaluated, in addition to follow-on questions.

The NIST 800-171 controls range from technical specs, like the type of firewalls your organization is using, to policies for employees on passwords and multifactor authentication, to the physical security of your building itself. Some of the controls need to be tracked or documented over time, so be sure to allow at least several weeks to complete the work needed to submit successfully.

In order to make the process efficient and cost-effective, each manufacturer will need to take stock of its knowledge and capabilities. Some may have an IT team that can handle the entire POAM. Others may need assistance with all or some of the controls, or merely general coaching. The controls can be evaluated remotely, which makes it easier to engage outside help.

Leveling Up

It’s uncertain when additional guidance will be issued requiring more than just a plan for NIST 800-171 compliance from manufacturers in the DoD supply chain. However, DoD has been clear that, by 2025, it will require CMMC Maturity Level 3 certification. What does that mean?

CMMC, which expands on NIST 800-171, has five levels of certification. Contracts that contain CUI will require Maturity Level 3, which includes components such as regular cybersecurity awareness training for all employees, use of a VPN (virtual private network) when accessing company systems from off site, and a protocol for keeping software patches up to date.

While cybersecurity is often considered the realm of IT and technology, buy-in from the user community is integral to the success of these programs. Abruptly announcing something as mundane as a new password policy can create pushback from employees and hurt adherence. Making the whole team aware of the importance of this process in order to win business from major customers is key.

Many of the controls for CMMC come down to cybersecurity habits; creating and sustaining them takes time and care. Getting things right in the planning stage can help ensure the process goes smoothly.

Creating a cybersecurity culture used to be something each manufacturer could do on their own timetable, depending on how they weighed the risk. For those in the DoD supply chain, the need to win business now dictates the timeline, and those that stay ahead of the rollout will have a competitive advantage.

Tom Sharp

Tom Sharp is vice president of operations at Kelser Corporation, an IT managed services provider in Connecticut. He leads Kelser’s manufacturing IT team and works directly with manufacturers throughout the US to align technology and business objectives.