3 Ways for Manufacturers to Improve Supply Chain Cybersecurity
According to our 2019 State of Northeast Ohio Manufacturing Report, cybersecurity is a growing concern for manufacturers—and for good reason.
Supply chain attacks increased 78% between 2017 and 2018. That’s why the Department of Defense (DoD) is ramping up efforts to improve contractor compliance across its supply chain.
In fact, new language under the Defense Federal Acquisition Regulation Supplement (DFARS) requires contractors to comply with enhanced cybersecurity measures.
What Does This Mean for Manufacturers?
There are many manufacturing contractors and subcontractors in the DoD supply chain. If your manufacturing company has won a contract with the DoD, there’s a set list of clauses you’re expected to follow.
Take DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” for example. This clause requires contractors and subcontractors to provide adequate security to safeguard Covered Defense Information (CDI) that resides on or is transiting through a contractor’s internal information system or network.
In response to this clause, the U.S. Government stated that they couldn’t afford to have sensitive information inadequately secured by contractors. Therefore, they will be reviewing contractor risk management practices to adequately test, hunt, censor, and respond to incidents on contractor systems.
Thus, manufacturers must take the following actions to improve cybersecurity across the supply chain.
1. Provide Adequate Security
Electronic transfer of information through the supply chain is standard. However, it gives hackers another attack path for obtaining information. To provide adequate security, manufacturers, and the contractors they communicate with in the supply chain, must safeguard CDI.
CDI generally refers to unclassified information that is collected, developed, received, stored, transmitted, or used on behalf of a contractor. This includes information that requires dissemination controls, such as:
- Catalog-item identifications
- Data sets
- Engineering drawings
- Manuals
- Process sheets
- Source code
- Specifications
- Standards
- Technical reports
To identify CDI in your government-supplied documents, look for information marked with control designation letters B through F, ITAR designation, or Export Control designation.
2. Report Cyber Incidents
Supply chains operate more efficiently when data is shared between stakeholders, as it enables deeper communication. This hyper-connectivity, however, exposes the whole digital supply chain to the risk of data hacks.
For instance, hackers can tamper with manufacturing companies’ systems in the following ways:
- Attackers with physical access to the hardware introduce a new device that transmits falsified data into the monitoring service.
- Attackers compromise or modify the central store of monitoring data using an attack vector such as malware.
To secure DoD supply chains, manufacturers are required to report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support.
Additionally, manufacturers must submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
3. Disseminate the Clause in Subcontracts that Involve CDI
Finally, contractors must flow down the clause in subcontracts that involve CDI.
So, even if a manufacturer has a comprehensive cybersecurity strategy in place, it must also include the DFARS 252.204-7012 clause in any contract with a supplier that involves the use of CDI.
To prevent data theft, manufacturers must vet business partners carefully and conduct regular security audits to ensure they’re keeping any shared data safe.
After all, a cybersecurity attack within the supply chain can destroy a manufacturer’s key assets, derailing profits in the process.
Make Cybersecurity a Priority at Your Manufacturing Company
MAGNET’s cybersecurity experts offer formal cybersecurity threat assessments to help you identify vulnerabilities and keep your company safe from hackers. As a result, you can prevent cyber attacks on your company’s key infrastructure. To protect your company, the experts at MAGNET can help.