CYBERSECURITY

Heat Treat Radio #113: NIST and CMMC: What Heat Treaters Need To Know

Joe Coleman, cybersecurity officer at Bluestreak Compliance, discusses critical aspects of NIST 800-171 and CMMC with host Doug Glenn. Joe touches on how to become compliant, how long compliance takes, compliance pricing, and the limitations companies may face if not compliant. Learn more in this episode of Heat Treat Radio.

Below, you can watch the video, listen to the podcast by clicking on the audio play button, or read an edited transcript.




The following transcript has been edited for your reading enjoyment.

What Is CMMC? (03:34)

Doug Glenn: Let’s jump in. Cybersecurity, while it’s not unique to heat treaters, is across all manufacturing sectors. But there are some unique elements of it that tie into the metal treating industry.

Let’s start with some basic definitions for those who don’t know: What is CMMC and what’s the purpose of it?

Joe Coleman: CMMC stands for Cybersecurity Maturity Model Certification. And we’re currently on version 2.0. It’s a verification program to ensure that defense contractors and subcontractors are able to protect sensitive information from the DoD (Department of Defense). That includes FCI, which is federal contract information, and CUI — or some people call it “coui” — which is Controlled Unclassified Information.

Cybersecurity acronyms “cheat sheet” available as a free download. Click on the image for a link.

It’s going to affect about 300,000 companies in the U.S. Also, it’s going to start impacting companies later this year or early next year. That’s when it’s said to be fully released, and they’ll start adding it to contracts and RFQs and things like that.

Doug Glenn: So, in CMMC 2.0 version, the DoD is asking companies, “Do you comply with CMMC 2.0?”

Joe Coleman: Rather, it is saying you must comply by 2025 and at a certain level; there are three levels.

Doug Glenn: What are these requirements based on?

Joe Coleman: DFARS 252.204-7012 was implemented in 2016. In it, they were saying that people must be NIST 800-171 compliant by December 2017. If you’re not, you’re way behind the ball. They just haven’t pushed it until recently. Now they’re really pushing it. It’s based on NIST 800-171 recommendations — that’s Rev 2, and a subset of NIST 800-172.

Doug Glenn: You mentioned DFARS. Can you just briefly explain that?

Joe Coleman: DFARS is Defense Federal Acquisition Regulation Supplement.

Doug Glenn: Also, I’m kind of curious about this: Who’s actually pushing it? Is it the Department of Defense, or is it government in general, or is it controlled by (kind of like Nadcap and things of that sort) an independent organization outside of the federal government?

Joe Coleman: No, CMMC does cover other things, but it’s mostly by the DoD. They are the ones pushing itbecause of foreign adversaries stealing our information and ransomware attacks and things like that.

Doug Glenn: Right, okay. So that’s CMMC 2.0. Is NIST 800-171 is a sub part of that, or is NIST 800-171 something different?

Joe Coleman: That’s something different. NIST 800-171 is published by the National Institute of Standards and Technologies. DoD doesn’t have a lot to do with NIST. They are two different standards; the DoD is just borrowing NIST 800-171 for CMMC’s requirements.

Doug Glenn: I see. They’re using NIST’s package that’s already there as part of their requirement.

I think you’ve already kind of hit on it, but let’s just be explicit about it. What started the push by the DoD to require CMMC or require any type of enhanced security?

Joe Coleman: The DoD finally realized just how vulnerable defense contractors are and how vulnerable their computer systems and networks are to cyberattacks and to sensitive information being leaked by the DoD or contractors, that kind of thing. They’re trying to pull everything together to improve national security and to help secure this important data.

Doug Glenn: So, in a sense, it’s really the DoD just trying to cover their rear end, so to speak, and protect sensitive, national defense type information.

What Is DFARS? (08:45)

We talked about DFARs briefly. I’ve heard a DFARS interim rule mentioned. What is that?

Defining DFARS

Joe Coleman: That came about in November of 2020. It plays along with the DFARS 7012 — 252.204-7012. They came up with three new clauses to improve how cybersecurity is handled and enforced.

The first one is clause 252.204-7019. It mandates that you when you do your assessment: you come up with an assessment score based on 110 controls, and your score can be from a positive 110 (the perfect score) to a negative 203. That score needs to be turned into the SPRS, the Supplier Performance Risk System, so other companies can see what your score is.

So, 7019 mandates that you do turn in your score and that it can be no older than three years old. They are requesting that if they say you’re DFARS-required on a contract, things like that, you need to be NIST 800-171 compliant.

The next one is 252.204-7020. And that one states that you have to give full access to your company — your internet system, your IT, all of your information, and your employees, if they decide to come in and do a medium or high assessment or just an audit. You will have to turn over that control to them.

Doug Glenn: Who is “them” in this case?

Joe Coleman: It would be a DoD official.

Doug Glenn: All right.

Levels of Assessment (10:59)

Joe Coleman: There are three different levels of assessments that can be done under NIST 800-171. There is a basic level which you attest yourself. It’s all self-attestation for NIST 800-171. There’s a medium level which means you have to have a DoD official come in and do your final assessment. And then there’s a high, which you also need a DoD official to come in and do that. The majority of them are basics, which you can self-attest to.

Doug Glenn: How does a company know if they need to even have the CMMC?

Joe Coleman: If your company is a defense contractor, subcontractor, vendor/supplier, or if you’re in the DIB (the defense industrial base), you will need to be compliant if you process, store, transmit, or handle FCI or CUI in any way. If you handle CUI or FCI, you must become CMMC certified at one level or another.

Doug Glenn: Let’s just take an example. Say I’m almost third tier down in a supply chain, and the guy I’m doing business for is obviously doing defense work. Do I need to be CMMC certified at that point, even on the basic level?

Joe Coleman: Well, it depends on what type of data you’re handling. There is a flow down process. It starts with the prime contractor. Then it goes to the contractor and then on down the line. And if you are dealing with CUI or FCI, you need to have that same certification level as your client or as your contractor.

Doug Glenn: Would my client in that case, the person I’m doing business with, would it be incumbent upon them to tell me that I am dealing with FCI or CUI?

Joe Coleman: Yes. It would be in your contract.

Doug Glenn: If someone listening has a specific question about whether they’re required, I’m sure they could contact you and you could probably help them on that just to make sure.

Joe Coleman: Anytime. I also have an ebook that I made that is ready to be sent out, so I can always send them a free copy of that.

Doug Glenn: Now, I think you’ve already answered this question, but how many maturity levels are in CMMC and what are they?

Joe Coleman: A little, there are three levels. There is level one, which is the foundational level, and that is for contractors or vendors or suppliers that deal with only FCI. They do not deal with CUI. So, there’s a much smaller set of requirements for level one. And about 60% of the 300,000 companies will be going for level one.

Then there’s level two, which is advanced, and that is for contractors and vendors and suppliers that deal with CUI in any way. It can come in an email and leave. But as long as they have access to CUI, they need to be at least a level two certification. And there are about 80,000 companies that are going to be impacted by that of the 300,000.

Level three is expert, and level three is based on the 110 controls in NIST 800-171 plus a subset of controls that are in 800-172. Level two mirrors NIST 800-171. It’s borrowing all the requirements from NIST 800-171, enhancing them a little bit, and putting them into CMMC. So, there are a few more hoops you have to jump through to be CMMC certified.

Doug Glenn: We’ve talked about two different sets of levels. We talked about a basic, medium, and high. And then we talked about level one, two, and three. Are these things the same or are they different? Can you help me understand the difference between those?

Joe Coleman: The basic, medium, and high is an assessment level that assesses your whole system and facility, and that’s based on NIST 800-171. CMMC, you have three different maturity levels, and that’s level one, level two, and level three.

Doug Glenn: When you say maturity levels, that shows the degree to which your company has gone to implement these things.

Joe Coleman: Yes. It is a certification.

On CMMC level one, you can self-attest your own certification. Level two and level three, you will have to have it’s called C3PAO (or a CMMC third-party assessment organization). They will have to come in and do your final assessment. Bluestreak Compliance can take you all the way to that assessment audit ready. But then you’ll have to have a C3PAO come in and do the final audit and the certification level.

Doug Glenn: That was going to be one of my questions because you guys mentioned that you’re a registered practitioner organization. You don’t actually do the assessments, but you can get everybody up to the door, right? You prepare them for it?

Joe Coleman: Yes. You would need a CMMC certified assessor to do that.

Doug Glenn: All right. And when is all this going to be required? Right now, it’s not required but it will be required?

CMMC: Mark Your Calendars! Companies will need to prepare for the eventual implementation of CMMC level two certification. A phased rollout is planned to simplify the process; however, a shortage of registered practitioner organizations (RPO) may lead to a backlog.

Joe Coleman: CMMC is not required currently. It’s in the last phase of being released for approval. Either late this year or early next year, it’s going to be a phased rollout. Later this year or early next year, you’re going to have phase one, which is that if you need to be level one certified, you will need to become certified right away. That’s the one you can self-attest.

Six months after that, they’re going to start requiring that CMMC level two is implemented. This means you’ll have to go through the process of getting a C3PAO. And that’s when it comes time to hire an RPO (registered practitioner organization), because they’ve got the training and the certification to get you there.

Now, one thing on the C3PAO: there are currently only 54 C3PAOs in the entire country. So, there’s going to be a huge backlog. You could be talking a year backlog, so plan accordingly.

Finally, at level three, an enhanced version of level two because it has more requirements, you’re also requiring a C3PAO for certification.

What’s Involved in Becoming NIST Compliant? (21:14)

Doug Glenn: Joe, let’s talk for a second about the process, if you will. What’s involved in becoming CMMC certified?

Joe Coleman: That all depends on if you are NIST 800-171 compliant already. If you are not NIST compliant already, you need to get NIST compliant as soon as possible. That has a big impact on your CMMC implementation.

Doug Glenn: Can you address that then: What do you have to do to become NIST compliant?

Joe Coleman: To become compliant, you have to do an assessment on your network and your facilities to come up with an assessment score. So, it’s the same as CMMC.

Then, you will have to do a gap analysis. You will come up with a POAM list (a plan of action and milestones); that is your to-do list based on your assessment, your shortcomings, or what you’re not compliant to. And you’ll need to come up with a system security plan (an SSP). That’s mandatory; you cannot be compliant without an SSP.

Once you get your SSP and your POAM list, then you need to take your score, your beginning score/baseline score, and submit that to the SPRS. And that is the library that holds all of the scores and shows your level.

From there, you start remediating and implementing your POAM list. But that also includes coming up with policies and procedures, plans, and a lot of documentation — everything gets documented based on where you stand and where you’re going, until the end when you do your final score.

Now, the SSP is a living document. It’s going to constantly change. If you have a change in your network, a major change, you’ll need to go in and update that right away.

How To Become CMMC Compliant? (23:46)

Doug Glenn: So that’s how you get to be NIST compliant. For CMMC, is there more to it?

Joe Coleman: There’s a few more requirements in CMMC, but the major difference is that with NIST 800-171 it’s all self-attestation. CMMC you will need to have a C3PAO.

Doug Glenn: That is, somebody’s going to need an outside validator, so to speak.

Joe Coleman: And they’re very expensive.

Now, another reason they came up with CMMC is because people were saying that they were compliant to NIST 800-171, and they really weren’t. That gets into the False Claims Act and things like that. They really go after people that do that.

Doug Glenn: Yeah. Any sense of the time frame for either becoming NIST compliant and/or CMMC compliant?

Joe Coleman: If you are not NIST compliant yet, that can take up to 6 to 12 months. I’ve seen it take more. You can do CMMC and NIST together if you need to because you’re using the same documents. If you’re not NIST compliant, that can take up to 18 months or more. If you are NIST compliant already, you’re talking 6 to 12 months to be CMMC certified.

Joe discusses the limitations of not being NIST compliant.

Doug Glenn: Okay. You just alluded to it, but I just want to make it clear. Can you do them both at the same time in parallel tracks?

Joe Coleman: Yeah, I’m working with clients that are not currently NIST compliant. So, we’re just rolling it into one using the same documents. It’s just that we’ll have to have a different assessor at the end.

Doug Glenn: Let’s say a company just decides they’re not going to be either NIST or CMMC compliant. You can still be a company, right?

Joe Coleman: Oh yeah, you can still do business; you just can’t do business with the DoD. A lot of companies base it on how much of their workload or how much of their business percentage is based on DoD work or from a contractor or subcontractor. If it’s 1%, 2%, 3%, 5%, you need to take a good hard look and say, is it worth putting a lot of money into?

Cost of Certification (26:52)

Doug Glenn: So, they can still be in business and doing well, but they just can’t do any DoD work. So, any ballpark figures? And I realize this probably varies widely depending on the size of the company and everything, but any ballpark sense of how much change we’re talking about here?

Joe Coleman: There’s no official word from the DoD on this, but there are some guesses out there. For NIST 800-171 compliance, depending on your current cybersecurity program that you currently have and how involved it is, I’ve seen it from $15,000 to $60,000.

