Conducting a cybersecurity assessment must be a top priority for manufacturers that are part of the Department of Defense supply chain.
On December 31, 2017, the Department of Defense, through the National Institute of Standards and Technology (NIST) and the Defense Federal Acquisition Regulation Supplement (DFARS), began requiring that all suppliers in the defense supply chain work toward compliance with the cybersecurity standards described in NIST Special Publication 800-171.
Suppliers must perform a self-assessment and create a plan to remediate areas where they fall short of meeting standards set by NIST and DFARS.
The NIST Manufacturing Extension Partnership has also published a self-assessment document, NIST Handbook 162, to help companies become compliant with cybersecurity requirements.
The Department of Defense is requiring that its contractors abide by these requirements, which will cascade through the supply chain. The prime recipients of Defense Department dollars, like Oshkosh Corporation here in Wisconsin, have begun pushing this down through all tiers of their supply chain.
Building awareness of the requirements can be a challenge. Frankly, some of these compliance issues are catching manufacturers by surprise. As a result, a large percentage of manufacturers in the Department of Defense supply chain have not yet done much to address the standards, but they must. The importance of getting out in front of this issue can’t be stressed enough.
If your company does work in the Department of Defense supply chain and you have no plans in place for meeting the 800-171 standards, you are at risk of losing federal contracts and your information is vulnerable to cyberattacks.
Since this is starting out as a self-assessment, the Department of Defense is unlikely to examine the supply chains of its primary suppliers itself. It is, however, performing audits of the primary contractors and working to develop guidelines for how these requirements are to be extended through the entire supply chain.
The requirement includes 110 elements with which suppliers must comply. Suppliers must assess their operations against those elements and begin a remediation program to address those areas where they fall short. Admittedly, things are a bit nebulous at this point. No scores are given out. It’s simply an assessment to get companies going in the right direction.
The Wisconsin Manufacturing Extension Partnership (WMEP) offers key services to companies seeking assistance in assessing the requirements and working to become compliant.
The WMEP assesses a manufacturer against the standard and helps it understand the 110 requirements and where it stands against each of them. A gap report is produced showing which requirements still need to be addressed. In many cases, this takes the form of a prioritized list of steps to be taken over time, since the process, understandably, can be overwhelming.
While the mandate for completing the initial assessment by Dec. 31, 2017, has passed, no time limit has been mandated for completing the required remediation. Some companies have indicated that they are going to take the next two years or so to do this. Some have said they will do it in six months. Many are taking an immediate stab at it to see where it goes and what things they can shore up right away. Obviously, major vulnerabilities should be addressed immediately.
Basically, if you develop a work plan and present it to the Department of Defense primary supplier with which you are contracting, that supplier is likely to recognize that you are on the journey toward compliance and will likely award you a contract.
The key thing to remember, though, is that there is a standard, and manufacturers had better start complying with it. They need to do the self-assessment and develop a work plan. Incremental progress reports will probably be required at certain intervals so that primary suppliers can examine the progress.
Although there are no fines for non-compliance at this point, contracts have been denied to manufacturers that haven’t addressed the requirements and the business has gone to other suppliers. That’s the short-term threat.
For now, there’s no external certification for companies that meet the requirements. Although it’s unlikely that the Department of Defense will perform any on-site audits of secondary suppliers, it’s likely that the primary contractor will. So it’s vitally important that companies not fake the assessment by indicating that they comply with a requirement when they don’t.
It’s also highly likely that the Department of Defense won’t be alone in requiring that suppliers meet cybersecurity requirements. The Automotive Industry Action Group (AIAG) has indicated that a cybersecurity mandate will be forthcoming later this year and it, too, will be based on NIST standards, with some modifications.
It’s probable that an all-inclusive, integrated cybersecurity standard is on the horizon, much the same way that ISO 9001 serves as a worldwide quality standard.
All are compelling reasons for manufacturers to immediately begin implementing a cybersecurity program.
Wil Cox is an account executive at the Wisconsin Manufacturing Extension Partnership and is a member of the NIST MEP Cybersecurity Working Group and the NIST MEP Cybersecurity Steering Committee.
608.335.3203