Last Updated on March 29, 2021
Because they often deal with the US federal government, regulatory compliance has been a perennial concern for Aerospace firms. But now, thanks to the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) rollout and the new DFARS interim rule, the need to comply with cybersecurity requirements has gone from “checking the box” to way outside the box.
According to John Virgolino, Founder and CEO of nationwide ISP Consul-vation and our guest on a recent episode of The Virtual CISO Podcast, many Aerospace SMBs are still lagging on security and need to run to catch up.
What are the key changes Aerospace companies must make to stay in the hunt for government contracts?
John points out that right now the biggest security/compliance concern—by far—for Aerospace SMBs is to log a rigorous and accurate self-attestation of their NIST 800-171 compliance posture in the government’s Supplier Performance Risk System (SPRS) database. “You need to go through each of the 110 clauses to determine current compliance status, and then create Plans of Action and Milestones (POA&Ms) for getting your controls to the next level,” John states.
Posting a score in SPRS is a prerequisite for consideration for future DoD contracts. A higher score is obviously better, but a lower score is much better than no score.
What about CMMC compliance?
Any steps you take now to comply with NIST 800-171 will directly benefit your CMMC compliance posture. But as John notes, “With a CMMC audit possibly a few years away, the implementation [of CMMC controls] is a much longer-term focused project.”
What technology upgrades is John emphasizing to move his Aerospace clients towards compliance? “We’re prioritizing larger-scale items in NIST 800-171 like two-factor authentication—things we can implement fairly easily and quickly without huge expense,” explains John. “Smaller, more complex stuff gets pushed down.”
In environments where rolling out 2FA is more involved, John recommends targeting privileged users first, such as admins. “Learn from that and then roll it out to all your users,” John advises.
Another weak spot for many of John’s Aerospace clients is “the perimeter.” “You’d be amazed how many organizations rely on just the router that their ISP gives them,” observes John.
If you’re in Aerospace & Defense and need to understand practical solutions to your security, compliance and technology challenges, you’ll get a lot from this show with John Virgolino.