Cybersecurity is a common concern for any business. Every company needs to protect confidential information — from internal employee and financial data to customer information and trade secrets.
For metal fabrication companies that perform work for the United States Department of Defense (DoD), the stakes are even higher.
The threats of cyberattacks are among the top concerns in Washington, especially in light of recent government agency cyber incidents stemming from foreign entities. These and other threats have prompted new cybersecurity filing protocols and compliance requirements for DoD subcontractors, including metal fabricators.
As in other industries, phishing scams are the most common type of cyberattack against metal fabrication manufacturers. Hackers send emails that may look legitimate in an attempt to trick employees into opening them and clicking on links. If they do, the cybercriminals may gain access to networks where they mine for data, sometimes going undetected for months. Others may install ransomware that holds a company’s systems hostage by shutting down its IT infrastructure until a ransom is paid.
While the types of cyberattacks waged against DoD-qualified metal fabricators are not unique, the types of data they try to steal or hold hostage may be of greater significance than private sector or commercial information. Data associated with defense contracts and the products being produced may contain highly sensitive information that could have an impact on national security. As such, the DoD refined the cybersecurity requirements for its supply chain to enhance the protection of unclassified information in late 2020.
Becoming a qualified defense subcontractor requires more than simply providing metal fabrication that meets design specifications, timelines, and budgets. Strict compliance with cybersecurity regulations is laborious, yet understandably necessary. While there are many intricacies involved in compliance, there are three overarching areas to consider:
The Defense Federal Acquisition Regulation Supplement (DFARS) requires that the acquisition of raw materials used in products intended to protect the U.S. defense industry is not overly dependent on foreign sources. For example, DFARS clause 252.225-7008 requires that specialty steel be melted and manufactured in the United States.
In regards to cybersecurity, DFARS clause 252.204-7012 requires DoD contractors to use certified cloud providers and ensure adequate security to:
The National Institute of Standards and Technology (NIST) has issued standards based on best practices from several security documents, organizations, and publications. Consisting of three parts, the NIST framework “focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes.”
As technology and cyberthreats evolve, so does the framework. Currently, DoD contractors must measure their performance based on more than 100 security requirements. Some recent updates to NIST standards include reporting NIST 800-171 self-assessment results to the DoD via the Supplier Performance Risk System. This assessment serves to safeguard Covered Defense Information (CDI) and Controlled Unclassified Information (CUI), and it needs to be less than three years old.
The Cybersecurity Maturity Model Certification (CMMC) is a framework that consists of five levels of cybersecurity processes and practices. New DoD certification procedures build upon existing requirements and aim to improve cybersecurity throughout their supply chain. Metal fabrication defense contractors require CMMC certification and, for the time being, need to achieve level three by practicing “Good Cyber Hygiene.”
CMMC goes far beyond existing provisions. The first step to becoming CMMC compliant is to become compliant with NIST 800-171 in addition to many DFARS requirements. CMMC has many more nuances and requires a third-party audit, and finding a certified auditor can take some time, as they are in short supply.
What does compliance look like for a metal fabricator? Robust and repeated training for all employees is paramount in thwarting hackers’ number one tactic: email phishing scams. Some organizations go so far as to randomly test employees by sending fake phishing emails to ensure compliance, and use their findings to provide even further training.
The use of highly skilled third-party IT professionals, in addition to internal efforts, helps to secure networks. These professionals will implement many measures, including:
A qualified DoD metal fabrication facility should be a controlled environment that is equipped with secure doors, windows, security cameras, etc. Visitor access should be monitored by security cameras and require sign-in and ID proving U.S. citizenship.
Equipment inside the facility that has IIoT capabilities should be connected through a secure network, monitored, and locked down to job-specific functions. The computers, devices, and equipment in the facility need to have their USB ports blocked to ensure information, including CUI, cannot be downloaded to an external device.
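One way to verify the USB lockdown described above on a Windows workstation is to audit the Group Policy registry settings that restrict removable storage. The script below is an added example, not code from the original article or from Fox Valley Metal-Tech; it only reads settings and reports them, and it assumes a Windows 10/11 host using the standard Removable Storage Access policy keys and the USBSTOR driver service.

```powershell
# Added example: read-only audit of removable-storage restrictions on a Windows host.
# Assumption: standard Group Policy registry locations for "Removable Storage Access"
# and the built-in USBSTOR driver service. Nothing here changes any setting.

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$removableId = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # "Removable Disks" device class GUID
$usbstorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Return a registry value, or $null when the key or value does not exist.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

# Collect the individual controls and decide whether copying data to a USB drive is blocked.
function Test-UsbStorageLockdown {
    $classKey  = Join-Path $policyKey $removableId
    $denyAll   = Get-RegValue -Path $policyKey -Name 'Deny_All'     # all removable classes denied
    $denyWrite = Get-RegValue -Path $classKey  -Name 'Deny_Write'   # no writes to removable disks
    $denyRead  = Get-RegValue -Path $classKey  -Name 'Deny_Read'    # no reads from removable disks
    $usbStart  = Get-RegValue -Path $usbstorKey -Name 'Start'       # 4 = USB mass-storage driver disabled

    # Any one of these is enough to stop CUI from being written to an external USB disk.
    $copyBlocked = ($denyAll -eq 1) -or ($denyWrite -eq 1) -or ($usbStart -eq 4)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        DenyAllClasses        = ($denyAll -eq 1)
        DenyWriteRemovable    = ($denyWrite -eq 1)
        DenyReadRemovable     = ($denyRead -eq 1)
        UsbStorDriverDisabled = ($usbStart -eq 4)
        CopyToUsbBlocked      = $copyBlocked
    }
}

Test-UsbStorageLockdown | Format-List
```

A result of `CopyToUsbBlocked : False` on a machine that handles CUI is a finding to record in the internal audit; the same function can be run across the shop floor with `Invoke-Command` to produce evidence for the assessment.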
In addition to third-party CMMC audits, internal audits are conducted. Government certification requires reporting of the results to confirm compliance. In addition to reviewing internal processes, a metal fabricator must also consider its responsibility when outsourcing any elements of its production, such as sending out a project for a chem film coating or machining. Any information needs to be transferred and maintained in a secure, controlled environment.
As a certified DoD metal fabrication company, Fox Valley Metal-Tech strives to exceed current compliance standards and is continually improving in anticipation of further updates to CMMC requirements. Determining whether your metal fabrication project requires certification is just one step in submitting an accurate request for quote (RFQ). To understand additional RFQ specifications, including commonly overlooked items, view our helpful RFQ guide below. As always, contact our metal fabrication experts with questions.