Doug Glenn: Okay. That’s just for NIST?

Joe Coleman: Just for NIST. For CMMC, and again depending on if you’re NIST compliant, if you are not NIST compliant you’re going to do them together, it could be over $200K (probably easily) to become CMMC certified because you’re also becoming NIST compliant.

Doug Glenn: I’m curious. How come it’s going to cost you maybe 3x as much?

Joe Coleman: One of the main reasons is that with CMMC, you’ll want to hire a registered practitioner organization to guide you through the process and to do the documentation for you. The other is the C3PAO. There are only 54, and they can name their own price.

I can imagine it’s going to be over $100K just for the final assessment.

Doug Glenn: Right, that’s helpful. I think that gives everybody a pretty good sense of what we’re talking about here with CMMC 2.0 and NIST 800-171.

What Can a Registered Practitioner Do for You? (29:02)

Your division of your company, which is Bluestreak Compliance (you’ve already mentioned you’re a registered practitioner), can you give a brief summary of what it is? What do you guys bring to the table?

Joe Coleman: A registered practitioner organization has been certified by the Cyber Accreditation Board (Cyber AB), or CMMC accreditation body. A registered practitioner organization (RPO) works with and hires RPs (registered practitioners) or RPAs (registered practitioner advanced). I happen to be an RPA. And we’ve gone through all the training that we need to have so that the Cyber AB says, okay, you are qualified to do this.

So, when I quote a job, I usually quote it two different ways. One way is just guiding you through the process, so you’re going to do all the heavy lifting. I can supply you with templates and things like that for your documentation and guide you through each step. Or I can quote it where we manage the whole process. We will do all your documentation for you.

Joe Coleman: “You’re going to have at least 1 or 2 full-time employees doing nothing but this.”

Your team will have to be involved in the implementation process. And that’s true both ways. But we normally quote it two different ways, and they choose which one they want based on their budget and things like that.

Doug Glenn: It sounds like what you’re bringing to the table is the ability to get that company from where they are now, wherever they self-assess to start with, up to the point where they can bring in one of the third-party auditors and actually have a reasonable shot at passing the CMMC 2.0 assessment.

Joe Coleman: Correct. And it’s going to take a lot of input from the client or from the companies, too, because you’re going to have at least 1 or 2 full-time employees doing nothing but this. You’ve got to build that cost into it.

That’s what I tell people when we say we can quote it either guiding you or leading the project. It’s not as much work if I am leading the project. But if I’m not leading the project, you’re going to need a team of people to do this. It’s a lot of work.

Cybersecurity Areas To Be Aware Of (31:48)

Doug Glenn: I’m not sure there is an easy answer to this question, but can you give a list of top 3 to 4, or 4 to 5, areas that a company needs to look at when they start doing the NIST and CMMC checklists? Where do you see most companies falling down, or what are the areas they need to be aware of?

Joe Coleman: A lot of the smaller companies do not have a robust cybersecurity program. That is going to be a big pitfall. That’s going to be a big jump for them, not just the work that they have to put into it, but the expense; a lot of small companies just can’t afford that.

Doug Glenn: So, for example, what does that program involve? I mean, is it best practices for handling emails?

Joe Coleman: Everything.

Doug Glenn: What are some of those things?

Joe Coleman: Some of the things are making sure that your network is totally secure and locked down, firewalls. Along with that, you’re going to need endpoint protection on all your devices, mobile device manager. You’re going to have to track every device that has access or could have access to CUI. You have to have a full inventory of that. Your IT system has to be locked down.

Now, this also includes your facility; it includes physical security. That’s talking about your door locks, your alarm systems, things that are going to protect CUI. Camera systems, your server rooms have to be locked down. It’s a lot of physical security, too.

Doug Glenn: Interesting. As well as the protocols for how you handle emails, how data is transferred, where it’s stored, and backups, stuff like that?

Joe Coleman: Yes. And you need to have a policy and a procedure for each one of those. They have to be fully documented every step of the way.

Doug Glenn: Wow. Okay. Sounds like fun, Joe.

Joe Coleman: It is. I enjoy it, but it’s a lot of work.

Doug Glenn: I’m glad somebody enjoys it. I think I’d be swinging from a rope somewhere; you know?

Joe Coleman: I eat, sleep, and drink it.

Doug Glenn: Well, that’s good, I appreciate it. The columns and things that you’ve written for our publication have been helpful to people, I know. And I think this podcast will also be helpful to them. But do you know, for those who are listening and might be attending Furnaces North America, do you know when your talk is?

Joe Coleman: It’s going to be on the 16th at 8:50 a.m., and it’s in room 222.

Doug Glenn: All right.

All right, Joe. Thank you very much. I appreciate your time. We’ll look forward to more of your input.

Thanks everyone for listening.

About The Guest

Joe Coleman
Cyber Security Officer
Bluestreak Consulting

Joe Coleman is the cybersecurity officer at Bluestreak Compliance, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe will be speaking at the Furnaces North America (FNA 2024) convention, presenting on DFARS, NIST 800-171, and CMMC 2.0.

Contact Joe at joe.coleman@go-throughput.com.


Search Heat Treat Equipment And Service Providers On Heat Treat Buyers Guide.Com


Heat Treat Radio #113: NIST and CMMC: What Heat Treaters Need To Know Read More »

Cybersecurity Desk: Artificial Intelligence and Heat Treating

op-ed

Artificial intelligence remains a hot topic for every industry, not least heat treating. Understanding the how and why of AI’s potential impacts on the industry, however, is not so easily apparent.

Today’s article, written by Joe Coleman, cybersecurity officer at Bluestreak Consulting, breaks down the pros and cons of implementing AI, to help you decide if artificial intelligence might be a beneficial addition to your heat treat operations.

This article was originally published in Heat Treat Today’s December 2023’s Medical and Energy Heat Treat magazine, and can be read in fullness here.


Introduction

Joe Coleman, cyber security officer, Bluestreak Consulting

As all of you are aware, artificial intelligence (AI) is getting more and more attention, and companies are beginning to use AI to help with many aspects of running their businesses. I’m sure you’ve heard of ChatGPT and other intelligent user interfaces (IUI). You may be one of those businesses considering the idea or experimenting with it to access its potential benefits for your business.

Like any industry, there are quite a few pros and cons associated with using AI to improve the heat treating processes. This article will outline some of these advantages and disadvantages. Always make sure you do your own research before jumping into the AI world because it’s not always what it seems.

What Is Artificial Intelligence (AI)?

Artificial Intelligence is the simulation of human intelligence in machines that are programmed to think and learn like humans. It includes a wide range of techniques and approaches, including machine learning, allowing computers to perform tasks that typically require human intelligence, such as understanding natural language, recognizing patterns, solving problems, and making decisions. AI systems are designed to learn from data, improving their performance over time without direct programming. These technologies find applications in many areas, from virtual assistants and language translation services to autonomous vehicles and industrial diagnostics, revolutionizing industries and helping to shape the future of technology

Pros of AI in Heat Treating

Quality Improvement:

  • AI systems can monitor and help control the heat treatment process in real time, ensuring you have consistent quality and to minimize defects.
  • Predictive analytics in AI can anticipate potential defects, allowing for corrective actions before they occur.

Increased Efficiency:

  • AI algorithms can optimize processing parameters and reduce bottlenecks, leading to faster and more efficient heat treating processes.
  • AI-driven automation can improve employee labor throughput and increase overall production speed.

Cost Reduction:

  • By optimizing utilities usage and resources, AI can help reduce the plethora of operational costs within heat treating facilities.
  • Predictive maintenance generated by AI can prevent costly equipment breakdowns and production downtime.

Customization and Personalization:

  • AI algorithms can analyze customer requirements and tailor heat treating processes to their specific needs.
  • Improved data analysis can lead to the development of new and specialized heat treatments for different metals and alloys.

Data Analysis and Information:

  • AI systems can process enormous amounts of data generated during heat treatment, collecting valuable information that can be used for process improvements and better-quality management.
  • Pattern recognition and statistical process control (SPC) analysis by AI can identify trends and correlations that could normally be overlooked.
Click image to download a list of cybersecurity acronyms and definitions.

Cons of AI in Heat Treating

Initial Investment:

  • Implementing an AI system requires a significant initial investment in the technology, training, and infrastructure, which may be a showstopper for smaller businesses.

Dependency on Technology:

  • Dependencies on AI systems can be a problem if there are technical glitches or breakdowns, disrupting the entire heat treating process.

Data Security and Privacy:

  • AI systems rely heavily on data. Ensuring the security and privacy of sensitive data is critical, especially when dealing with Controlled Unclassified Information (CUI), your proprietary heat treating processes, and sensitive customer information.

Ethical Concerns:

  • AI decision-making processes raise ethical questions, especially if the technology is used in critical applications, ensuring fairness, transparency, and accountability in AI decision-making is essential.

Skilled Workers Replaced:

  • Automation using AI might reduce the need for certain manual tasks, potentially leading to skilled workers losing their jobs without the necessary skills to operate or maintain AI systems.

Here’s the bottom line: You should always do your own research to see if AI is a good fit for your business. AI is not always better. There are upsides of using it, and there are definitely downsides to using it. You can’t always trust AI to give you the best information, so always make sure you confirm the information it is giving you through V&V (verification and validation).

At the Metal Treating Institute’s (MTI) national fall meeting, held October 9–11 in Tucson, AZ, Jay Owen gave an excellent presentation entitled, “Artificial Intelligence: Be Afraid or Be Excited.” Contact MTI by visiting www.heattreat.net.


Find heat treating products and services when you search on Heat Treat Buyers Guide.Com

Cybersecurity Desk: Artificial Intelligence and Heat Treating Read More »

Don’t Be the Next Ransomware Victim: How To Detect, Protect, and Recover

op-ed

Ransomware is a threat to all industries, and heat treating is no exception! This article is here to give heat treaters the "how-to" of responding to ransomware, to help keep operations safe and running smoothly. 

Today's read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column was first released in Heat Treat Today's November 2023 Vacuum Heat Treat print edition.


Introduction

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

Today, the threat of being infected with ransomware is everywhere. Ransomware attacks have grown increasingly sophisticated and widespread, leading to substantial financial harm, emotional distress, and damaged reputation to those unfortunate enough to become victims.

In this article, we’ll cover ransomware — describing what it is, how it works, and most importantly, how you can protect yourself from becoming its next target. Equip yourself with the knowledge and proactive strategies required to protect your digital assets, data, and systems.

What Is Ransomware?

Ransomware is a cyber threat that wreaks havoc on businesses by encrypting computer files and extorting a ransom from victims for their release. Once your system falls victim to this malicious software, it can spread to connected devices, such as shared storage drives and other network-accessible computers. Even if you comply to the ransom demand, there’s no guarantee of full data recovery, because cybercriminals may withhold decryption keys, demand additional payments, or even delete your data. It’s important to note that the federal government strongly discourages paying ransomware demands, as it fuels criminal activity.

Click on the Image for a full list of Cybersecurity Acronyms

What Can I Do To Prevent Ransomware Attacks?

Frequent and Routine Backups: Perform regular backups of your system and essential files, and consistently verify their integrity. In the case that your computer or system is infected with ransomware, you can restore them to a previous state using these backups.

Keep Software Updated: Ensure that your applications and operating systems are up to date with the latest software/security patches. Most ransomware attacks target vulnerabilities in outdated software.

Secure Backup Storage: The best practice is to store your backups on a separate device that is not connected to the network, such  as an external hard drive. Even better, consider storing your backups offsite at a different location. After completing the backup, disconnect the external hard drive or isolate the device from the network or computer.

Exercise Caution with Links: Exercise caution when dealing with links and entering website addresses. Be especially vigilant when clicking on links in emails, even if they appear to be from familiar senders. It’s advisable to independently verify website addresses. You can do this by reaching out to your organization’s helpdesk, searching the internet for the sender’s organization website, or researching the topic mentioned in the email. Pay close attention to both directly clicking the link to and manually entering the address of a website, as malicious sites often mimic legitimate ones with slight spelling variations or different domains (e.g., .com instead of .net).

Cybersecurity Awareness Training: Businesses should prioritize providing cybersecurity awareness training to their personnel. Ideally, organizations should conduct regular, mandatory cybersecurity awareness training sessions to ensure their staff stay well informed about current cybersecurity threats and techniques employed by threat actors. These training sessions should occur at least once a year. Additionally, organizations can enhance workforce awareness by testing their personnel with phishing simulations that replicate real-world phishing emails, as well as different types of face-to-face social engineering to try to get usernames/ passwords.

Responding To a Ransomware Attack

Isolate the Infected System: Disconnect the infected system immediately from the network to prevent the spread of the infection.

Identify Affected Data: Determine what data have been affected. Sensitive data, such as customer’s electronic CUI (controlled unclassified information), may require additional reporting and mitigation measures.

Check for a Decryption Key: Explore on the internet to see if a decryption key is available. Online resources like www.nomoreransom.org can be helpful.

Restore from Backups: Restore your files from regularly maintained backups.

