Composites One

Share

Cybersecurity

By nature, data and communications surrounding products manufactured for use in defense applications must involve some level of heightened security. But what exactly does this look like, and what measures are necessary? In January 2020, the United States government’s National Institute of Standards and Technology (NIST, Gaithersburg, Md., U.S.) introduced the second revision of NIST 800-171, a document outlining cybersecurity requirements for protecting the confidentiality of controlled unclassified information (CUI) — information considered sensitive but not entirely classified — held by organizations and companies outside of the federal government. Important for the composites industry, the new standards affect companies working under contract with the U.S. Department of Defense (DOD), as well as suppliers to those companies.

NIST 800-171 Revision 2, which supersedes the Revision 1 document released in 2018, was released for a preliminary comment period between January and March 2020, partially phased in this spring and is scheduled for widespread rollout this fall. According to Michael Flavin, director of IT sales and marketing at consultancy firm Saalex Information Technology (SaalexIT, Camarillo and Temecula, Calif., U.S.), there may be as many as 300,000 companies, including composites fabricators or suppliers, within the scope of NIST 800-171 by 2025.

Goals of the new protocol, according to Flavin, include:

  • Enforcement of better “cybersecurity hygiene” — or cybersecurity best practices;
  • protection of sensitive data from foreign hackers; and
  • protection of intellectual property considered vital to national security.

In addition, the new protocol does not just require stricter cyber monitoring, but also documentation of that monitoring. 

NIST 800-171 categorizes its recommendations into 14 families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communication protection and system and information integrity.

Common cybersecurity issues include inadequate firewalls, poor password use and inadequate training.

However, according to Flavin, not all companies are required to comply to the same level of cybersecurity. Requirements are divided among five levels, arranged in descending order according to the sensitivity of the information involved, with Level 1 indicating the most sensitive information requiring the most stringent cybersecurity measures, says Flavin. Moreover, the compliance level is based on the DOD contract and affects all companies associated with that contract — in other words, both the company with the direct contract and all relevant suppliers for that project are required to comply to the same level of cybersecurity.

A failure to comply, Flavin adds, could lock a supplier out of future contracts, so the protocol will likely result in “weeding out” of suppliers with weak cybersecurity practices.

Most common cybersecurity issues

“The last thing you want is to find out from the FBI that you’ve been breached. Which has happened,” says Flavin. 

According to Flavin, large companies tend to have sophisticated IT systems that can meet the requirements of NIST 800-171, but smaller firms may not have this in place. The vulnerability presented by smaller companies shouldn’t be underestimated, he adds: “Everyone thinks big companies, like Bank of America, are the target, but if an intruder can break into several small, weak targets, they will do it, and it can be just as destructive.”

Common cybersecurity issues that companies have, says Flavin, include inadequate firewalls, poor password use and inadequate training that puts employees at risk for phishing scams or ransomware. In addition, Flavin says, many company IT systems use connected network systems that should be segregated, to separate data into segmented networks, with sensitive information only accessible by certain users.

Becoming NIST 800-171 compliant

What can a company do to assess whether it is in compliance with NIST 800-171, and to make any needed adjustments?

Compliance with NIST 800-171 will require some planning for many companies, says Flavin. For example, compliance could cost a company $500-$2,000 per employee per year, depending on the level of security needed. On top of that, an annual cybersecurity audit may be necessary.

The first step is to consider both the kind of work that your company currently does as well as what kind of work you might do in the future that could have potentially more sensitivity concerns involved with it. “It’s better to raise the bar on cybersecurity proactively, and not try to catch up after the fact,” says Flavin .

cybersecurity and composites manufacturing

Source | SaalexIT

The next step, he says, is to get a third-party assessment of data security from a company like SaalexIT. If you are unsure what the data security requirement level is, he recommends targeting Level 3 compliance as a baseline. Flavin adds that looking to third-party assessment companies — many of which perform assessments remotely given current pandemic-related travel restrictions — should not be seen as a sign that a company does not trust the measures put in place by its in-house IT team: “The goal is not to denigrate current IT staff, but to understand and fix vulnerabilities. This requires cooperation of IT.”

SaalexIT helps companies by performing a “gap assessment” to illuminate potential problem areas and suggest a course of action toward certification. “We look at the type of work being done and the access to classified information under the contract and the level required. We then make recommendations to the customer about their data weaknesses and what must be done to come into compliance with the level,” says Flavin. This gap assessment looks at policies and procedures, employee data security training and data authentication procedures such as logins and passwords. For example, says Flavin, companies need to consider whether employees are accessing files outside their area of work or responsibility. Ultimately, SaalexIT is then able to present a project plan with milestones for better site security, a roadmap for compliance and related costs.

Finally, Flavin says that to fully comply with NIST 800-171, companies can be certified by a third-party certification assessor organization (C3PAO) appointed by the DOD. The system is still in the planning and organization stages, but certification will adhere to the Cybersecurity Maturity Model Certification (CMMC, see image above) outlined by the DOD.

Before the requirements go into full effect, Flavin recommends that affected companies start now and seek out cybersecurity experts for third-party assessment. “Mindset should be when, not if, you will be attacked,” he says. “And you must mitigate that risk.”

Compression Molding
Precision Board Urethane Tooling Board
Janicki employees laying up a carbon fiber part
Wickert Hydraulic Presses
Composites One
ViRTEK IRIS 3D
Park Aerospace Corp.
CAMX 2024
CompositesWorld
Carbon Fiber 2024
Airtech
KraussMaffei Metering Systems

Related Content

Lockheed Martin expands development, production of ultra-high temp CMCs with facility expansion

Targeting current and future needs in hypersonic and aeronautics applications, Lockheed Martin Skunk Works’ Allcomp team is increasing and digitizing its capabilities in ceramic matrix composite (CMC) materials and parts fabrication.

Read More
Hi-Temp Resins

Materials & Processes: Resin matrices for composites

The matrix binds the fiber reinforcement, gives the composite component its shape and determines its surface quality. A composite matrix may be a polymer, ceramic, metal or carbon. Here’s a guide to selection.

Read More
Aerospace

Parker Hannifin completes acquisition of Meggitt PLC

With the acquisition, Parker Aerospace Group aims to expand its portfolio with Meggitt’s global defense and aerospace technologies.

Read More
Weaving

Materials & Processes: Fibers for composites

The structural properties of composite materials are derived primarily from the fiber reinforcement. Fiber types, their manufacture, their uses and the end-market applications in which they find most use are described.

Read More

Read Next

Wind/Energy

Composites end markets: Energy (2024)

Composites are used widely in oil/gas, wind and other renewable energy applications. Despite market challenges, growth potential and innovation for composites continue.

Read More
Trends

CW’s 2024 Top Shops survey offers new approach to benchmarking

Respondents that complete the survey by April 30, 2024, have the chance to be recognized as an honoree.

Read More
Thermoplastics

From the CW Archives: The tale of the thermoplastic cryotank

In 2006, guest columnist Bob Hartunian related the story of his efforts two decades prior, while at McDonnell Douglas, to develop a thermoplastic composite crytank for hydrogen storage. He learned a lot of lessons.

Read More
Precision Board Urethane Tooling Board