6 MiMfg Magazine March 2017
New Cyber Security Requirements Impact Michigan Manufacturers
By Elliot Forsyth • Michigan Manufacturing Technology Center
The risks are enormous and potentially devastating . According to IBM , small and mid-sized businesses are hit by cyber-attacks about 4,000 times a day . The U . S . National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyber-attack .
As a result of increased concerns about cyber-attacks , manufacturers with contracts with the Department of Defense ( DOD ), General Services Administration ( GSA ) or NASA must be compliant with defined cyber security requirements no later than 12 / 31 / 17 .
Since 2009 , Congress has added more information security requirements in the National Defense Authorization Act , and the National Institute of Standards and Technology ( NIST ) has produced several iterations of cyber security standards . The DOD has implemented these measures through changes to DOD policies and the Defense Federal Acquisition Regulation Supplement ( DFARS ).
Today there are new standards for companies handling “ Controlled Unclassified Information ,” or CUI . CUI is data that can be considered government-proprietary . It is information the government wants held secure , but is not vital to national security . DFARS now is implementing cyber security requirements on contractors handling CUI — a far broader set of companies than those doing classified work .
What represents adequate security for CUI under DFARS ? The set of minimum cyber security standards is described in NIST Special Publication 800-171 and broken down into 14 areas :
• Access Control
• Awareness & Training
• Audit & Accountability
• Configuration Management
• Identification & Authentication
• Incident Response
• Maintenance
“
As a result of increased concerns about cyber-attacks , manufacturers with contracts with the DOD , GSA or NASA must be compliant with defined cyber security requirements
”
no later than 12 / 31 / 17 .
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System & Communications Protection
• Systems & Information Integrity
In each of these 14 areas , there are specific security requirements that contractors MUST implement . Full compliance is required by 12 / 31 / 17 .
Companies with fewer than 100 employees generally are very capable in the manufacturing and / or fabrication of products . However , they often lack resources in information technology and physical security , particularly associated with cyber-attacks that clearly pose a threat to the viability of SMMs .
According to the Ponemom Institute , the average price for small businesses to clean up after they have been hacked stands at $ 690,000 ; and , for middle market companies , it is more than $ 1 million .
Cybercriminals target small businesses because there are easy , soft targets to penetrate . They steal information to rob bank accounts via wire transfers , steal customers ’ personal identity information , file for fraudulent tax refunds and commit health insurance fraud .
In addition to the fundamental financial threat of cyber-attacks , SMMs now face the double threat of losing their respective government contracts should they not conform to the NIST 800-171 standards by 12 / 31 / 17 . 6
Elliot Forsyth is vice president of business operations for the Michigan Manufacturing Technology Center . He may be reached at 734-451-4212 or eforsyth @ the-center . org .