November 28, 2022
The US Department of Defense (DoD) collaborates with the high-tech manufacturing industry, which often consists of companies in the Defense Industrial Base (DIB), an extensive, multi-tiered global supply chain. Most DoD-focused manufacturing companies are tasked with extracting and refining primary materials, manufacturing components, and integrating sensitive defense mechanisms to support critical defense systems, such as satellites, advanced weapons, and communications technologies.
As a result of the mission-critical nature of DoD-focused manufacturing operations, cybersecurity attacks could directly impact US national security efforts. Therefore, DoD introduced an interim rule aimed at amending portions of the Defense Federal Acquisition Regulation Supplement (DFARS). This amendment allows the DoD to implement a risk-based approach to the Cybersecurity Maturity Model Certification (CMMC) framework to assess the cybersecurity risk posture of DoD-focused manufacturing companies.
This article explores how consistent security risk assessment helps critical manufacturing companies attain DFARS compliance and maintain a robust, risk-based security posture.
Brief description of the CMMC Interim Rule
The CMMC interim rule amends the DFARS for phased implementation of the DoD assessment methodology and the CMMC framework. The CMMC framework is a DoD certification process overseeing the implementation of cybersecurity processes and practices beyond NIST SP 800-171. Its goal is to close the gap between security and compliance for the DIB and provide a measurable improvement in the protection of unclassified information within the U.S. defense supply chain.
The interim rule specifies the policy and procedures for awarding a contract or exercising an option on a contract, including a requirement for a CMMC certification. There are five levels of CMMC certification. First, companies must demonstrate process institutionalization, maturity, and implementation of security controls or practices consistent with each CMMC level. Next, accredited CMMC Third Party Assessment Organizations assess organizations’ cybersecurity compliance. After that, the CMMC Accreditation Body will award the certificate for three years.
Security Risk Assessment Requirements Critical Manufacturing Companies Should Know
Security risk assessment is a comprehensive process of collecting information and applying operational processes to identify known and unknown risks, then working to mitigate them. This risk-based approach to cybersecurity helps companies in the defense manufacturing industry quickly identify critical assets, cyber threats, and vulnerabilities that could impact business continuity.
According to industry reports, manufacturing replaced financial services as the most attacked industry, with ransomware accounting for 23% of attacks. Given the consistent rise in cyberattacks targeting critical industries, including the US defense manufacturing sector, operating without a robust security risk assessment program amounts to negligence. Therefore, critical manufacturing companies must work with a trusted industry partner to conduct a robust security risk assessment, understand their current security posture, and identify high-risk areas.
Particulars of the Security Risk Assessment Process
The security risk assessment process for critical manufacturing companies that are partnered with the US DoD entails the following operations:
- Determine the scope of the security risk assessment: The first step is to identify all physical and logical assets and the relevant regulatory requirements. The scope also covers the risks that stakeholders pose to the organization’s cybersecurity posture, from hiring to termination. Determining the scope helps visualize the interconnectivity between assets, processes, and network entry points.
- Identify threats and vulnerabilities: Identifying vulnerabilities through automated scanning, auditing, penetration testing, vendor security advisories, and application security testing (AST) techniques helps rectify technical flaws. In addition, cybersecurity experts must also secure physical access to data by inspecting on-site servers, laptops, and other systems for vulnerabilities and unnecessary risks.
- Determine the potential impact and prioritize risks: Considering the discoverability, exploitability, and reproducibility of threats and vulnerabilities, the security risk assessment must identify how a threat could exploit each vulnerability and what the resulting impact would be. If any risk exceeds the agreed-upon tolerance level, the organization must avoid, transfer, or mitigate it to bring it within the risk tolerance level.
- Documentation: At the end of the security risk assessment, a detailed report recording all activities, a risk analysis, and a security roadmap is provided to the organization to help it understand its highest-risk areas and focus its efforts on taking fast action.
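The prioritization and tolerance steps above, as an added example that is not part of the original article: a small risk register is scored from the three threat attributes the article names (discoverability, exploitability, reproducibility) times impact, ranked, compared against a tolerance level, and each finding above tolerance is re-scored after a planned control to decide whether mitigation suffices or the risk must be escalated (avoided or transferred). The 1-to-5 scale, the scoring formula, the sample findings and the controls are all assumptions constructed for this example, not a DFARS- or CMMC-mandated method.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    # All factors are on an assumed 1 (lowest) to 5 (highest) scale.
    asset: str
    threat: str
    discoverability: int
    exploitability: int
    reproducibility: int
    impact: int

    def likelihood(self) -> float:
        # The article's three threat attributes, averaged into one likelihood factor.
        return (self.discoverability + self.exploitability + self.reproducibility) / 3

    def risk_score(self) -> float:
        return round(self.likelihood() * self.impact, 2)


def prioritize(findings, tolerance):
    """Rank findings by risk score (highest first) and flag those above tolerance."""
    ranked = sorted(findings, key=lambda f: f.risk_score(), reverse=True)
    return [(f, f.risk_score() > tolerance) for f in ranked]


def mitigate(finding, **reduced):
    """Model a control by lowering the named factors; no factor drops below 1."""
    lowered = {k: max(1, getattr(finding, k) - v) for k, v in reduced.items()}
    return replace(finding, **lowered)


def roadmap(findings, tolerance, controls):
    """Accept findings within tolerance; otherwise apply the planned control and
    report residual risk, escalating when mitigation alone is not enough."""
    report = []
    for f, exceeds in prioritize(findings, tolerance):
        residual = mitigate(f, **controls.get(f.asset, {})) if exceeds else f
        within = residual.risk_score() <= tolerance
        action = "accept" if not exceeds else ("mitigate" if within else "escalate (avoid/transfer)")
        report.append({"asset": f.asset, "score": f.risk_score(),
                       "residual": residual.risk_score(), "action": action})
    return report


# Constructed sample register, controls and tolerance (illustrative values only).
REGISTER = [
    Finding("CNC controller", "unpatched remote service", 4, 4, 5, 5),
    Finding("CAD file share", "weak access control on CUI", 3, 3, 4, 4),
    Finding("Visitor kiosk", "physical access to console", 2, 2, 2, 2),
]
CONTROLS = {"CNC controller": {"exploitability": 3, "discoverability": 2},
            "CAD file share": {"exploitability": 1, "discoverability": 2}}
TOLERANCE = 10.0

if __name__ == "__main__":
    for row in roadmap(REGISTER, TOLERANCE, CONTROLS):
        print(row)
```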
The defense manufacturing industry relies on a diverse network of private sector companies, R&D organizations, and more to develop technologies that enable the US military to maintain national security. However, the exchange of sensitive data across a highly distributed and complex supply chain exposes the suppliers to intellectual property theft. In addition, cyberattacks on critical manufacturing industries also cause substantial financial and reputational damage to defense contractors, disrupting supply chains and causing schedule overruns.
A security risk assessment is necessary for critical manufacturing companies to achieve DFARS compliance and meet the DFARS interim rule requirements. From identifying the location of vulnerable assets and scrutinizing critical processes to securing hardware and software, reputable security partners can help manage your security risk assessment needs and improve your corporate security posture.