Report the Incident: Report ransomware incidents. Consider reporting to your local Federal Bureau of Investigation (FBI) field offices or the Internet Crime Complaint Center (IC3) at www.ic3.gov.

Do Not Pay The Ransom: Emphasize the importance of not paying the ransom as it can encourage additional criminal activity.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.


Find heat treating products and services when you search on Heat Treat Buyers Guide.com


Don’t Be the Next Ransomware Victim: How To Detect, Protect, and Recover Read More »

Cybersecurity Desk: NIST SP 800-171 Is Changing But Don’t Panic . . .

How can increased cybersecurity measures benefit today’s heat treaters and their clients? Find out more with an exploration of the coming changes in CUI and the way these changes could affect heat treating companies. 

Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column was first released in Heat Treat Today’s September 2023 People of Heat Treat print edition.


Introduction

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

This 10th article in the series from Heat Treat Today’s Cybersecurity Desk will explain some of the changes that are being proposed in the IPD (Initial Public Draft) of NIST SP 800-171 Revision 3. On May 10, 2023, the National Institute of Standards and Technology (NIST) released a draft version of Rev. 3 for Special Publication (SP) 800-171, the foundational framework of requirements for protecting controlled unclassified information (CUI). The final version of NIST SP 800-171 Rev. 3 is expected to be released in early 2024.

Don’t panic about these proposed changes in Rev. 3. If you handle CUI and you are working towards your compliance, continue to implement Rev. 2. Don’t wait until Rev. 3 is fully released to start. Remember, DFARS mandates that if you are a DoD prime contractor or subcontractor with CUI, you need to be compliant with NIST 800-171 Rev. 2 as well as CMMC Level 2 or 3 certified. CMMC certification deadline is in 2025 and it’s fast approaching.

Modifications & Additions to Rev. 3

The changes in Rev. 3 should have a positive impact on your ongoing compliance management program. They simultaneously made the requirements easier to understand and implement while also preserving and even adding flexibility that allows companies to make risk-based decisions about their environments and the data managed in those environments. These include the merging, addition, removal,
and clarification of several different requirements. The most obvious difference is that the requirements went from 110 controls down to 109. This was because they had withdrawn 27 of the original controls (most are migrated into another existing control) and added 26 new requirements.

Categories of Changes

• 18 Controls with “No Significant Change”: Editorial changes to requirement; no change in outcome.
• 49 Controls with “Significant Change”: Additional detail in the requirement, including more comprehensive detail on foundational tasks for archiving the outcome of the requirement.
• 18 Controls with “Minor Changes”: Editorial changes. Limited changes in the level of detail and outcome of requirements.
• 26 Controls with “New Requirements”: Newly added requirement in IPD SP 800-171 Rev. 3.
• 27 Controls with “Withdrawn Requirements”: Requirement withdrawn.
• 53 Controls with “New Organization-Defined Parameter (ODP)”: New ODPs can apply to all change types with the exception of withdrawn requirements. Each requirement includes one or more new ODPs.

Chart with Cybersecurity Acronyms
Click on the Image for a full list of Cybersecurity Acronyms

Implications for Heat Treaters

What has not changed is that companies that handle CUI must comply with the NIST 800-171 cybersecurity standards. Failure to comply can result in significant consequences, including loss of contracts and damage to the company’s reputation. With the release of Rev. 3, heat treaters must ensure they are up to date with the latest security requirements. One of the most significant changes in Rev. 3 is the addition of new security requirements. Heat treating companies must review these new requirements and ensure they have implemented the necessary controls to meet them. Also, organizations must review the updated requirements to ensure they meet the latest best practices. The reorganization of the security requirements may also impact heat treaters. The alignment with the NIST Cybersecurity Framework provides a more comprehensive approach to security. However, some companies may need to adjust their current security programs to align with the new structure. By staying informed and implementing the necessary controls, heat treat organizations can ensure they are adequately protecting CUI and meeting their compliance obligations to their clients.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.


Find heat treating products and services when you search on Heat Treat Buyers Guide.com


Cybersecurity Desk: NIST SP 800-171 Is Changing But Don’t Panic . . . Read More »

Cybersecurity Desk: Not Using 2FA or MFA? Your Data Is Not Secure

How can increased cybersecurity measures benefit today's heat treaters and their clients? Find out more with an exploration of 2FA and MFA!

Today's read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column was first released in Heat Treat Today's August 2023 Automotive Heat Treat print edition.


Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

Introduction

This 9th article in the series from Heat Treat Today’s Cybersecurity Desk will explain the significance of 2FA (2-Factor Authentication) and MFA (Multi Factor Authentication), their benefits, and how they can help secure your data and your clients’ data.

2FA and MFA have proven to be effective methods to enhance online security. And, if you provide any products or services to a DoD (Department of Defense) contractor, this is mandatory for all users accessing your computer systems and critical data. Implementing 2FA is a minimum requirement and is better than just a username/password combination. MFA takes your security to a whole new level.

What Is 2FA?

2FA adds an extra layer of security to the usual username/password combination. It requires users to provide a second authentication factor, typically something they possess, in addition to their password. Common examples include a one-time verification code sent via SMS, email, or generated by an authentication app like Google Authenticator or Authy. By requiring the combination of something known (password), along with something possessed (authentication factor), an additional level of security is provided.

What is MFA?

The strengths of Multi-Factor Authentication (MFA) take security a step further by incorporating multiple authentication factors beyond the customary two. These authentication factors can be categorized into three main types: something you know (password or PIN), something you have (smartphone or security token), and something you are (biometrics like fingerprints or facial recognition). MFA offers increased security as it requires multiple factors to be verified before granting access.

Is MFA Better than 2FA?

In terms of security, the more the better should be the correct mindset. MFA is a more secure method than 2FA, because a user must respond to more checkpoints, especially if authentication factors disperse through different access points that aren’t available online (like a token or security key) and require a physical presence. Proving user identity multiple times instead of just submitting items of proof twice (i.e., 2FA), lowers the chance of a breach and helps achieve security compliance requirements.

Implementing 2FA or MFA

Enabling 2FA and MFA is becoming a more and more accessible option across many platforms and services. The most popular websites, email providers, social media networks, and online banking institutions offer 2FA and/or MFA options. Users can typically find the necessary settings in their account security or privacy preferences. It is crucial to follow the provided instructions for setting up and managing these authentication methods properly. In an age where cyber threats are always rising, protecting our online presence is critical. 2FA and MFA have proven to be effective methods in safeguarding our digital lives. By implementing these extra layers of security, companies can enhance their defenses and protect their data and their clients’ data.

What About Your Outside Personnel Support?

Chart with Cybersecurity Acronyms
Click on the Image for a full list of Cybersecurity Acronyms

Many companies have outside vendor support, and maintenance personnel access their network and systems on a regular basis. For example, they may use VPN access that requires the user to “punch a hole” in the firewall, making it much more vulnerable to unauthorized access. Additionally, it is typically a configuration nightmare for your network and the IT folks to get it working properly.

There is a better way. Through much research and testing, we have found that BeyondTrust is a great tool to use to allow outside vendors secure access to the information they need to see without connecting to your network. It is currently used by 20,000+ organizations worldwide with much success and security. BeyondTrust also records their entire online session so you can see exactly what they accessed and did during the online session. Check out www.beyondtrust.com for more information.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.


Find heat treating products and services when you search on Heat Treat Buyers Guide.com


Cybersecurity Desk: Not Using 2FA or MFA? Your Data Is Not Secure Read More »

Cybersecurity Desk: Not Using 2FA or MFA? Your Data Is Not Secure

How can increased cybersecurity measures benefit today’s heat treaters and their clients? Find out more with an exploration of 2FA and MFA!

Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column was first released in Heat Treat Today’s August 2023 Automotive Heat Treat print edition.


Introduction

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

This 9th article in the series from Heat Treat Today’s Cybersecurity Desk will explain the significance of 2FA (2-Factor Authentication) and MFA (Multi Factor Authentication), their benefits, and how they can help secure your data and your clients’ data.

2FA and MFA have proven to be effective methods to enhance online security. And, if you provide any products or services to a DoD (Department of Defense) contractor, this is mandatory for all users accessing your computer systems and critical data. Implementing 2FA is a minimum requirement and is better than just a username/password combination. MFA takes your security to a whole new level.

What Is 2FA?

2FA adds an extra layer of security to the usual username/password combination. It requires users to provide a second authentication factor, typically something they possess, in addition to their password. Common examples include a one-time verification code sent via SMS, email, or generated by an authentication app like Google Authenticator or Authy. By requiring the combination of something known (password), along with something possessed (authentication factor), an additional level of security is provided.

What is MFA?

The strengths of Multi-Factor Authentication (MFA) take security a step further by incorporating multiple authentication factors beyond the customary two. These authentication factors can be categorized into three main types: something you know (password or PIN), something you have (smartphone or security token), and something you are (biometrics like fingerprints or facial recognition). MFA offers increased security as it requires multiple factors to be verified before granting access.

Is MFA Better than 2FA?

In terms of security, the more the better should be the correct mindset. MFA is a more secure method than 2FA, because a user must respond to more checkpoints, especially if authentication factors disperse through different access points that aren’t available online (like a token or security key) and require a physical presence. Proving user identity multiple times instead of just submitting items of proof twice (i.e., 2FA), lowers the chance of a breach and helps achieve security compliance requirements.

Implementing 2FA or MFA

Enabling 2FA and MFA is becoming a more and more accessible option across many platforms and services. The most popular websites, email providers, social media networks, and online banking institutions offer 2FA and/or MFA options. Users can typically find the necessary settings in their account security or privacy preferences. It is crucial to follow the provided instructions for setting up and managing these authentication methods properly. In an age where cyber threats are always rising, protecting our online presence is critical. 2FA and MFA have proven to be effective methods in safeguarding our digital lives. By implementing these extra layers of security, companies can enhance their defenses and protect their data and their clients’ data.

What About Your Outside Personnel Support?

Chart with Cybersecurity Acronyms
Click on the Image for a full list of Cybersecurity Acronyms

Many companies have outside vendor support, and maintenance personnel access their network and systems on a regular basis. For example, they may use VPN access that requires the user to “punch a hole” in the firewall, making it much more vulnerable to unauthorized access. Additionally, it is typically a configuration nightmare for your network and the IT folks to get it working properly.

There is a better way. Through much research and testing, we have found that BeyondTrust is a great tool to use to allow outside vendors secure access to the information they need to see without connecting to your network. It is currently used by 20,000+ organizations worldwide with much success and security. BeyondTrust also records their entire online session so you can see exactly what they accessed and did during the online session. Check out www.beyondtrust.com for more information.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.


Find heat treating products and services when you search on Heat Treat Buyers Guide.com


Cybersecurity Desk: Not Using 2FA or MFA? Your Data Is Not Secure Read More »

Cybersecurity Desk: Work-From-Home Cybersecurity Tips and Best Practices

Work-from-home benefits and challenges extend to work-from-travel occasions! Access corporate networks and systems with 8 cybersecurity best practices.

Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™This column is in Heat Treat Today’s June 2023 Heat Treat Buyers Guide print edition.


Introduction

In this eighth Cybersecurity Desk installment, understand the benefits and challenges associated with working from home or accessing corporate networks and systems while traveling.

Why Are So Many People Working from Home?

The COVID pandemic forced many companies to adapt to remote working and work-from-home (WFH)

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting
Source: Bluestreak Consulting

policies. Even though these policies have provided employees with more flexibility, they have also highlighted cyber risks that companies must consider. As of March 2022, work-from-home and working remotely have increased by 238% compared to pre-pandemic numbers. Although that number has reduced somewhat recently, it has changed the way companies operate and view WFH.

Several benefits of WFH include:

  1. Increased employee retention and productivity
  2. Reduced distractions and interruptions by coworkers
  3. Reduced company overhead costs
  4. Increased family time by eliminating commute

One of the first challenges most companies face when shifting to a WFH model is ensuring every employee has high-speed internet access. Most employees will use home Wi-Fi network or cell phone/wireless carrier as an internet “hot spot.” The first common sense rule of thumb is always try to avoid public Wi-Fi and public charging stations. Any way you choose to access high-speed internet, it must be secure. By now, most companies should have WFH or remote work policies and procedures in place, with employee awareness and training, because they MUST be followed to reduce cybersecurity risks.

Cybersecurity Best-Practices for Securing Remote Workers

If your company has employees that work from home and you’re wondering what cybersecurity measures you should put in place, here are some best practices to help you:

  1. Secure your work sessions: Using a single room that has a door that can lock is the ideal situation when possible. Many WFH employees are either sitting at their kitchen table or in the living room. In those cases, make sure to have your monitor facing a wall to prevent family or guests from viewing your work session and lock your computer when you’re away.
  2. Separate your home and business networks: Separate your Wi-Fi network so company-approved devices will be separate. Even better, use a secure network and a company-issued Virtual Private Network (VPN) to access your business accounts. You can also use BeyondTrust for secure remote access. Home routers should always be updated to the current software version when it becomes available.
  3. Separate work and personal devices: When accessing your corporate network, only use company-approved devices. Unless your company allows Bring-Your-Own-Device (BYOD), never use an unapproved device to access your company network.
  4. Think before you click: Hackers use phishing and other social engineering methods to target employees with legitimate-looking emails and social media messages. These can trick users into providing confidential data, such as usernames, passwords, credit card numbers, social security numbers, account numbers, etc. SLOW DOWN.
    Don’t click on links sent from an unknown or untrusted source. Resist the urge to click links in a suspicious email. You can hold your cursor over a link, and it will show you (in the bottom left corner of your screen) the website that it will go to if you click on it. If it’s an unknown or suspicious site, DO NOT click on it.
  5. Click the Image TO Download More Than 350 Cybersecurity AcronymsAntivirus with real-time scanning: Antivirus software detects the presence of malware on your computer. A dynamic scanning feature repeatedly checks for computer infiltration by a malicious threat. Always keep your antivirus up to date and active.
  6. Update programs, applications, and operating systems: Vulnerabilities in applications and operating systems are continually being found and exploited. Cybercriminals often use these vulnerabilities to exploit data and infiltrate devices and networks. Application vulnerabilities are a cybersecurity challenge of remote working. Make sure you are regularly performing updates as they are released.
  7. Use 2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA): If you’re not using 2FA or MFA, you are NOT secure. You should use 2FA or MFA wherever it’s available. Your company should have this requirement in its policies and procedures.
  8. Use strong PINs/passwords on your devices: Strong passwords should contain a good mixture of upper/ lowercase letters, numbers, and symbols (or special characters). Passwords should also not be based on dictionary words and should contain at least twelve characters (the longer the better). Never use the same password for multiple accounts and use a password generator and a password manager.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.


Find heat treating products and services when you search on Heat Treat Buyers Guide.com


Cybersecurity Desk: Work-From-Home Cybersecurity Tips and Best Practices Read More »

Cybersecurity Desk: What Should Heat Treaters Be Doing NOW?

op-ed

This seventh article in the series from the Cybersecurity Desk  helps you determine if CMMC applies to your business, learn about what changes were made to CMMC 1.0., know what you should be doing NOW to prepare for CMMC 2.0., and more.

Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s May 2023 Focus on Sustainable Heat Treat Technologies print edition.


Introduction

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

Along with determining if CMMC (Cybersecurity Maturity Model Certification) applies to your business, this 7th article in the series from Heat Treat Today’s Cybersecurity Desk will give you a better understanding of what the certification is all about and the requirements to become certified. Also, we will cover the changes that were made to CMMC 1.0, the current status of CMMC’s proposed rule, and what you should be doing NOW to prepare for when the CMMC 2.0 rule is finally released.

What Is Changing in CMMC 2.0

In November 2021, the Department of Defense (DoD) announced a major update to the CMMC program. To safeguard sensitive national security information, the DoD launched CMMC 2.0, a comprehensive framework to protect the Defense Industrial Base’s (DIB’s) sensitive unclassified information from frequent and increasingly complex cyberattacks. Manufacturers or suppliers that handle sensitive or Controlled Unclassified Information (CUI) in any way or those within the DIB need to pay attention. CMMC 2.0 condenses the original 5 CMMC maturity levels into 3 levels, eliminating levels 2 and 4, and removing CMMC unique practices and all maturity processes. They have also revised the number of controls required for each of the three new levels. Level 1 includes 17 controls, Level 2 has 110 controls, and the total number of controls in Level 3 is still to be determined. There are also several other changes made that somewhat relax the requirements from CMMC 1.0.

Who Does CMMC Impact?

Manufacturers in the DIB are going to be held accountable to safeguard sensitive information and must comply with CMMC 2.0. Any contractor, subcontractor, supplier, or manufacturer that provides parts or services to the DoD or anyone within the DIB (no matter how minuscule) will need to comply with one of the three levels of CMMC compliance.

What Should Heat Treaters Be Doing Now?

Although CMMC 2.0 is still in the rulemaking phase, the new CMMC proposed rule is expected to be released sometime in mid-2023. This will give some much needed clarity on how to move forward and will help streamline the implementation of CMMC. Warnings will be issued to the DIB through DoD primes and will be passed down through the supply chain. Manufacturers that do not comply will be at risk of losing contracts.

If you (or your clients) are doing work for any DoD primes (or NASA), such as Raytheon, Lockheed Martin, McDonnell Douglas, Northrup Grumman, or L3Harris (and many more), then this applies to your business. If you are unsure, check the fine print in your contracts, and/or ask your clients about their requirements.

If you handle CUI in any way, you need to be at a CMMC Level 2 or Level 3. The most common level is Level 2. If you don’t handle CUI in any way, but you do handle FCI (Federal Contract Information), you will need to be certified at a Level 1.

On average, it can take a company of up to 100 employees between 12 to 18 months for NIST 800-171 (CMMC Level 2) implementation. Meaning, even though CMMC 2.0 is not completed yet, don’t wait until it is. You’re already a year behind if you haven’t started your NIST 800-171 implementations and you want to be ready for when the CMMC 2.0 rule is released

CMMC certification requires government oversight whereas NIST 800-171 compliance can be self-attested. You should always hire a qualified CMMC consultant to ensure that you’re “audit-ready” for your certification audit.

What’s the Difference Between FCI and CUI?

FCI is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service. CUI and FCI share important similarities and a particularly important distinction. Both CUI and FCI include information created or collected by or for the government, as well as information received from the government. However, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding and may also be subject to dissemination controls. In short: All CUI in possession of a government contractor is FCI, but not all FCI is CUI.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.


Find heat treating products and services when you search on Heat Treat Buyers Guide.com


Cybersecurity Desk: What Should Heat Treaters Be Doing NOW? Read More »

Cybersecurity Desk: Have You Entered Your NIST 800-171 Self-Assessment Score into SPRS Yet?

op-ed

This sixth article in the series from the Cybersecurity Desk will give you a better understanding of how to submit your basic NIST 800-171 self-assessment score into SPRS (Supplier Performance Risk System).

Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s March 2023 Aerospace Heat Treating print edition.


Introduction

This sixth article in the series from the Cybersecurity Desk will give you a better understanding of how to submit your basic NIST 800-171 self-assessment score into SPRS (Supplier Performance Risk System).

Why Should You Do This?

