Results Of The AIA Membership Survey: DFARS Cyber Security Compliance

Transcription

Results of the AIA Membership Survey: DFARS Cyber Security Compliance

AEROSPACE INDUSTRIES ASSOCIATION
The Voice of American Aerospace & Defense
National Security Policy Division

Overview: Cyber Security Survey

AIA recently released a survey to its members to assess their EOY2017 readiness for DFARS Cyber Security compliance. The survey is intended to formulate an AIA advocacy position and to communicate the challenges of industry compliance to senior DOD officials.

Findings: NIST SP 800-171 R1

Industry compliance is incomplete.
Wide range of responses, from 'fully compliant' to 'not compliant'.
Tier 1 primes are in better shape than the rest of the supply chain and are spending the most.
Tiers 2-4 get progressively further behind in the number of controls left to implement.
Data indicate a correlation between the number of controls yet to implement and the cost to comply.
Results also indicate that companies are finding additional controls difficult to implement.
MFA and FIPS-validated encryption controls are shown as the costliest and hardest to implement.

Ongoing Actions

Results highlighted that 3rd party tools are effectively being used to aid in preparing for compliance.
AIA is working to develop 'how to' guides and best practices.
AIA has an active Cyber Security Committee, and AIA's Supplier Management Council has a Cyber Security Working Group centered on lower-tier members and assistance with compliance.
Industry remains engaged with the DOD through: (1) DIB CS/IA meetings, (2) internal AIA meetings, forums, panels and discussions, (3) letters, and (4) dissemination of an initial awareness package for the AIA supply chain.

Details: Cyber Security Survey

Survey Responses By AIA Tiers (Tier / Revenue / # of Responses)
Tier 1 / > 7B / 15
Tier 2 / 1B - 7B / 12
Tier 3 / 100M - 1B / 10
Tier 4 / < 100M / 26

Submittal to DOD CIO For Approval Of 'Alternative Yet Equally Effective Measures' (Tier / # Submitted / # Approved)
Tier 1 / 2 / 0
Tier 2 / 0 / 0
Tier 3 / 0 / 0
Tier 4 / 1 / 0

Average Controls Yet To Implement & Approximate Implementation & Mx Costs (Tier / Avg. Controls / Approx. Cost)
Tier 1 / 10 / ~2M
Tier 2 / 43 / ~1M
Tier 3 / 37 / ~750K
Tier 4 / 47 / 250K

Have You Changed Your Business Mix Due To The Cyber Requirement? (Tier / Yes / No / N/A)
Tier 1 / 0.0% / 86.7% / 13.3%
Tier 2 / 0.0% / 83.3% / 16.7%
Tier 3 / 0.0% / 0.0% / 0.0%
Tier 4 / 3.8% / 96.2% / 0.0%

Do You Have A Get Well Plan For Unimplemented Controls?

Have You Considered Exiting The DOD Market Due To The Cyber Requirement?
3.8%

3rd Party Tools: Cyber Security Survey

CSET
Archer Database
CIS-Configuration Assessment Tool
Exostar
SCM, Zscaler, Carbon Black, Sophos
AlienVault Unified Security Management
Nexpose, CIS Benchmarks
SANS "Top 20" CSC and ISO 27002 Framework
Splunk, Microsoft System Center
DarkTrace and BeyondTrust
FPA Technology Services, Inc.

Top 5 Controls: Cyber Security Survey

Top 5 Hardest Controls (Control # / Control Description)
3.5.3 / Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
3.13.11 / Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
3.4.8 / Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
3.4.1 / Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.13.16 / Protect the confidentiality of CUI at rest.
3.3.5 / Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
3.1.21 / Limit use of organizational portable storage devices on external systems.
3.3.1 / Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.
3.7.5 / Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
3.11.1 / Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

Top 5 Costliest Controls (Control # / Control Description)
3.5.3 / Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
3.13.11 / Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
3.4.8 / Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
3.3.1 / Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.
3.6.1 / Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
3.1.19 / Encrypt CUI on mobile devices and mobile computing platforms.
3.3.5 / Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
3.1.3 / Control the flow of CUI in accordance with approved authorizations.
3.7.5 / Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
3.8.6 / Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
3.13.16 / Protect the confidentiality of CUI at rest.

AIA Position: MFA 3.5.3 – A&D should support MFA for remote access and internet-facing networks.

Member Comments: Cyber Security Survey

We welcome the security requirements.

We generally concur with AIA's stated positions/concerns regarding DFAR cybersecurity control mandates and associated implementation challenges.

We don't know how to comply or who can help us. Primarily we work for the supply chain (foundries, machine shops) of the primes, and have not yet been told about needing compliance.

Clause should clearly state the Government will identify specifically what is CDI on a contract. PCOs seem to be looking for contractors to identify the CDI.

The FIPS certified crypto requirement provides virtually no benefit compared to commercial grade crypto yet imposes a significant burden. The same applies to the MFA requirement.

Additional time, a phased approach, and assistance to achieve compliance would be beneficial.

Requirements are not clear with regards to expected solutions as well as what meets the criteria for CUI.

These are individual AIA member company comments and do not reflect the position of AIA.

Member Comments: Cyber Security Survey

The topic of CUI is a costly burden to industry. Our company strives to find a balance between being secure, productive, and competitive. The controls in NIST SP 800-171 are designed to cover security at the lowest common denominator due to proliferation of cloud environments employed in industry. These blanket guidelines should not apply to companies like ours who exclusively keep all data on-site where there is inherently more security as opposed to the cloud.

More clarity and substantive information is needed from the government to support Industry's DFARS compliance.

DFARS cybersecurity requirements require pervasive changes and investments that negatively affect our overall cost basis as a diversified industrial manufacturer.

This is burdensome & expensive for small business. I sincerely doubt most small businesses will truly comply due to insufficient resources to build & maintain the systems required.

DoD should offer assistance to small businesses trying to meet the DFAR requirement. It is very costly, and a significant investment for a small business to comply.

These are individual AIA member company comments and do not reflect the position of AIA.
