March 31, 2021

Last Updated on January 14, 2024

Aerospace businesses must meet new cyber compliance guidelines specified in the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) framework, as well as the DFARS clauses now appearing in new and modified contracts. One of the most significant—and most misinterpreted—is the mandate to “flow down” cyber compliance requirements to your subcontractors/vendors.

What is the correct interpretation of the flowdown requirement? Where exactly is it specified? What vendors does it apply or not apply to? Do all vendors need to submit scores to SPRS? What cyber maturity level do vendors need to meet? What if a vendor says they don’t have any Controlled Unclassified Information (CUI)?

To answer these and other questions about flowdown, we talked with John Virgolino, Founder and CEO of nationwide ISP Consul-vation, on a recent episode of The Virtual CISO Podcast.

A basic interpretation of the flowdown directive as specified in DFARS 7020 is that Aerospace firms must “… ensure that applicable subcontractors also have the results of a current Assessment posted in SPRS prior to awarding a subcontract or other contractual instruments.”

In other words, your subcontractors all need to comply with NIST 800-171, or at least be headed in that direction. They must also move quickly to self-attest to their current compliance posture in SPRS, and develop a System Security Plan and a Plan of Action & Milestones (POA&Ms) for achieving compliance.

But is the situation really that clear-cut? And where does that leave SMB Aerospace firms that are finding their own compliance scenario more than enough to deal with, let alone riding herd on vendors’ security postures?

“If [Aerospace SMBs] were confused about getting compliant themselves, they are beyond confused about flowdown requirements,” jokes John. “It’s so unclear what their responsibility is. They’re relegated to essentially copying what their upstream partners are doing to them. Which is putting together a letter that explains, ‘OK, this is the DFARS 7020 clause that applies to you. You are downstream; you need to get to this cybersecurity level. Go figure it out.’”

It’s an open question how Aerospace SMBs can continue to meet contract obligations if they’re held accountable for pushing security requirements downstream to potentially dozens of subcontractors that are largely also SMBs—especially when many of those vendors will find full compliance with NIST 800-171 or CMMC Level 3 completely beyond their means.

“It’s not confusing what they need to do—what’s confusing is how to do it,” clarifies podcast host John Verry, Pivot Point Security’s CISO and Managing Partner. “If your contract specifies DFARS 7020, your vendors have to have a score in SPRS. That’s simple. The problem is these orgs won’t have the wherewithal to either calculate that score or get it to a certain level. And if they don’t get that score to a certain level, can you still continue to work with them?”

What can you do if you need to work with a vendor that’s struggling with cyber requirements? It may come down to what kinds of information you’re exchanging with them.

“It’s tough…” John Virgolino acknowledges. “And this is also where that CUI question comes in. Which is, ‘I’m just sending this out to get coded. We’re not giving the vendor any diagrams. We’re literally just giving them the parts, and they’re coding them and sending them back. Do they have to do this?’”

“At a minimum, they’re probably going to have to be CMMC Level 1 compliant,” continues John Virgolino. “But that’s not bank-breaking. That’s actually just basic stuff.”

Arguably if you’re not able to put that “basic cyber hygiene” level of security in place, you shouldn’t be working on defense contracts.

“It really is the new state of warfare, right?” asserts John Virgolino. “North Korea is going after us from a cyber standpoint, and they’re looking for that weakest point. And that’s going to be the guy who’s coding whatever you’re sending them, who doesn’t have a firewall in place.”

“It’s that simple. And that’s why we’re doing all of this,” John Virgolino stresses.

What’s Next?

Concerned about Aerospace & Defense security, compliance and technology issues? Then you’ll definitely want to catch this podcast with John Virgolino, CEO at Consul-vation.

To listen to the show, click here. If you don’t use Apple Podcasts, you can access all of our cybersecurity podcast episodes here.