NIST 800-171 is coming, and everyone in defense manufacturing needs to be compliant.
If you’re not ready, you’re setting yourself up to lose a key part of your business – and putting national security at risk.
In America, we project our power and defend ourselves with military technology. The Department of Defense and Intelligence Community rely on having a technological edge in all of their weapons systems. Think about carriers, jets, subs, and the satellites and sensors that protect them. Those need to stay ahead of the adversaries. We have invested trillions of dollars into these systems, and protecting this intellectual property is core to the mission of national security.
We talk to a lot of job shops who don’t think they’re a target because they’re small and not very well known. But owners need to realize this is exactly what makes them an attractive target to cyber attacks. Think about every part a typical shop makes on a government contract or subcontract. Drawings and 3D models for these parts describe dimensions, manufacturing instructions, part numbers and descriptions, and information about higher-level assemblies. Stealing this information makes reverse engineering and re-creating the technology much easier to a foreign government. Are attackers going to try to get this information from a state-of-the-art military network or are they more likely going to target a small business with limited IT resources?
Protecting defense technology is critically important to American manufacturers. We see American flags on the wall in every shop we visit, and we know this industry cares deeply about the mission. Moreover, defense work comprises 10% of the entire American manufacturing market. So even if a shop hasn’t won a defense contract or subcontract yet, competing for this work needs to be part of the business model.
The ABCs of Cyber Security and Defense Contracts
When it comes to cyber security and defense contracts, a lot of acronyms get thrown around. We’ll break them down here.
All government spending is subject to the Federal Acquisition Regulations (FAR), which are about 2,000 pages of rules dictating how government contracts must be structured. This helps prevent waste and corruption, but it also makes doing business with government complicated. When a contract is for the Department of Defense (DoD), another 1,600 pages of rules apply — these are called the Defense Federal Acquisition Regulations Supplement (DFARS). These supplemental rules are far reaching, mandating everything from how classified information needs to be handled, to detailed military specifications for materials and products, to what kind of paperwork needs to be retained and for how long. Thousands of people build their careers around understanding these regulations and keeping up with their frequent changes. It’s wild.
On top of that, a different government department, the Department of State, through its Directorate of Defense Trade Controls (DDTC) piles on some more rules. They have determined that “defense articles” — anything from a rifle to a nuclear warhead — cannot be exported to another country unless expressly allowed by the government in the form of an export license. These are the International Traffic in Arms Regulations (ITAR). While the ITAR obviously means a job shop can’t ship a weapon overseas without a license, it also means anyone working in the supply chain can’t share technical information about defense articles with foreign nationals, even if they are on US soil. In other words, according to the ITAR, showing a print or 3D model of a defense part to someone who is not a US citizen could be an illegal export. (In fact, we’ve designed our product around handling ITAR data.)
The most sensitive defense articles are classified (for example, at the “secret” or “top secret” level), and this information is managed in special networks and facilities. However, most defense items in the supply chain are not classified, yet technical data about these items are still considered sensitive by the DoD and deemed illegal to export by the Department of State. This technical data is called Controlled Unclassified Information (CUI).
Starting in 2016, DFARS started including rules about how CUI needs to be protected in the supply chain. Because those thousands of pages of rules do not spell out what information security protections must be used to protect CUI, the government turned to yet another agency in yet another department for guidance: the National Institute of Standards and Technology (NIST). Doing what they do best, NIST created a standard for protecting CUI, and they called that standard NIST SP 800-171.
The standard is freely available on NIST’s website. But a standard is not a law. The fact that NIST published a cyber security standard, even if you make defense parts, does not by itself mean you need to follow it. However, DFARS now mandates that new defense contracts include language requiring contractors and their subcontractors to be compliant with NIST SP 800-171 when handling CUI.
The New Rules of the Game
Since 2016, defense contracts have been getting increasingly strict about cyber security compliance. For job shops that haven’t had to deal with this yet, it’s coming soon. Today’s typical contract allows the government to audit the contractor and requires the contractor to verify that all subcontractors are also compliant. The government must determine that a contractor’s compliance program is acceptable before awarding a contract, and there are stiff penalties for not following the standard. Manufacturers who don’t take this seriously are setting themselves up to lose a lot of business.
So what’s in NIST SP 800-171? It’s a list of 110 “controls”, or requirements, split into 14 categories. These cover physical security, cyber security, company policy, internal assessments, and more. A lot of the controls are not technical and can be implemented by documenting policies and procedures and by conducting regular staff training. However, other controls will likely require changes to your IT systems and purchasing third-party software tools. Some of the more technical controls require certain password policies, screen locks, the use of certain data encryption standards, and role-based permissions that give users access only to the functionality and data they need.
Even within the government, this is all still new and confusing. The DoD issued guidance to its own contracting officers, most recently in November 2018, spelling out how to determine if a contractor’s compliance program is acceptable. The key elements of a compliance program are the System Security Plan (SSP) and Plan of Action and Milestones (PoAM). NIST provides templates for these documents online (SSP and PoAM). The SSP describes how an IT system is or is not compliant with each of the 110 controls, and the PoAM details the steps an organization will take, along with a schedule, to be fully compliant. This guidance is essential to the supply chain right now. These rules are still relatively new, and we see shops of all sizes scrambling to become compliant. At the moment, the fact that a shop’s compliance program can be deemed acceptable even with a PoAM (in other words, a compliance to-do list) is a saving grace. However, creating a detailed PoAM can take quite a bit of work and expertise, and don’t expect the DoD to accept long PoAM’s forever.
What are Job Shops Doing?
While some shops are still sticking their heads in the sand, most business owners are taking action. If you’re a tech savvy business owner, you can try conducting a self-assessment on your own with the help of this official handbook. Most businesses are reaching out for help, and many states offer grants to help with the process. To learn more, you can find your local Manufacturing Extension Program Parter.
Paperless Parts helps you achieve compliance by taking care of a lot of the technical requirements for handling CUI, like storing and transmitting CUI using compliant encryption, providing role-based authentication and permissions, and giving your customers a way to submit files for quotation without emailing them. We’ve seen shops spend $100K or more on IT consultants trying to solve all these problems on their own. We are not compliance consultants, but our team is always happy to point you in the right direction. If you’d like to chat, request a demo with our team!