Last Updated on June 29, 2021
Aerospace companies with government contracts are increasingly focused on information security compliance. Many face a short-term requirement to self-assess their compliance with NIST 800-171, per the new DFARS 7020 clause that is now appearing in new and modified government contracts.
Then there’s the longer-term need for firms that handle Controlled Unclassified Information (CUI) to pass a third-party audit against the Cybersecurity Maturity Model Certification (CMMC) standard at CMMC Level 3.
NIST 800-171 and CMMC Level 3 are very similar frameworks, and achieving compliance with either one demonstrates a robust security posture. Is there any need for firms in the Aerospace & Defense industry to go “beyond” this level of attestation?
What about compliance with ISO 27001, the international “gold standard” for cybersecurity? Or obtaining a positive SOC 2 report?
This subject came up on a recent episode of The Virtual CISO Podcast featuring John Virgolino, Founder and CEO of nationwide ISP Consul-vation. Hosting the episode as always is John Verry, Pivot Point Security’s CISO and Managing Partner.
“Do Aerospace firms have clients with multiple, disparate requirements?” John Verry asks. “Like, Boeing or Raytheon are saying, ‘Give me NIST 800-171.’ And Ford is asking them for ISO 27001, or something equivalent?”
According to John Virgolino, few of the clients he works with have a business driver for ISO 27001 certification or a SOC 2 report—even those that have both government and non-government clients.
“Getting to NIST 800-171 compliance lets you say to non-government organizations, ‘Here is our security posture, it follows this standard and that is good enough for the Department of Defense and for the US government. Is there really anything else that you’re looking for?’” John Virgolino shares.
What about Aerospace & Defense companies that don’t have government contracts and have mostly private sector customers?
“They’re like any other business,” notes John Virgolino. “They’re either going to be thinking about [security attestation] and consider it to be something that’s important for their business, and are going to look into how to invest. And there are a lot of models for implementing security out there. So you can do basic stuff, and be able to say that you’re security conscious. Or you can go all the way to something like NIST 800-171. Or beyond, and get an ISO 27001 certification. [The choice] varies based on the type of business, really.”
“I agree with what you said about, if you implemented NIST 800-171, that’s pretty similar to ISO 27001 or SOC 2—or any good framework,” replies John Verry. “Fundamentally, information security frameworks are the same: Understand what I’m protecting, understand what I’m protecting it against and what the risks are, implement controls proportional to risk, and validate that it actually works the way I said it does. That’s information security, fundamentally.”
“So it doesn’t really matter what standard [you implement],” John Verry continues. “But the problem with a NIST 800-171 environment is it’s self-attested. So if I’m the third party, I’m not accepting that. … I think that’s the flaw with NIST 800-171.
“In fact, that’s the reason why CMMC Level 3 exists, right? Because a lot of people said, ‘Yeah, yeah, I’ll get around to implementing [NIST 800-171]. Yeah, yeah, we’re doing that.’ And they weren’t.
“I think when CMMC Level 3 comes out, it’ll be very, very interesting, because I think the private sector companies or anyone in the defense industrial base (DIB) is going to say, ‘I’m not doing ISO 27001 on top of this, guys. You’re either going to accept this, or you’re not going to work with us.’ And I think people are going to accept it, because I think CMMC Level 3 is a pretty good level of security,” John Verry summarizes.
If you have a security- or compliance-related role within the Aerospace & Defense industry, put this podcast with John Virgolino on your must-listen list.