Small Business Cyber Security Requirements – Ramping Up!
From the American Small Manufacturers Coalition, 24 July 2018. Cyber security requirements for all defense contractors will continue to be emphasized, but there may be some help on the way. But with “help” comes “oversight.” Be prepared. Cyber Security Symposium on 11 Oct in Chapel Hill.
Cybersecurity Language In NDAA
The text and report of the final conferenced National Defense Authorization Act of 2019 (HR 5515) were released yesterday. They include statutory and report language that enable the Department of Defense to work with NIST to improve US small manufacturers’ cybersecurity.
Although the language does not specifically mention the Manufacturing Extension Partnership (MEP), it is ASMC’s understanding that the intent of the Department of Defense and the Department of Commerce is to work with and through the MEP National Network to provide cybersecurity assistance to small manufacturers in the defense industrial supply chain. The House and Senate are expected to pass the final bill later this week.
HR 5515 Bill Language on PDF page 1296:
SEC. 1644. ASSISTANCE FOR SMALL MANUFACTURERS IN THE DEFENSE INDUSTRIAL SUPPLY CHAIN AND UNIVERSITIES ON MATTERS RELATING TO CYBERSECURITY.
(a) DISSEMINATION OF CYBERSECURITY RESOURCES.-
(1) IN GENERAL.-The Secretary of Defense, in consultation with the Director of the National Institute of Standards and Technology, shall take such actions as may be necessary to enhance awareness of cybersecurity threats among small manufacturers and universities working on Department of Defense programs and activities.
(2) PRIORITY.-The Secretary of Defense shall prioritize efforts to increase awareness to help reduce cybersecurity risks faced by small manufacturers and universities referred to in paragraph (1).
(3) SECTOR FOCUS.-The Secretary of Defense shall carry out this subsection with a focus on such small manufacturers and universities as the Secretary considers critical.
(4) OUTREACH EVENTS.-Under paragraph (1), the Secretary of Defense shall conduct outreach to support activities consistent with this section. Such outreach may include live events with a physical presence and outreach conducted through Internet websites. Such outreach may include training, including via courses and classes, to help small manufacturers and universities improve their cybersecurity.
(5) ROADMAPS AND ASSESSMENTS.-The Secretary of Defense shall ensure that cybersecurity for defense industrial base manufacturing is included in appropriate research and development roadmaps and threat assessments.
(b) VOLUNTARY CYBERSECURITY SELF-ASSESSMENTS.-The Secretary of Defense shall develop mechanisms to provide assistance to help small manufacturers and universities conduct voluntary self-assessments in order to understand operating environments, cybersecurity requirements, and existing vulnerabilities, including through the Mentor Protégé Program, small business programs, and engagements with defense laboratories and test ranges.
(c) TRANSFER OF RESEARCH FINDINGS AND EXPERTISE.-
(1) IN GENERAL.-The Secretary of Defense shall promote the transfer of appropriate technology, threat information, and cybersecurity techniques developed in the Department of Defense to small manufacturers and universities throughout the United States to implement security measures that are adequate to protect covered defense information, including controlled unclassified information.
(2) COORDINATION WITH OTHER FEDERAL EXPERTISE AND CAPABILITIES.-The Secretary of Defense shall coordinate efforts, when appropriate, with the expertise and capabilities that exist in Federal agencies and federally sponsored laboratories.
(3) AGREEMENTS.-In carrying out this subsection, the Secretary of Defense may enter into agreements with private industry, institutes of higher education, or a State, United States territory, local, or tribal government to ensure breadth and depth of coverage to the United States defense industrial base and to leverage resources. (Potential Business Opportunities??)
(d) DEFENSE ACQUISITION WORKFORCE CYBER TRAINING PROGRAM.-The Secretary of Defense shall establish a cyber counseling certification program, or approve a similar existing program, to certify small business professionals and other relevant acquisition staff within the Department of Defense to provide cyber planning assistance to small manufacturers and universities.
(e) ESTABLISHMENT OF CYBERSECURITY FOR DEFENSE INDUSTRIAL BASE MANUFACTURING ACTIVITY.-
(1) AUTHORITY.-The Secretary of Defense may establish an activity to assess and strengthen the cybersecurity resiliency of the defense industrial base, if the Secretary determines such is appropriate.
(2) DESIGNATION.-The activity described in paragraph (1), if established, shall be known as the “Cybersecurity for Defense Industrial Base Manufacturing Activity”.
(3) SPECIFICATION.-The Cybersecurity for Defense Industrial Base Manufacturing Activity, if established, shall implement the requirements specified in subsections (a) through (c).
(f) AUTHORITIES.-In carrying out this section, the Secretary may use the following authorities:
(1) The Manufacturing Technology Program established under section 2521 of title 10, United States Code.
(2) The Centers for Science, Technology, and Engineering Partnership program under section 2368 of title 10, United States Code.
(3) The Manufacturing Engineering Education Program established under section 2196 of title 10, United States Code.
(4) The Small Business Innovation Research program.
(5) The mentor-protégé program.
(6) Other legal authorities as the Secretary determines necessary to effectively and efficiently carry out this section.
(g) DEFINITIONS.-In this section:
(1) RESOURCES.-The term “resources” means guidelines, tools, best practices, standards, methodologies, and other ways of providing information.
(2) SMALL BUSINESS CONCERN.-The term “small business concern” means a small business concern as that term is used in section 3 of the Small Business Act (15 U.S.C. 632).
(3) SMALL MANUFACTURER.-The term “small manufacturer” means a small business concern that is a manufacturer in the defense industrial supply chain.
(4) STATE.-The term “State” means each of the several States, Territories, and possessions of the United States, the District of Columbia, and the Commonwealth of Puerto Rico.
NDAA Conference Report Language:
Assistance for small manufacturers in the defense industrial supply chain and universities on matters relating to cybersecurity (sec. 1644)
The Senate amendment contained a provision (sec. 1626) that would require the Secretary of Defense, acting through the Chief Information Officer and Under Secretary of Defense for Research and Engineering, to improve awareness of cybersecurity threats among small- and medium-sized manufacturers in the defense industrial supply chain, including via: the development of cybersecurity self-assessments to enhance firms’ understanding of network vulnerabilities and the Department’s cybersecurity standards; the transfer of appropriate cybersecurity technology and techniques developed in the Department of Defense to these businesses; and the establishment of a cyber counseling certification program.
The House bill contained no similar provision.
The House recedes with an amendment that would require the Secretary of Defense, acting through the Chief Information Officer and Under Secretary of Defense for Research and Engineering, to improve awareness of cybersecurity threats among universities, in addition to small- and medium-sized manufacturers, in the defense industrial supply chain and to establish a broader cybersecurity activity for the defense industrial base as needed.
The NC Military Business Center, the NC Community College System, and the State of North Carolina do not officially endorse events. These items are posted strictly for the information and convenience of NCMBC customers.