
Sunday, October 06 2024

As a Manufacturer, Are You Prepared to Deal With a Cyber-Attack?

CARMEL,  – 

Written by Gene Jones, Senior Program Manager of Cybersecurity and Defense

As we think about cybersecurity for small to medium manufacturers in its current state, I would like to clearly articulate the problem, the Department of Defense’s (DoD) response to the situation and resources for Indiana small businesses. While the DoD is leading the regulation/compliance implementation, a similar situation exists across many industries.

Most small to medium manufacturers are unprepared to deal with a cyber-attack.

Defense manufacturing supply chain operations rely on an immeasurable number of touch points where information flows through a network – both within and across the many manufacturers’ systems that constitute the supply chain. Each of these supply chain touchpoints represents a potential vulnerability to the security of our nation’s defense production. According to data released in late 2019 by the U.S. Census Bureau, approximately 291,000 manufacturing establishments operate in the United States. Nearly 99 percent of those establishments are small and medium-sized manufacturers with fewer than 500 employees. Multiple data sources indicate that most small to medium manufacturers are unprepared to deal with a cyber-attack. This problem is acute within defense manufacturing supply chains, where small to medium manufacturers — often lacking basic cyber controls — constitute the bulk of the critical lower supply chain tiers. (1)


Thirty-five percent of all cyberespionage attacks in the U.S. are targeted at the manufacturing sector – second only to the financial sector. (1)


DoD is on track to implement “pre-award contracting regulations” in the first half of 2025. Although the acquisition requirements to implement Basic Safeguarding of Covered Contractor Information Systems (FAR 52.204-21) to receive Federal Contract Information and Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 252.204-7012) to receive Controlled Unclassified Information (CUI) have existed for many years, most contractors have not complied with these acquisition regulations. Additional defense acquisition regulations require DoD cyber assessment scores to be uploaded to the Supplier Performance Risk System (SPRS), and they require the Prime to confirm that an assessment has been completed before subcontracting covered DoD work. To date, compliance has relied on self-attestation; however, a recent DoD Inspector General report indicated that few contractors had implemented the required information security controls. After a few years of setbacks, DoD is on track to implement Cybersecurity Maturity Model Certification (CMMC) as an “audit” method to ensure compliance with the cyber contracting regulations prior to the award of DoD contracts.


The DoD is implementing CMMC (Cybersecurity Maturity Model Certification) to enforce compliance with cyber regulations.


Are you unsure of your CMMC compliance? Purdue MEP, supported by experienced Purdue cyberTAP professionals, can complete a variety of cybersecurity program support activities – assessments, technical system scans, training, policy and procedure development, information about the latest regulations, and much more. In previous years, Purdue MEP has obtained funding to support these efforts. Contact Gene Jones, Senior Program Manager for Cyber and Defense (jonesew@purdue.edu), to discuss the support that you need and whether funding is currently available.

 

Sources/Citations: (1) FY20 Industrial Capabilities Report to Congress, OSD A&S Industrial Policy, January 2021, pages 62-64, “Cybersecurity for Manufacturing,” https://media.defense.gov/2021/Jan/14/2002565311/-1/-1/0/FY20-INDUSTRIAL-CAPABILITIES-REPORT.PDF

Writer: Gene Jones, 765-496-7802, jonesew@purdue.edu


Purdue Manufacturing Extension Partnership, 550 Congressional Blvd., Suite 140, Carmel, IN 46032, (317) 275-6810
