Upcoming cybersecurity regulations could catch manufacturers off guard and put at risk their ability to perform government contracts.
Industry insiders believe many manufacturers may have overlooked new federal guidelines issued under the U.S. Department of Defense that mandate suppliers adopt a variety of cybersecurity best practices, countermeasures and reporting standards to continue to qualify for contracts.
“I think the important part is people need to get moving,” said Elliot Forsyth, vice president of business operations at the Michigan Manufacturing Technology Center (MMTC). “The typical engagement for companies, assuming they’re starting from little to nothing, is six to nine months. We’re running out of time. My sense is there’s the majority of companies that do not meet this regulation.”
The new mandates take effect Dec. 31 this year and apply to contractors for the Department of Defense, National Aeronautics and Space Administration (NASA) and the General Services Administration.
While some manufacturers are accustomed to working with federal agencies on classified projects, these regulations are meant to safeguard sensitive information in unclassified material, particularly as the threat of cybersecurity breaches grows.
Cybersecurity attacks on manufacturers have continued to rise in recent years given the vast industry knowledge and intellectual property held on their computer servers. Manufacturing was the second most attacked sector in 2015, taking a backseat only to the health care industry, according to a 2016 cybersecurity intelligence index published by IBM X-Force Research.
While they were introduced in December 2015, the regulations have been slow to catch on among companies, something that Forsyth attributes to a lack of communication throughout the supply chain.
“I think the message hasn’t found its way from the top to the bottom really well,” he said. “There isn’t a sense of urgency. We have run five information sessions across the state. The majority of the people have heard about the standard from us.”
The new regulations encompass an array of requirements — 109 in total — including enhanced physical security of a company’s server room, system maintenance and access control protocols. The requirements are laid out in detail in the National Institute of Standards and Technology (NIST) Special Publication 800-171.
Forsyth noted that among the numerous mandates, manufacturers likely face the largest hurdles in complying with requirements to have documented cybersecurity policies and an action plan in place in the event of a breach.
“Once you’re awarded, you have to submit two plans” to the partnering company or to the governmental body, according to Forsyth.
“That is a system security plan and a monitoring and reporting plan,” he said. “Those are physical documents you have to deliver. The monitoring and reporting plan, the standard says that when I am breached — because chances are we’re all going to be breached at some point, you can’t completely protect yourself — you have to report it within 72 hours to your prime contractor and to the DOD with your remediation plan. The standard is written in a way that, depending on the severity of the breach and/or the frequency of the breach, you could be subjected to audit.”
While the cost to implement these requirements varies vastly between companies, Forsyth estimates that it could cost manufacturers anywhere from a few thousand dollars to change company policies up to around $40,000 if their equipment is outdated.
“If my operating system is (Windows) XP, then my price is going to go up,” Forsyth said. “The important part is that everyone has to be compliant and has to make a business decision on how much this contract is worth to them.”
For its part, the MMTC has held several informational sessions on the new regulations in a bid to drum up awareness. The organization also offers cybersecurity assessment, monitoring and supporting services to manufacturers to ensure they are in compliance with the regulations. The assessment costs between $3,000 and $5,000, while the monitoring and reporting services are billed on a subscription basis, ranging from $750 to $1,000 per month.
The state also has attempted to raise awareness of the regulations. The Michigan Economic Development Corp. (MEDC) partnered with MMTC to provide resources and education on the upcoming cybersecurity standards.
“We’re looking to educate and inform and then say, ‘This is what you can do about it,’” said Mark Ignash, a program manager for defense operations at the MEDC. “To do that, we’re bringing together subject-matter experts in the field of cybersecurity that can provide these businesses one-on-one guidance for what this really means to them. The thing is that these regulations are going to fall out differently for any given company.”