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7020 is one of the three newly released clauses (after the original 252.204-7012) of the DFARS 252.204-70 series (7019, 7020, 7021) in November 2020. DFARS 252.204-7019 is the “Notice of NIST 800-171 DoD Assessment Requirements”; whereas DFARS 7020 consists of the requirements alone. DFARS 7020 requires you to submit your basic NIST 800-171 self-assessment score to SPRS. Contractors and service providers are to provide the government access to its facilities, systems, and personnel any time the Department of Defense (DoD) is renewing or conducting a Medium or High assessment.

Once your self-assessment score has been submitted and accepted into SPRS, you will be eligible to be awarded contracts. Your score must remain in SPRS throughout the duration of the contract(s). You’ll need to show that you are working towards full compliance.

If a self-assessment score submitted to SPRS is required in order to win a contract, and you don’t have a self-assessment score in the system because you don’t have CUI, does that mean you will lose the contract? Maybe.

The requirement for NIST SP 800-171 DoD self-assessment is being enforced whether or not you have CUI. So, it makes sense to get started on this ASAP to position your company for additional business. Plus, having better cybersecurity controls in place is definitely a business best-practice.

How To Submit Your Basic Self-Assessment Score to SPRS

There are two ways to submit your basic self-assessment score to SPRS.

Option 1: Using email to send the information. Submitting your self-assessment score via email to SPRS includes the following steps:

  • Get an accurate NIST 800-171 Self-Assessment and Score. Conduct the self-assessment and obtain your score using cybersecurity professionals that carefully follow the required DoD Assessment Methodology for NIST Special Publication (SP) 800-171A.
  • Identify your SPRS “Scope of Assessment.” Your SPRS score submission will fall into one of three categories: Enterprise, Enclave, or Contracts.
  • Determine your expected completion date. The “Plan of Action Completion Date” must be determined according to your compliance project timelines.
  • Find your commercial and government entity CAGE codes. Your CAGE codes represent the part(s) of your organization included in the assessment and represented in the final System Security Plan (SSP) document.
  • Provide a brief description of the SSP format and system architecture.
  • Submit your self-assessment score to SPRS. To submit your score, send an email (optionally encrypted and signed) to webptsmh@navy.mil with the subject line “SPRS Self-Assessment Score Submission” in the exact format specified below:
    • Assessment date
    • Assessment score
    • Scope of assessment
    • Plan of action completion date
    • Included CAGE(s) codes
    • Name of System Security Plan (SSP) assessed
    • SSP version/revision
    • SSP date
    • Wait for email confirmation

Option 2: Using the PIEE (Procurement Integrated Enterprise Environment). 

Register a PIEE account at https://piee.eb.mil/. Once your business is registered, choose the SPRS link and follow all instructions. You will need to provide all the same information as shown in Option 1.

Funding & Cost Sharing May Be Available for Heat Treaters

With the huge push for stricter cybersecurity practices by the government and many businesses, cost sharing and funding sources have been identified that may cover a substantial percentage of the costs associated with these critical cybersecurity projects. Every state has at least one MEP (Manufacturing Extension Partnership). Many states are more than willing to help out with the cost of implementation.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.


Find heat treating products and services when you search on Heat Treat Buyers Guide.com


Cybersecurity Desk: Have You Entered Your NIST 800-171 Self-Assessment Score into SPRS Yet? Read More »

Cybersecurity Desk: Performing Your Basic & Final NIST SP 800-171 Self-Assessments

op-ed

For any heat treater interested in getting these high-security contracts, review the following steps that will help you successfully complete your basic and final self-assessment.

Today’s read is a Cybersecurity Desk feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s February 2022 Air & Atmosphere Furnace Systems print edition.


Introduction

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

Do you have plans to perform your NIST SP 800-171 self-assessment, but need more clarity about what’s involved? DFARS 252.204-7012 and the DFARS Interim Rule, including DFARS 252.204-7019, state that all DoD contractors in the Defense Industrial Base (DIB) that process, store, and/or transmit CUI (Controlled Unclassified Information) and want to be eligible for any contract award must complete a self-assessment (or basic assessment) using the DoD’s NIST SP 800-171 Assessment Methodology and generate a points-based score. This score will then be uploaded into the Supplier Performance Risk System (SPRS). At the time of contract award for a DoD contract containing the new 7019 clause, a DoD contracting officer will verify that a score has been uploaded to the SPRS.

For any heat treater interested in getting these high-security contracts, review the following steps that will help you successfully complete your basic and final self-assessment.

Identifying and Defining Your Organization’s CUI

Your NIST 800-171 basic self-assessment should start by identifying CUI sources and flows and mapping them within your organization’s IT systems. Organizations need to understand that CUI is an information category that includes Covered Defense Information (CDI) and Controlled Technical Information (CTI).

Define the Scope of the Self-Assessment

When finished identifying all CUI, you’re ready to scope the environment. To scope the environment correctly, first, determine what systems, applications, and business procedures that process, store, or transmit CUI. Second, define details of how data moves through your network.

NIST 800-171 Self-Assessment Procedure

You can find the self-assessment procedure for all compliance requirements in NIST SP 800-171A. Basically, a self-assessment is performed evaluating all 320 assessment/control objectives. Assessment/control objectives include the determination statements related to a particular security requirement. The 320 assessment/control objectives are divided among 110 separate controls which are included in 14 different control families.

Self-assessment methods include:

  • Examining: reviewing, inspecting, observing, or analyzing assessment objects
  • Interviewing: discussing with individuals to facilitate understanding, clarification, or gather evidence
  • Testing: confirming that assessment objects under specified conditions are met

Organizations are not expected to use all assessment methods and objects in NIST 800-171A. Instead, they have the freedom to determine which methods and objects are best for them to get the desired results.

Must Have a System Security Plan (SSP)

One of the most important requirements for a successful self-assessment is having a System Security Plan (SSP). Not having an SSP is a definite obstacle.

The SSP describes the system boundaries, how the IT system operates, how the security requirements are implemented, and the relationships with, or connections to other systems. It also includes information on security requirements.

Plan of Action & Milestones (POA&M)

To best protect CUI, organizations need to implement the CUI security requirements to the fullest extent possible. But, when some of the requirements are not completely implemented, a POA&M must be generated. The POA&M includes the tasks needed to resolve deficiencies, along with the resources and timelines required.

The purpose of the POA&M is to identify, assess, prioritize, and monitor the progress of corrective actions, allowing the organization to achieve the desired assessment score.

Next month we will discuss: “Submitting Your Basic Self-Assessment Score(s) To The SPRS.”

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.


Find heat treating products and services when you search on Heat Treat Buyers Guide.com


Cybersecurity Desk: Performing Your Basic & Final NIST SP 800-171 Self-Assessments Read More »