Results of the AIA Membership Survey: DFARS Cyber Security Compliance
AEROSPACE INDUSTRIES ASSOCIATION, The Voice of American Aerospace & Defense
National Security Policy Division

Posted on 29-Jul-2020

Overview: Cyber Security Survey (NIST SP 800-171 R1)

AIA recently released a survey to its members to assess their end-of-year 2017 readiness for DFARS cyber security compliance.

• Intended to formulate an AIA advocacy position and to communicate the challenges of industry compliance to senior DOD officials.

Findings:

• Industry compliance is incomplete.
• Wide range of responses, from ‘fully compliant’ to ‘not compliant’.
• Tier 1 primes are in better shape than the rest of the supply chain and are spending the most.
• Tiers 2-4 get progressively further behind in the number of controls left to implement.
• Data indicate a correlation between the number of controls yet to implement and the cost to comply.
• Results also indicate that companies are finding additional controls difficult to implement.
• MFA and FIPS-validated encryption controls are shown as the costliest and hardest to implement.

Ongoing Actions:

• Results highlighted that 3rd-party tools are being used effectively to aid in preparing for compliance.
• AIA is working to develop ‘how to’ guides and best practices.
• AIA has an active Cyber Security Committee, and AIA’s Supplier Management Council has a Cyber Security Working Group centered on lower-tier members and assistance with compliance.
• Industry remains engaged with the DOD through: (1) DIB CS/IA meetings, (2) internal AIA meetings, forums, panels and discussions, (3) letters, and (4) dissemination of an initial awareness package for the AIA supply chain.

Details: Cyber Security Survey

Survey Responses By AIA Tiers

Tier   Revenue        # of Responses
1      $7B+           15
2      $1B - $7B      12
3      $100M - $1B    10
4      <$100M         26

Average Controls Yet To Implement & Approximate Implementation & Maintenance (Mx) Costs

Tier   Avg. Controls   Approx. Cost
1      10              ~$2M
2      43              ~$1M
3      37              ~$750K
4      47              <$250K

Do You Have A Get-Well Plan For Unimplemented Controls?

Tier   Yes      No       N/A
1      80.0%    0.0%     20.0%
2      83.3%    8.3%     8.3%
3      70.0%    20.0%    10.0%
4      76.9%    19.2%    3.8%

Submittal To DOD CIO For Approval Of ‘Alternative Yet Equally Effective Measures’

Tier   # Submitted   # Approved
1      2             0
2      0             0
3      0             0
4      1             0

Have You Changed Your Business Mix Due To The Cyber Requirement?

Tier   Yes      No       N/A
1      0.0%     86.7%    13.3%
2      0.0%     83.3%    16.7%
3      0.0%     0.0%     0.0%
4      3.8%     96.2%    0.0%

Have You Considered Exiting The DOD Market Due To The Cyber Requirement?

Tier   Yes      No       N/A
1      20.0%    60.0%    20.0%
2      8.3%     83.3%    8.3%
3      0.0%     0.0%     0.0%
4      11.5%    80.8%    3.8%

3rd Party Tools: Cyber Security Survey

• CSET
• Archer Database
• CIS Configuration Assessment Tool (CIS-CAT)
• Exostar
• SCM, Zscaler, Carbon Black, Sophos
• AlienVault Unified Security Management
• Nexpose, CIS Benchmarks
• SANS “Top 20” CSC and ISO 27002 Framework
• Splunk, Microsoft System Center
• DarkTrace and BeyondTrust
• FPA Technology Services, Inc.

Top 5+1 Controls: Cyber Security Survey

The slide carries two ranked tables, headed “Top 5+1 Hardest Controls” and “Top 5+1 Costliest Controls” in that order; the two tables below are given in the same order. Rank numbers appear only where the slide attaches them to a row (the slide’s remaining rank markers, 5 and +1 for the first table and 4 and +1 for the second, are not attached to any row). Control numbers and descriptions are those of NIST SP 800-171 R1.

Top 5+1 Hardest Controls

#    Control    Control Description
1    3.5.3      Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
2    3.13.11    Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
3    3.4.8      Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
4    3.4.1      Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
     3.13.16    Protect the confidentiality of CUI at rest.
     3.3.5      Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
     3.1.21     Limit use of organizational portable storage devices on external systems.
     3.3.1      Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.
     3.7.5      Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
     3.11.1     Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

Top 5+1 Costliest Controls

#    Control    Control Description
1    3.5.3      Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
2    3.13.11    Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
3    3.4.8      Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
     3.3.1      Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.
     3.6.1      Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
     3.1.19     Encrypt CUI on mobile devices and mobile computing platforms.
5    3.3.5      Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
     3.1.3      Control the flow of CUI in accordance with approved authorizations.
     3.7.5      Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
     3.8.6      Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
     3.13.16    Protect the confidentiality of CUI at rest.

AIA Position: MFA 3.5.3 – A&D should support MFA for remote access & internet-facing networks.

Member Comments: Cyber Security Survey

These are individual AIA member company comments and do not reflect the position of AIA.

• We welcome the security requirements.
• We generally concur with AIA’s stated positions/concerns regarding DFAR cyber security control mandates and associated implementation challenges.
• We don’t know how to comply or who can help us.
• Primarily we work for the supply chain (foundries, machine shops) of the primes, and have not yet been told about needing compliance.
• Clause should clearly state the Government will identify specifically what is CDI on a contract. PCOs seem to be looking for contractors to identify the CDI.
• The FIPS-certified crypto requirement provides virtually no benefit compared to commercial-grade crypto yet imposes a significant burden. The same applies to the MFA requirement.
• Additional time, a phased approach, and assistance to achieve compliance would be beneficial.
• Requirements are not clear with regard to expected solutions as well as what meets the criteria for CUI.


• The topic of CUI is a costly burden to industry. Our company strives to find a balance between being secure, productive, and competitive. The controls in NIST SP 800-171 are designed to cover security at the lowest common denominator due to proliferation of cloud environments employed in industry. These blanket guidelines should not apply to companies like ours who exclusively keep all data on-site where there is inherently more security as opposed to the cloud.

• More clarity and substantive information is needed from the government to support Industry's DFARS compliance.

• DFARS cybersecurity requirements require pervasive changes and investments that negatively affect our overall cost basis as a diversified industrial manufacturer.

• This is burdensome & expensive for small business. I sincerely doubt most small businesses will truly comply due to insufficient resources to build & maintain the systems required.

• DoD should offer assistance to small businesses trying to meet the DFAR requirement. It is very costly, and a significant investment for a small business to comply.
