skip to Main Content

Welcome

Stronghold Cyber Security is a veteran-owned cyber security company located near historic Gettysburg, Pennsylvania that provides cutting-edge security services to businesses throughout the country. Service offerings include regulatory compliance, penetration testing, advanced cyber risk management, along with customized cyber security programs.

Get In Touch

Email: info@strongholdcybersecurity.com
Phone: 1-800-378-1187
Phone: 717-549-4009
Address: Gettysburg, PA

Our Location

Gettysburg
Stronghold Cyber Security CEO Authors Cover Story On NIST 800-171 For Metals & Manufacturing Outlook Magazine

Stronghold Cyber Security CEO authors cover story on NIST 800-171 for Metals & Manufacturing Outlook Magazine

“Cyber Security… Be Concerned or be Crushed.”

Cyber security is an increasingly pressing topic in the manufacturing vertical.  Jason McNew, CEO of Stronghold Cyber Security, recently authored the cover story for the June 2018 edition of Metals & Manufacturing Outlook magazine.  Titled “Cyber Security… Be Concerned or Be Crushed”, McNew discusses the need for manufacturers to implement a cyber security plan because not only is it best practice to safeguard valuable intellectual property, but for many, a cyber security framework known as NIST 800-171 has actually been required by the government since before the December 31, 2017 implementation deadline.    This compliance framework is required for government contractors and sub-contractors, as well as anyone in the DoD supply chain.  It is ideal for manufacturers of all sizes, and NIST 800 is the base framework for what is starting to become implemented on both state and local levels, as well as various industry verticals.

American manufacturers of all shapes and sizes have a very serious security problem, because economic and strategic competitors to the U.S. have been actively targeting our companies with the objective of stealing their intellectual property. The biggest of these cyber threats is undoubtedly China. If you want to know what China is after, just look a look at their most recent “Five Year Plan.” As there are thousands of manufacturers who make parts for the DoD, the federal government decided to take a proactive approach to this problem, by helping American manufacturers to protect their information with a framework known as NIST 800-171. The framework is ideal for non-DoD manufacturers as well.

Cyber Security... Be Concerned or Be Crushed - NIST 800-171 Compliance for Manufacturers

Cyber Security… Be Concerned or Be Crushed – NIST 800-171 Compliance for Manufacturers

American manufacturers of all shapes and sizes have a very serious security problem, because economic and strategic competitors to the U.S. have been actively targeting our companies with the objective of stealing their intellectual property.  The biggest of these cyber threats is undoubtedly China.  If you want to know what China is after, just look a look at their most recent “Five Year Plan.”  As there are thousands of manufacturers who make parts for the DoD, the federal government decided to take a proactive approach to this problem, by helping American manufacturers to protect their information with a framework known as NIST 800-171.  The framework is ideal for non-DoD manufacturers as well.

 

How Did NIST 800-171 Come About?

President Obama issued Executive Order (EO) 13556, Controlled Unclassified Information on November 4, 2010.  This Executive Order laid the groundwork for NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”  The ultimate intent of this publication is to protect the entire Department of Defense (DoD) supply chain from end to end, as well as those of NASA and the federal Department of Transportation.

As of December 2015, DFARS (Defense Federal Acquisition Regulation Supplement) 225.204-7012 required DoD contractors to implement NIST 800-171 “as soon as practical, but not later than December 31, 2017”.  This deadline is now almost 180 days passed, and many manufacturers are not complaint.  What is worse, is that many have not taken any steps to comply, putting their business at risk.

There are endless pages on the Internet trying to explain who is impacted by this, and many small manufacturers think they do not have to comply because they are sub-contractors, or they think they don’t hold any CUI.  However, the problem is that the big, multibillion dollar DoD prime contractors such as Lockheed and Northrup are not taking ANY chances with NIST 800-171 at all, because billions of dollars are at stake.

Here is the BLUF (Bottom Line Up Front): if you have a Commercial and Government Entity Code (CAGE Code), https://www.fsd.gov/fsd-gov/answer.do?sysparm_number=kb0011119 and you fall anywhere within the DoD (or NASA or DoT) supply chain (whether its materials or labor/knowledge), it is HIGHLY probable that you need to comply with NIST 800-171.  If you are still not sure, it would be best to discuss this with the COR (Contract Officer Representative) for the prime contract you fall under, and additionally seek legal counsel.  If your business does not comply with NIST 800-171, the prime contractors will, at some point, remove you from their list of suppliers.

Sadly, it is well known in the InfoSec community that 800-171 is going to convert countless formerly thriving small businesses into corpses, when they choose not to comply and then lose their contracts.

 

What is NIST 800-171?

NIST 800-171 is a cyber security framework which prescribes 110 controls over 14 sections.  These sections are:  Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.  The framework can be found here:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf

The good news is that NIST 800-171 was designed with the needs of small and mid-sized manufacturers in mind.  Like ISO 9000, NIST implementation will improve the valuation of your business.  Also like ISO 9000, in a few years’ time the marketplace will simply expect manufacturers (whether they are DoD or not) to have a cyber security program of some kind. The NIST standards are very highly regarded in the cyber security community.  If you are a manufacturer and are concerned about cyber security, there is no need to reinvent the wheel; the DoD has invented it for you – follow NIST 800-171.

While compliance isn’t easy and must be done organizationally top-down, it is manageable for most companies, even very small ones.  Many manufacturers, even those with in house IT staff, will choose to bring in cyber security experts to help them comply.  There are two basic portions of compliance – gap analysis, and remediation.

During the gap analysis phase, the needed documentation including the SSP (System Security Plan) and the POA&M (Plan of Action and Milestones) will be created.  The SSP is a high-level description of your network, and how you are meeting the 110 controls.  The POA&M is a progressive plan to implement unmet controls over a period of time. For small manufacturers having a few dozen employees and a small vanilla network, this should cost eight to ten thousand dollars.

The remediation phase however, is another story and can vary wildly.  For example, if you don’t have any physical security or have network equipment from Best Buy, remediation can get expensive.

Every federal government contractor or subcontractor was supposed to comply with NIST 800-171 by December 31st, 2017.  If you have not started on your compliance efforts, do not wait any longer – not only will it help you avoid losing contracts, doing so will also go a long way toward reducing your business risks.

 

 

Previously, McNew has discussed the NIST 800-171 compliance framework, along with cyber security threats to U.S. manufacturing, in an interview with Manufacturing Talk Radio.

 

To have one of our NIST compliance experts contact you with a free consultation, please fill out the form below.

 

Back To Top