13 Feb Cyber security. Click to keep reading…
Over the past two or three years we have participated in many discussions and several contract negotiations which required that the involved parties comply with some level of Cybersecurity. I did not realize that this initiative dated back to Executive Order 13556, which was signed by the President on November 4, 2010.
As we stretch our Cyber Systems to the nth degree and utilize the Internet for exceedingly more functionality everyday, we expose ourselves and our databases to increased cyber threats and risk of contamination or theft. In an effort to address these concerns in industry, NIST and DOD (along with Industry partners) have been compiling two systems to provide a framework for “best practice” Cybersecurity.
What is it?
NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (CUI) intends to protect the confidentiality of unclassified data, documents and files. It helps to identify deficiencies in the handling, management, transfer, storage and disposal of said materials. The CUI Framework provides common definitions and terminology, as well as
outlines standard procedures or processes. The hope is to build a Cyber System that is secure as possible for each level of user.
This will affect all of us in one way or another. Please read on.
NIST 800-171 is too extensive for me to discuss in this article, but for those of you unfamiliar with it here are a couple of excerpts:
Chapter 2 addresses the “ Assumption and Methodology for Developing Security Requirements”. One of the “basic assumptions” made is that “Safeguards implemented to protect CUI are consistent in both Federal and Nonfederal systems and organizations.” (WOW, I hear costs associated with that, if you are a small or mid sized business owner).
Chapter 3 describes fourteen families of security requirements. To name a few: training, audit and accountability, identification and authentication, incident response, personal security, risk assessment, system and information integrity and protection.
To date, NIST 800-171 is voluntary, self-audited and regulated. Companies utilizing NIST 800-171 are “compliant” but not certified.
Who needs it?
All of the DOD Prime contractors currently have some level of Cybersecurity, including some that are very sophisticated. DOD contractors have been aware of this need for years, and experienced the DOD’s increasing pressure to implement robust systems. That said, Primes have been investing dollars and the resources necessary to build infrastructure. This means that like all other certifications and specs it will “flow down” to some portion of the supply chain – that includes many of you reading this article.
Don’t be misled that this is a “DOD only” initiative. Many commercial sector companies are getting onboard in order to protect their IP. I am aware of at least two large medical equipment manufacturers that are requiring their supply chain to be actively working on 800-171. Tier 1 and Tier 2 Contract Manufacturers are being required by DOD Primes to address security concerns. If the CM’s are compliant, their supply chain will need to be compliant.
As we have spoken about Cybersecurity with many privately held SMB’s, some have an understanding of the forthcoming requirements and some look at us as if we’re speaking Klingon. Several of these companies are utilizing their outsourced IT support teams to assist in establishing a framework and roadmap. Of course, this translates once again into cost.
Months of time and tens of thousands of dollars can be spent gaining an understanding of the requirements, on boarding infrastructure, then managing and overseeing procedures.
Industry analysts are predicting “Security” will become a measurable metric just as cost, delivery, and performance are today.
Not really a fair question because “what’s next” is already here.
CMMC – “Cybersecurity Maturity Model Certification” is currently at Model v1.0 which was released Jan. 31,2020. This program is driven by the Office of the Undersecretary of Defense for Acquisitions and Sustainment and goes well beyond NIST 800-171. CMMC establishes Cybersecurity as the foundation for future DOD acquisitions.
CMMC and NIST 800-171 have several commonalities, but also some very significant differences. For example, NIST 800-171 is not currently “required” on many DOD contracts, in the near future CMMC will be “required.” All participants on a DOD contract will be required to be certified to some level of Cybersecurity. The 5 Levels of security are defined in CMMC.
Another main difference is that NIST 800-171 is self audited and regulated. CMMC will require a 3rd party certification with re-certification (audits) performed at specified intervals. The intent of CMMC is to “flow down” Cybersecurity requirements to all participants in the supply chain. Prime contractors with exposure to top level integrated systems documentation will be required to maintain Level 4 or 5 certification. A small business which plates or paints discrete pieces of hardware may only be required to maintain Level 1 certification, but certification nonetheless. CMMC Level 1 is defined as “Basic Cyber Hygiene” (17 practices outlined) while Level 5 is “Advanced / Progressive” (171 practices outlined). There are 17 “Capability Domains” listed in v1.0. Level 3 most closely aligns with NIST 800-171.
I have seen mentioned in a few DOD presentations that the Primes and Tier 1 contractors are not the major concern. The majority of Cybersecurity concerns are in the Tier 3 and Tier 4 level of contractors. Companies which are large enough to have access to higher level documentation, files and data but not conscientious enough (or profitable enough) to recognize the need for enhanced Cybersecurity measures. These are the companies which present the greatest Cyber risk. For that reason CMMC will be a “go / no go” decision on contracts. If your company is not CMMC certified you will not be considered for participation in the supply chain.
A major role in this entire process which has been identified but not defined or allocated is the certification and accreditation body. DOD has not defined who will conduct all of the certification audits. An RFI has been solicited, but no clear path forward has been determined. As of this writing DOD is targeting full implementation of CMMC by 2025.
All of the manufacturing partners whom Lupton Associates represents that are in DOD / Military supply chain are aware of NIST 800-171 or CMMC. If you should require manufacturing partners that are familiar with these requirements and that have already begun implementation of enhanced Cybersecurity measures, please contact one of us.
There are many documents available online which speak to CMMC. The official DOD website is https://www.acq.osd.mil/cmmc/. Another good resource to help in understanding CMMC is to view a YouTube webinar (https://youtu.be/1tnaeEU6Az8).
Good luck to all of us on this journey.
“Roads? Where we’re going, we don’t need roads”. Dr. Emmett Brown, Back to the Future.