The Aerospace Industries Association has established a new, cybersecurity-centered "National Aerospace Standard," according to an AIA statement issued this morning.
"National Aerospace Standard NAS9924, 'Cyber Security Baseline' provides guidance that benefits the aerospace and defense suppliers of all capability levels by giving the supply chain a baseline of standard practices they can follow to better protect their information system infrastructures from cyber threats," the statement reads.
"We're very proud to announce this first National Aerospace Standard on cyber security," AIA President and CEO Marion Blakey said in the statement. "It will benefit the entire industry through education and increasing security throughout the supply chain. As our nation's leaders work to counter increasing cyber security challenges, industry looks forward to supporting their efforts and assuring we remain Second to None in the cyber domain as well as in aerospace."
According to AIA's abstract of the document (available for purchase on the AIA website):
The new standard provides information for companies to assess themselves on their information technology security practices and helps them determine their preparedness for cyber threat risk management for their customers while assessing the risks presented by their own suppliers.
Supply chain companies are important to the aerospace and defense industrial base. Suppliers may have unique capabilities that are vital to aerospace and defense programs.
Aerospace and defense companies have been dealing with the threat of cyber intrusion for the past several years. As companies have increased the security of their IT network defenses, the attackers are now being driven to softer targets where they may find some of the same type of data that they previously had sought from these companies. The adversary is also using the collaborative relationships between the aerospace and defense companies and their suppliers as a "back door" as the defenses get better. Companies further down the supply chain may not have had the opportunity or expertise necessary to fully prepare to defend their systems from these attackers, but the result of the increased defenses in the major suppliers is that the attacker may target their suppliers based on their vulnerabilities. This document was designed to be a supplier baseline so that suppliers know what kind of security they need to have if they want to do business with aerospace and defense companies.
The document, according to AIA, "provides basic information" that an aerospace/defense supplier can use to:
* assess themselves on their information technology security practices;
* determine their preparedness for cyber threat risk management for their customer; and
* assess the risks presented by their own suppliers.
Last Friday, InsideDefense.com reported that a senior Pentagon official has called on lawmakers to pass legislation to create and enforce standards for companies to strengthen their networks against cybersecurity attacks. Further:
"I believe that there has to be some aspect of best practices that Congress nudges the private sector to raise their game on this," Eric Rosenbach, the deputy assistant secretary of defense for cyber policy, said today at an Armed Forces Communications and Electronics Association cybersecurity symposium.
Rosenbach added that a lot of industry leaders still might not understand the magnitude of the threat or are not willing to put up the extra investment to protect their companies.
He noted the relative ease with which hackers can look for network vulnerabilities on the Internet. "There's someone out there who has been sloppy, probably inadvertently sloppy, but they're not doing what they should do to keep their kind of game high and have a good defensive posture," Rosenbach said.
Additionally, Inside the Pentagon reported last week that while the Department of Homeland Security has the lead in securing critical U.S. infrastructure against cyber attacks, the administration is looking to the Defense Department to play a key though less prominent role in advancing the goals of an executive order recently signed by the president. ITP further reported:
DOD, the largest cabinet agency, is expected to bring to bear expertise in acquisition and information sharing -- skills deeply ingrained in day-to-day operations at the Pentagon, though sometimes with mixed results. Defense officials, together with the General Services Administration, have 120 days to craft a report on the role security standards would play in acquisition planning and contract administration.
The final version of the executive order, dated Feb. 12, no longer contains a passage from a widely circulated November 2012 version that instructed DOD to consider "changing the federal procurement process" to give preference for vendors meeting given cybersecurity standards. The omission touches on a discussion within the defense acquisition community where divvying up the supply chain into vendors meeting certain qualifications and those that do not has routinely occurred.
Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, says the practice would be difficult to apply for acquisitions related to critical infrastructure because monopolies -- for utilities, as an example -- are common in that market segment. "It's hard to get meaningful acquisition improvement in critical infrastructure without legislation," he said.