Over the past five years, we’ve helped over a thousand small business Defense Industrial Base (DIB) manufacturers meet their obligations to secure Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) they may handle. (yes, we know, so many acronyms!) Over the course of these engagements, we’ve identified some commonalities between small business DIB manufacturers’ cybersecurity programs. In this post, we’ll provide an overview of common data types handled, common cybersecurity deficiencies we’ve discovered, and provide a few recommendations for CMMC compliance for small business manufacturers.
Common data types handled by DIB manufacturers
We’ve found that our small business DIB manufacturing clients have very similar types of data (aka “information elements”) they handle. Identifying the types of information elements they handle helps determine scope when it comes to FAR 52.204-21, DFARS 252.204-7012, NIST 800-171, and CMMC compliance for manufacturers.
For instance, across the board, all DIB manufacturers handle some sort of FCI, and this FCI is pervasive across their operational environments. As a result, most of the physical (buildings) and digital (computers) aspects of DIB manufacturer operations will have to comply with the FAR 17 and CMMC Level 1 mandates for the protection of FCI. Examples of FCI include DoD-part-related purchase orders, invoices, and non-technical part/product information such as build schedules and shipping locations. If you are manufacturer, think about how widespread this information is in your facility and computer systems. Every place that information resides will be considered (“in scope”) during a CMMC Level 1 assessment.
All of our manufacturing clients handle CUI as well; however, we’ve found CUI has a much more limited “footprint” in the organization and therefore a more limited “scope”. This makes sense as CUI is the subset of FCI that has been deemed more sensitive by the Federal Government. Since CUI in a DIB manufacturing environment is associated with parts and products ultimately being delivered to the DoD, it’s considered “Covered Defense Information” (CDI). Those manufacturers that have the DFARS 252.204-7012 clause in their contracts (or flowed down to them some other way from a customer) are mandated to operate a cybersecurity program that adequately protects CDI. The table below lists the five types of CDI Elements we’ve found in most of our manufacturer client’s environments.
CUI Element | CUI Index/Category | Rationale with NARA CUI Registry Link |
---|---|---|
Engineering Drawings | Defense/Controlled Technical Information (CTI) (For ITAR drawings and specifications) Export Control/Export Controlled | "Engineering Drawings": https://www.archives.gov/cui/registry/category-detail/controlled-technical-info.html ITAR: https://www.archives.gov/cui/registry/category-detail/export-control.html |
Work Instructions (often called "Travelers") | Defense/CTI | "Process Sheets": https://www.archives.gov/cui/registry/category-detail/controlled-technical-info.html |
CNC or G code | