Cybersecurity: it's important for more than just keeping checking accounts safe. Banks, government agencies, and online data bases all require strict cybersecurity. But what about heat treaters? What are cybersecurity requirements for heat treaters, and how can they become compliant?
Today's Technical Tuesday is a Cybersecurity Desk feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column series will have its debut in Heat Treat Today's September 2022 Trade Show print edition.
If you are a heat treater who provides services to a Department of Defense (DoD) contractor or downstream DoD requests, you are affected by this topic and need to read on to get more details. In some cases, you may have already been asked about compliance by some of your customers. In this article and in future articles, we will provide the answers to the most
frequent questions regarding how heat treaters can become and stay in compliance to cybersecurity specs and even improve compliance in cybersecurity health.
Discussions around DFARS compliance, NIST 800-171 implementation, and cybersecurity within federal defense contracting are becoming increasingly prevalent by the day. Although it seems like the conversation is only recently gaining steam, the DFARS mandate has been around longer than people realize.
The DoD is requiring all contractors, subcontractors, and suppliers to be DFARS 252.204-7012 and NIST 800-171 compliant. Don’t take a chance on losing current DoD contracts and losing future business because of noncompliance. Compliance is non-negotiable for heat treaters within the DoD supply chain.
Heat treaters implementing effective cybersecurity practices are facing particularly challenging circumstances because there are more devices (including mobile devices) than people, and attackers are becoming more innovative. Cybersecurity is the practice of protecting systems, data, networks, and programs from digital attacks (web/cloud based). These cyberattacks usually seek to access, change, or destroy sensitive information; extort money from users; or interrupt normal business processes. Therefore, the government is pushing cybersecurity more than ever before. All of us need to be sure critical data and systems are protected and secured.
Here are several eye-opening statistics of how cybercrime affected SMBs (small to mid-sized businesses) from 2021:
- Cyberattacks increased by nearly 300% since the beginning of the pandemic
- 58% of cyberattack victims are small and mid-sized businesses
- 60% of small companies go out of business within 6 months after a major security breach
- 55% of ransomware attacks involve companies with fewer than 100 employees
- 95% of cybersecurity breaches are a result of human error
What Is DFARS 252.204-7012?
DFARS 252.204-7012 is a DoD regulation that has become increasingly important for defense contractors and suppliers.
Originally implemented in 2016, DFARS 252.204-7012 requires safeguarding and “adequate security” of Covered Defense — which also includes CUI (Controlled Unclassified Information) — by implementing the guidelines found in NIST SP 800-171.
DFARS 252.204-7012 further requires contractors to follow certain procedures in the event of a cyber incident, report the incident to the government, and provide access to systems.
What Is NIST SP 800-171?
NIST SP 800-171 is a NIST (National Institute of Standards and Technology) Special Publication that provides recommended requirements for protecting the confidentiality of CUI in non-federal organizations or businesses. Defense contractors must implement the recommended 110 control requirements contained in NIST 800-171 to demonstrate their provision of adequate security to protect the Covered Defense Information (CDI) included in their defense contracts, as required by DFARS 252.204-7012. If a manufacturer is part of a DoD, General Services Administration (GSA), NASA, or other federal or state agencies’ supply chain, the implementation of the security requirements included in NIST SP 800-171 is a must.
The deadline to be fully compliant with NIST 800-171 was December 31, 2017. But it’s not too late.
Even if a heat treater is not a DoD contractor or in the DoD supply chain, NIST 800-171 is a great "best practice" standard for any organization to improve overall cybersecurity health. This will help in obtaining future orders because customers will know critical data is secure. Explaining NIST 800-171 in depth, and each of the specific control areas, is beyond the scope of this article, so, be on the lookout for a future article on this specific topic later in this series of articles.
Consequences of Failing To Comply With DFARS 7012 and NIST 800-171
Heat treaters willing to move forward with these cybersecurity initiatives by the DoD will have an overwhelming impact on the DoD supply chain and your business. If many heat treaters in the U.S. choose to not embrace the mandatory requirements, the DoD and DoD contractors will award contracts solely to the few heat treaters who do choose to become compliant. Poor cybersecurity practices can result in hacking, loss of company data and critical customer data, and attacks by malware, viruses, and ransomware. All of this can result in major damage to the business and loss of customers, not to mention being liable for all losses and paying significant fines.
Complying with DFARS 7012 and NIST 800-171 is a requirement for all DoD contractors, subcontractors, vendors, and suppliers. The DoD has now begun confirming that contractors and subcontractors are compliant before awarding additional contracts. Navigating NIST 800-171 and DFARS is a complex and challenging — but necessary — step in this process.
Watch for Future Articles in Heat Treat Today Covering the Following Topics:
- DFARS 252.204-7012 and NIST SP 800-171 Explained for Heat Treaters
- DFARS Interim Rule Explained (DFARS 252-204-7019, 7020, and 7021)
- General Cybersecurity Best Practices and What You Should and Should Not Do
- Performing Your Basic & Your Final NIST 800-171 Assessments
- Submitting Your Assessment Score(s) to the SPRS (Supplier Performance Risk System)
- CMMC 2.0: The New Changes and How To Become Certified
- How To Safely and Securely Work From Home and Work Remotely
- If You're Not Using 2FA or MFA, Your Data and Your Customer’s Data Is Not Secure
- . . . and many more cybersecurity topics curated for heat treaters
Can You Afford Compliance? Funding and Cost Sharing for Heat Treaters
With the huge push for cybersecurity by the government, cost sharing and funding sources have been identified that may cover a substantial percentage of the costs associated with these critical cybersecurity projects.
About the Author:
Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe will be speaking at the Furnaces North America (FNA 2022) convention, presenting on DFARS, NIST 800-171, and CMMC 2.0. Contact Joe at joe.coleman@go-throughput.com.
Find heat treating products and services when you search on Heat Treat Buyers Guide.com