Cybersecurity Requirements Looming For Michigan Manufacturers – Defense Department Requirements Take Effect This Year

PLYMOUTH – Cybersecurity guidelines required by the Department of Defense are likely to have an enormous impact on the 800 Michigan manufacturers that received a DoD contract in 2016. By December 31, 2017, all DoD contractors (including small businesses) must meet minimum cybersecurity requirements or risk losing DoD business. Alarmingly, most manufacturers aren’t even aware of the looming deadline or what they must do to comply.

“As we talk to small and medium-size manufacturers across the state, very few have heard of the DoD’s cybersecurity regulations,” said Elliot Forsyth, Vice President of Business Operations at the Michigan Manufacturing Technology Center. “Time is going to become a major factor, as these companies will need to complete an information security assessment, remediate any issues, and establish a plan for monitoring and reporting—all before the end of the year. Also a factor is the scope of the regulations that are far beyond the basics like having a firewall,” Forsyth said. “Many of these requirements, such as data encryption and multifactor authentication, simply are not found in an everyday manufacturing environment.”

The standards are outlined in a publication from the National Institute of Standards and Technology (NIST) and fall into 14 areas with specific security requirements that must be implemented as documented in “NIST Special Publication 800-171.” The categories include:

·         Access Control

·         Awareness & Training

·         Audit & Accountability

·         Configuration Management

·         Identification & Authentication

·         Incident Response

·         Maintenance

·         Media Protection

·         Personnel Security

·         Physical Protection

·         Risk Assessment

·         Security Assessment

·         System & Communications Protection

·         Systems & Information Integrity

“As the NIST affiliate in Michigan as part of the Manufacturing Extension Partnership (MEP) program, The Center is very familiar with the requirements,” said Forsyth. “We have assembled a team of cybersecurity experts to offer a comprehensive process that encompasses four steps:  discovery, remediation, test and validate, and monitoring/reporting. After an initial assessment, the team then tailors a plan specifically for each client’s internal capabilities, budget and time sensitivity.”

Failure to comply with these cybersecurity standards could have an enormous impact on manufacturers across the state. Consider the size and scope of defense-related business in Michigan:

·         Total employment of nearly 100,000.

·         Michigan’s Defense Sector produces $9 billion in products and services annually.

·         Nearly $2.5 billion in defense-related prime contracts were performed in the state (2014).

·         70 percent of everything a soldier shoots, drives, flies, wears, eats, or communicates with has a component that is contracted in Michigan.

Increasing the potential impact on manufacturers is the fact that the General Services Administration (GSA) and NASA also have similar cybersecurity requirements that must be met by the end of this year. The number of manufacturers potentially affected swells to more than 2,100 when taking into account contracts with those two federal agencies.

“There is no question that cybersecurity is a focal point for the Department of Defense and all major industries,” said Jennifer Tisdale, Cyber Mobility Program Manager for the Michigan Economic Development Corporation (MEDC). “With an increasingly complex and interconnected industrial base, safe-guarding manufacturing supply chains is becoming more important than ever.

“Manufacturing is the largest sector of the Michigan economy, representing more than 21 percent of the gross state product,” said Tisdale. “Additionally, there are 11,400 manufacturers in Michigan, which is nearly one of every 20 manufacturing companies in America, and they employ 14 percent of our workforce.

“There is an incredible wave of innovation and evolution sweeping the manufacturing industry, and it’s being powered by technology and connectivity,” said Forsyth. “With these advances, there must be an increased focus on information security, as there are tremendous competitive advantages that come with such new developments, but there are also additional areas of responsibility and concern that can be far-reaching.

“As much as this is manufacturing issue, it really is more than that,” added Forsyth. “Cybersecurity is paramount to our nation’s security and our military’s viability.”

Forsyth is leading The Center’s new cybersecurity practice area, which provides information security assessment, remediation and regulatory compliance. The Center’s cybersecurity practice area adds to the in-depth consulting services for clients, including Growth Services, Operational Excellence (including Quality Systems, Lean and Six Sigma), Leadership Development, Skill Development, Accelerating Technology, Research Services, and Food Processing.

The Center will host an informational session for area manufacturers on Tuesday, February 14, from 8:30am to 11:30am. The event will include special guests from NIST who were directly involved with documenting the cybersecurity requirements. For more information and to register, interested businesses can visit:  http://www.the-center.org/Events/EXPLORE-Cybersecurity-Compliance

 To view a letter from the DoD’s Office of Small Business Programs, click:

http://www.acq.osd.mil/osbp/docs/Cybersecurity_04272016.pdf

The full NIST Special Publication is available here:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf