FEDERAL CYBER RULES MAY CATCH MANUFACTURERS UNAWARE
by UI LABS
November 11, 2016
A new set of federal cybersecurity regulations goes into effect at the end of next year, but many manufacturers remain unaware of the rules and their impact.
“They either haven’t heard of them at all, or they’ve heard of them but don’t think they apply,” says Jim Henderson, Vice President of Cyber, Engineering, and Technology for technology services firm Imprimis, Inc.
Henderson’s firm is leading a project through the Digital Manufacturing & Design Innovation Institute to evaluate the new requirements in a manufacturing environment. Firms are required to be in compliance by December 2017, yet many haven’t taken the steps to follow cybersecurity best practices and put the appropriate systems in place.
In the early stages of its project, Imprimis worked with a local Colorado Springs-based manufacturer to assess its compliance. The assessment was designed to provide a baseline estimate of how the new rules apply in a manufacturing setting.
“We found, not surprisingly, that they were not very compliant, which we’ve seen is the norm for a lot of companies, especially small and medium-sized businesses,” Henderson says.
Protecting Valuable Data
The cybersecurity rules are part of the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting. The clause requires contractors that handle covered defense information to implement the security requirements of NIST Special Publication 800-171 and to report cyber incidents affecting that information to the DoD.
Although not designed specifically for manufacturing, the rules were developed to protect information that’s valuable to the government, known as Controlled Unclassified Information. Many manufacturers don’t realize that the rules apply to them. But if they have a direct contract with the Department of Defense (DoD), are subcontractors on a DoD contract, or if they are producing something for a DoD contractor, it’s likely they have this clause in their contract, says Henderson.
The pressure to comply won’t come solely from federal regulators. As the deadline approaches, prime contractors are actively reaching out to check the compliance status of the firms they work with. Those that don’t comply risk losing business, or worse, exposing valuable intellectual property.
“If a prime contractor gets information from the government, passes it to a subcontractor, and the subcontractor loses it, the prime contractor is responsible. Naturally, they don’t want to be liable for weak cybersecurity in other networks, so they’ve started checking,” Henderson says.
While the DFARS rules focus entirely on protecting the confidentiality of government information, there are other cybersecurity concerns that are particularly relevant to manufacturers and that factor into Imprimis’ evaluation. For one, maintaining the integrity of information and preventing its corruption is key. A company needs to ensure that the data essential to a manufacturing process is not altered or corrupted through improper information management.
There’s also the issue of availability. For a manufacturer whose revenue depends on the number of widgets produced daily, for example, access to specifications and other data is essential for keeping an operation running and profitable.
Assessing Cyber Readiness
During the first phase of the project, Imprimis not only evaluated the Colorado Springs-based manufacturer’s compliance, but helped fix the problems identified—implementing policies and procedures and changing hardware and network settings, for example. The work provided a baseline for what it takes to comply with the new rules.
To generate more data about how the DFARS standards will impact manufacturers, Imprimis is currently seeking several more companies of various sizes to work with on cybersecurity assessments. Following the review, participating manufacturers will receive a customized remediation plan to help them achieve compliance.
Henderson estimates that for a manufacturer to work with an outside consultant, the cost of an assessment alone could range anywhere from $5,000 to $10,000, depending on the size of the company and its cybersecurity readiness. For assessments conducted as part of Imprimis’ DMDII project, there’s no cost for the manufacturer.
In addition to its assessments, Imprimis is distributing licenses for a tool it developed, which is used in the assessment to help manufacturers become compliant. Participants will receive licenses at no cost, valued at $1,500, and additional licenses are available to DMDII members to help them get started on an assessment on their own.
While complying with the DFARS is the immediate concern for the companies the rules apply to, undergoing an assessment has broader benefits, according to Henderson.
“We’ve found in our case and for any company we’ve worked with, going through an assessment is kind of a self-discovery process, if you will. It forces [companies] to think about their policies, in particular IT-related policies,” Henderson says. “A lot of companies are doing things because that’s how someone said to do it five years ago and they just kept doing it that way, whether or not it’s a good idea.”
To learn more about Imprimis’ project or to inquire about participating, please contact Amy Vermillion at Amy.Vermillion@Imprimis-Inc.com.