The aerospace and defense industry supports the Department of Defense’s (DOD) efforts to protect against the proliferating cyber threat. As we strive to improve the security of the nation’s aerospace and defense cyber architecture, we need to avoid static, checklist solutions to a problem that requires dynamic, risk-based assessment and response.
Cybersecurity solutions vary widely in their purpose, their cost to implement, and the value they provide in improving contractors’ security posture. Current DOD-directed requirements continue to pose challenges for smaller companies, which may lack the IT expertise and infrastructure to comply fully. Above all, while we support having standards and reporting breaches, we have long argued that DOD’s implementation of NIST SP 800-171 is a static solution to a dynamic problem.
Complicating the issue is the absence of a unified federal approach to cybersecurity policy, stemming in part from the lack of an overarching Federal Acquisition Regulation (FAR) cybersecurity rule. Without such a unifying rule, each agency and department has made its own interpretation, creating a patchwork of rules, policies, and standards that industry must follow. The resulting ambiguity leads to conflicting policies among DOD, the Department of Homeland Security, and other departments with which our member companies work.
Government standards must move to a risk framework supported by collaborative, forward-thinking, and dynamic protection strategies that take action and measure their effectiveness. The basic framework for true supply chain cybersecurity lies in building awareness, understanding the risk and threat posture, developing plans, acting on those plans, and engaging with others to share lessons learned and best practices.
To this end, the Aerospace Industries Association (AIA) has developed a national aerospace standard (NAS9933) that can supplement DOD requirements to achieve a ‘state of security’ beyond minimum compliance. We believe the AIA standard can be used as part of an enterprise-wide DOD approach.
Key cybersecurity priorities include:
- Industry-government collaboration to ensure that government-generated controls are based on modeled guidance and do not place an unacceptable burden on aerospace and defense contractors and subcontractors.
- The means to assess the actual threat and develop threat-based defenses that ensure risk is managed, tracked, and reported.
- Tailoring NIST SP 800-171 through a risk management approach based on the threats to individual companies and networks.
- Ensuring that DOD contracting officials know they have the responsibility to designate and mark covered defense information (CDI).
- Identifying the ‘platinum/most important’ CDI for protection.
To purchase the standard, please visit our National Aerospace Standards store.