March 30, 2021

Last Updated on January 4, 2024

Aerospace companies are facing new, business-critical compliance challenges due to the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) rollout and the new DFARS interim rule. Requirements that may have been treated “informally” in the past are now front-and-center.

If your business hasn’t put significant focus on cybersecurity prior to now, you may be wondering where to begin and how best to proceed—especially around the new rule to self-score your compliance with the NIST 800-171 cyber standard and enter that (possibly very low!) number into the government’s Supplier Performance Risk System (SPRS) database ASAP.

To talk about the key information security and compliance challenges that Aerospace firms are currently facing, including SPRS scores he’s seeing with companies like yours, we hosted John Virgolino, Founder and CEO of nationwide ISP Consul-vation, on a recent episode of The Virtual CISO Podcast.

John acknowledges that a high percentage of his Aerospace SMB clients are entering low or even negative compliance scores going into SPRS. Most are in the +50 to -50 range, where +110 is highest score possible.

So if you wind up in that same boat, all is not lost! The government is in some sense “grading on a curve,” because many of your competitors are also entering low scores.

Why are SMB Aerospace firms collectively behind the cyber compliance 8-ball? “A huge factor is when they started [addressing security],” comments John. “So many companies literally started two months ago. There’s absolutely no way that you’re implementing 110 rules and regulations [in NIST 800-171] in a month or two.”

Indeed, it’s not just policies and procedures that you’ll need to put in place, but also new technology. That means due diligence and planning. Say you discover you need logging or a SIEM solution. You’ll need to identify your requirements, including cost parameters, and then research your choices in the marketplace. Having chosen a solution, you’ll need to line up a vendor or ISP to support you, and then plan and execute a rollout.

At that point, you might feel comfortable checking a box or two in SPRS. But a CMMC auditor will be looking for objective evidence of sustained operation of your controls. Who’s going to monitor your new SIEM? How will it tie into your incident response function? Assuming you even have an incident response program? And what about…?

All this is why John emphasizes that while your CMMC audit might be a few years away, you need to start getting ready now. That includes identifying the CMMC maturity level you need to achieve.

“I’m seeing a lot of questions,” John relates. “When you look at something as overwhelming as this could be to an organization, the natural inclination is to look for a loophole. ‘Can I get out of this somehow?’”

Are you creating CUI?

Many Aerospace SMBs want to believe that they don’t actually handle Controlled Unclassified Information (CUI), because CUI drives the mandate for CMMC Level 3.

John pantomimes: “’Our customer is telling us that we should probably do this. But we never see any CUI. What is CUI, anyway? Is that really CUI—and if it isn’t, cool! Then we don’t have to do this, right?!’”

Evaluating the paper and digital documents that flow through a company is a key part of John’s job. This includes not just what you receive, but also what you create and send out.

“Are you creating CUI? Because a lot of times it’s not just what you’re getting from your customer and that you’re participating in building,” John shares. “You may also be generating CUI as part of that process.”

Further, as podcast host John Verry, Pivot Point Security CISO and Managing Partner, points out, all CUI is not created equal—and this can suddenly become a huge compliance issue: “You need to talk to your contracting officer, or you need to talk to program managers from the primes or the agencies you’re working for. You need to go to whoever holds the legal paperwork and you need to look specifically at what’s in those contracts—because the data you’re working with might make you responsible not only for CMMC Level 3, but also additional regulations like NOFORN or ITAR.”

What’s Next?

Every company that does business with the US government needs to understand definitively all the regulations it is subject to before making technology decisions. Otherwise, you could invest considerable time and effort and still miss the mark on compliance.

If you’re looking for practical solutions to Aerospace & Defense security, compliance and technology challenges, definitely plan to listen to this podcast with John Virgolino, CEO at Consul-vation.

To hear the full episode, click here. If you don’t use Apple Podcasts, you’ll find all of our podcast episodes here.