Upcoming cybersecurity regulations could catch manufacturers off guard and put at risk their ability to perform government contracts.
Industry insiders believe many manufacturers may have overlooked new federal guidelines issued under the U.S. Department of Defense that mandate suppliers adopt a variety of cybersecurity best practices, countermeasures and reporting standards to continue to qualify for contracts.
“I think the important part is people need to get moving,” said Joe Genet, vice president of the Oklahoma Manufacturing Alliance “The typical engagement for companies, assuming they’re starting from little to nothing, is six to nine months. We’re running out of time. My sense is there’s the majority of companies that do not meet this regulation.”
The new mandates take effect Dec. 31 this year and apply to contractors for the Department of Defense, National Aeronautics and Space Administration (NASA) and the General Services Administration.
While some manufacturers are accustomed to working with federal agencies on classified projects, these regulations are meant to safeguard sensitive information in unclassified material, particularly as the threat of cybersecurity breaches grows.
Cybersecurity attacks on manufacturers have continued to rise in recent years given the vast industry knowledge and intellectual property held on their computer servers. Manufacturing was the second most attacked sector in 2015, taking a backseat only to the health care industry, according to a 2016 cybersecurity intelligence index published by IBM X-Force Research.
While they were introduced in December 2015, the regulations have been slow to catch on among companies, something that Genet attributes to a lack of communication throughout the supply chain.
“I think the message hasn’t found its way from the top to the bottom really well,” he says. “There isn’t a sense of urgency.”
The new regulations encompass an array of requirements — 109 in total — including enhanced physical security of a company’s server room, system maintenance and access control protocols. The requirements are laid out in detail in the National Institute of Standards and Technology (NIST) Special Publication 800-171.
Genet notes that among the numerous mandates, manufacturers likely face the largest hurdles in complying with requirements to have documented cybersecurity policies and an action plan in place in the event of a breach.
“Once you’re awarded, you have to submit two plans” to the partnering company or to the governmental body, according to Genet.
“That is a system security plan and a monitoring and reporting plan,” he says. “Those are physical documents you have to deliver. The monitoring and reporting plan, the standard says that when I am breached — because chances are we’re all going to be breached at some point, you can’t completely protect yourself — you have to report it within 72 hours to your prime contractor and to the DOD with your remediation plan. The standard is written in a way that, depending on the severity of the breach and or the frequency of the breach, you could be subjected to audit.”
While the cost to implement these requirements varies vastly between companies, Genet estimates that it could cost manufacturers anywhere from a few thousand dollars to change company policies up to around $40,000 if their equipment is outdated.
“If my operating system is (Windows) XP, then my price is going to go up,” he says. “The important part is that everyone has to be compliant and has to make a business decision on how much this contract is worth to them.”
“The Oklahoma Manufacturing Alliance is looking to educate and inform and then say, ‘This is what you can do about it,’” says Genet. For more information on, contact the Manufacturing Alliance at 918-592-0722 or firstname.lastname@example.org