Cybersecurity Requirements Raising the Stakes for Manufacturers

Guest blog post by Elliot Forsyth, Vice President of Business Operations at the Michigan Manufacturing Technology Center (The Center). 

Cybersecurity is paramount to our nation’s safety and our military’s viability. Having a sustainable plan in place to combat cyber threats also is critical to the survival of a small business because just one cyber-attack can be catastrophic. The following statistics underscore the severity of the issue:

As a result, government agencies are formalizing and instituting cybersecurity requirements for their contractors. Specifically, the Department of Defense (DoD), General Services Administration (GSA) and NASA require contractors to meet minimum security requirements detailed by the National Institute of Standards and Technology (NIST) in Special Publication 800-171 by December 31, 2017—or risk losing federal contracts.

In Michigan, home to more than 2,100 DoD contractors, the Michigan Manufacturing Technology Center (The Center) has launched an educational campaign for small to mid-sized manufacturers to inform them about the need to combat cybersecurity threats and how to comply with the NIST standards that encompass 14 areas:

  • Access Control
  • Awareness & Training
  • Audit & Accountability
  • Configuration Management
  • Identification & Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System & Communications Protection
  • System and Information Integrity

These requirements expand on initiatives that originated in 2009 when Congress began adding more information security requirements in the National Defense Authorization Act, and NIST started producing several iterations of cybersecurity standards. The DoD has implemented these measures through the Defense Federal Acquisition Regulation Supplement (DFARS), a component of the Federal Acquisition Regulations system that governs the process for acquiring goods and services.

NIST MEP’s Pat Toth speaks at a recent informational session on cybersecurity at The Center.
Today there are new standards for companies handling “Controlled Unclassified Information” or CUI, data that can be considered government-proprietary. It is information the government wants held secure, but is not vital to national security. DFARS now is implementing cybersecurity requirements on contractors handling CUI—a far broader set of companies than those doing classified work.

Implementing proper cybersecurity plans can be a daunting task—especially when time sensitivity is a concern. Many facets of the NIST requirements, including the need for data encryption and multifactor authentication, typically are not found in an everyday manufacturing environment. Why? Small to mid-sized manufacturers typically don’t have the internal IT resources and sizable budgets large enterprises may possess.

A NIST MEP affiliate, The Center is committed to providing cost-effective solutions that enable Michigan manufacturers to work smarter, to compete and to prosper. This mission led to the introduction of a four-step cybersecurity program to meet the requirements mandated in NIST Special Publication 800-171, which was part of a recent informational session hosted by The Center. Highlighting the meeting was special guest Pat Toth, the NIST MEP cybersecurity expert who was involved with the development of the NIST standards.

Toth informed nearly 80 manufacturers about the need for the standards and explained why cybersecurity is more than just a manufacturing issue—it’s an ongoing safety issue. She outlined tactics for guarding CUI and warned attendees about common cyber dangers including spoofing, snooping, social engineering, ransomware and more. Following her presentation, she led a Q & A discussion with the manufacturers.

Understanding the wide range of ongoing complex cyber threats remains a challenge, yet it is no longer optional. In our increasingly connected digital world, cybersecurity will continue to grow in importance and complying with NIST 800-171 could well become part of standard operating procedures.

About the author

Elliot Forsyth

Elliot Forsyth is Vice President of Business Operations at the Michigan Manufacturing Technology Center (The Center). He joined the organization in July 2014 and is responsible for leading strategy...

Comments

Per my publication in the NIST RIF, in October 2014, it will not be a cost-effective approach for SMEs to use NIST CSF unless the SMEs have transformed their system-of-systems into Net-Centric Operations and Supply Chains. Please see, Integrated Activity-Based Simulation Research, Inc. RFI in the link below: csrc.nist.gov/cyberframework/rfi_comments_10_2014.html

Deadline is getting close, hopefully everyone is ready on time.
