Manufacturers are used to compliance requirements. These requirements are a part of daily life: from safety to quality, manufacturers must constantly track and adhere to rules that ensure their products and processes meet certain standards.
For manufacturers that work with the Department of Defense, that includes meeting Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements, including the highly anticipated “Cybersecurity Maturity Model Certification” (CMMC).
The basics: CMMC is the U.S. Defense Department’s proposed method for checking that its suppliers have strong enough cybersecurity protections to safeguard the Department’s information. Whether it’s a prime, subcontractor or sub-tier supplier, every company doing business with the Defense Department will need to comply with CMMC to receive a contract.
The big picture: All manufacturers should secure their businesses against cyberattacks, whether or not they are obligated to under DFARS or other requirements. According to the National Institute of Standards and Technology Manufacturing Extension Partnership Cybersecurity Services Lead Celia Paulsen, one of the most important—and most often neglected—steps manufacturers can take is simply to understand the structure and information flow within their own companies.
- “A lot of companies don’t know how information flows in their companies and how their companies work,” said Paulsen. “Once you have that information, you’ll be able to scope out the rest of the compliance efforts.”
- “In some cases, you might find that all of your controlled information can be limited to one computer. If so, great! Keep it separate and you won’t need to worry as much about the rest of the business,” she added.
- “In other cases, you might find that there’s no easy way to cordon off CUI, and it might be cheaper to secure the whole business. That’s something you wouldn’t have known otherwise.”
All aspects of the business, from physical structures to software, should be considered when thinking about security. According to Paulsen, looking at your business from the outside-in can turn up problems that are easily fixed.
- “Think of it as if you were looking to protect your house,” said Paulsen. “Begin by looking at the business physically – are there locks on the doors and windows? Do you have backup power?”
- “Then look inside the house: Where are your jewels (i.e. computers) located? Are they protected from curious eyes? Are your home, guest and business networks separated?”
- “Last, go to the software and data level. Do you have backups? What do you have in your computers that keeps sensitive information secure?”
Sensitive information doesn’t just flow through an individual manufacturer; it often travels up and down the supply chain, reaching other businesses that may not be taking the proper precautions.
- It’s imperative for manufacturers to discuss these issues with their connecting businesses, Paulsen notes. They should determine what requirements apply, whether access to sensitive information is needed for either business, and if so, how it can be protected.
- “When you’re integrating IoT devices onto the shop floor or implementing AI or going to the cloud—anytime you’re purchasing something that is smart, or that has a chip—you need to consider the security of it,” said Paulsen.
- “A lot of breaches happen because of supply chain attacks where the products aren’t developed with security in mind. That is key to a long-term strategy: making sure that whatever you buy, they’re considering security.”
NAM resources: Are you prepared in the event of a ransomware attack? Built specifically for manufacturers, NAM Cyber Cover was designed to provide risk mitigation and protection. Find out more at www.namcybercover.com.