Sunday, October 06 2024
As a Manufacturer, Are You Prepared to Deal With a Cyber-Attack?
Written by Gene Jones, Senior Program Manager of Cybersecurity and Defense
As we think about the current state of cybersecurity for small to medium manufacturers, I would like to clearly articulate three things: the problem, the Department of Defense’s (DoD) response to the situation, and the resources available to Indiana small businesses. While the DoD is leading the regulation/compliance implementation, a similar situation exists across many industries.
Most small to medium manufacturers are unprepared to deal with a cyber-attack. Defense manufacturing supply chain operations rely on an immeasurable number of touchpoints where information flows through a network, both within and across the many manufacturers’ systems that constitute the supply chain. Each of these supply chain touchpoints represents a potential vulnerability in the security of our nation’s defense production. According to data released in late 2019 by the U.S. Census Bureau, approximately 291,000 manufacturing establishments operate in the United States. Nearly 99 percent of those establishments are small and medium-sized manufacturers with fewer than 500 employees. Multiple data sources indicate that most of these manufacturers are unprepared to deal with a cyber-attack. This problem is acute within defense manufacturing supply chains, where small to medium manufacturers, often lacking basic cyber controls, constitute the bulk of the critical lower supply chain tiers. (1)
Thirty-five percent of all cyberespionage attacks in the U.S. are targeted at the manufacturing sector, second only to the financial sector. (1)
DoD is on track to implement “pre-award contracting regulations” in the first quarter of 2025. Although the acquisition requirements to implement Basic Safeguarding of Covered Contractor Information Systems (FAR 52.204-21) to receive Federal Contract Information, and Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 252.204-7012) to receive Controlled Unclassified Information (CUI), have existed for many years, most contractors have not complied with these acquisition regulations. Additional defense acquisition regulations require DoD cyber assessment scores to be uploaded to the Supplier Performance Risk System (SPRS) and require the prime contractor to confirm that an assessment has been completed before subcontracting covered DoD work. To date, compliance has relied on self-attestation; however, a recent DoD Inspector General report indicated that few contractors had implemented the required information security controls. After a few years of setbacks, DoD is on track to implement Cybersecurity Maturity Model Certification (CMMC) as an “audit” method to ensure compliance with the cyber contracting regulations prior to the award of DoD contracts.
The DoD is implementing CMMC (Cybersecurity Maturity Model Certification) to enforce compliance with cyber regulations.
Indiana small businesses have a unique opportunity to access state-funded resources. The Indiana Economic Development Corporation (IEDC), funded by a Small Business Administration (SBA) grant, has contracted Purdue MEP to conduct CMMC Level 1 and Level 2 assessments and to provide Chief Information Security Officer (CISO) training/consulting hours for Indiana small businesses, regardless of DoD affiliation. The assessments are a great way to develop a concrete action list for complying with the federal and defense acquisition requirements, and the CISO hours support progress along the compliance path. Again, this program is open to any Indiana small business, not just companies in the defense industrial base!
Contact Gene Jones, Senior Program Manager for Cyber and Defense (jonesew@purdue.edu) to get started.
Sources/Citations: (1) FY20 Industrial Capabilities Report to Congress, OSD A&S Industrial Policy, January 2021, pages 62-64, “Cybersecurity for Manufacturing,” https://media.defense.gov/2021/Jan/14/2002565311/-1/-1/0/FY20-INDUSTRIAL-CAPABILITIES-REPORT.PDF
Writer: Gene Jones, 765-496-7802, jonesew@purdue.edu