In the aerospace and defense sector, the protection of critical and classified systems design and deployment information is a given. For companies dealing with the U.S. and allied countries, the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) have been a fact of life for decades (iBASEt is compliant with these guidelines). Given the increasing cybersecurity threat to aerospace manufacturing, the Department of Defense (DoD) introduced a new approach to protecting critical information, the Cybersecurity Maturity Model Certification (CMMC).
Historically, the U.S. security focus has been principally on keeping classified design and performance information in the hands of friendly forces by limiting access to those with appropriate security clearances. However, recent incidents have caused the Department of Defense to rethink its approach to protecting both classified and unclassified material.
With the growing threat of foreign hacking and the greater degree of interconnection between manufacturing and engineering systems, suppliers will need to adhere to the new DoD Cybersecurity Maturity Model Certification (CMMC) requirements for DoD contracts starting in the second half of 2020.
CMMC is Both Broad and Different
Recent breaches of DoD contractor systems led the DoD to shift its approach to cybersecurity from a pure compliance focus to one based on risk assessment. The intent is to provide assistance to firms needing to improve their cybersecurity capabilities.
To do this, the DoD is adopting the classic 5-level maturity model approach that was developed at Carnegie Mellon University and has been used in many other aspects of software and business process improvement.
The value of a maturity model approach to cybersecurity is that it allows for a risk-based assignment of appropriate security measures for DoD contractors based on their position in the supply chain. The certification process will utilize independent assessors both to determine the appropriate required maturity levels for DoD contractors and to provide guidance on how to achieve certification.
Most importantly, it is a dynamic model that can be adjusted as risks change or a contractor’s position in the value chain evolves. It brings continuous improvement thinking to the cybersecurity discipline.
CMMC is Mandatory
Currently, the DoD is working with a variety of university research centers, federally funded R&D companies (such as MITRE and RAND), and industry experts to complete the program. Once it is fully defined, the DoD will require certification for all DoD contractors and sub-contractors. Certification will then likely be valid for between one and three years.
Depending upon the size of your organization, various minimum levels of certification will be required. Larger businesses will need to meet higher levels of certification based on the risks associated with their activity within the defense value chain.
In light of the designation of the defense industry as “critical” during the COVID-19 crisis and the requirement for all defense contractors to comply with cybersecurity regulations, aerospace and defense manufacturers need to start prioritizing cybersecurity now. This applies both to traditional in-plant activities and to the remote access necessitated by COVID-19.
How iBASEt Can Help
As a long-time Manufacturing Execution System provider serving the A&D industry, iBASEt has long been committed to ensuring our solutions adhere to all DoD requirements and industry best practices. In this instance, the evolving, dynamic nature of cybersecurity threats – both from a security and compliance perspective – has elevated the need for flexible systems that can easily accommodate change and effectivity across the digital enterprise.
iBASEt’s current and future portfolio – which now includes a microservices architecture – ensures the delivery of a secure platform with not only inherent security, but also the ability for users to continue to securely modify it as often as needed, such as adding new layers of security as appropriate for each of our customers’ organizations. iBASEt is committed to helping our end-user customers and partners achieve the CMMC level they need to remain part of their respective A&D value chain.
Further, the value to our non-aerospace industry clients is that they can reap the rewards of a more secure infrastructure, knowing that their vital product and production information is secure based on the highest industry standards.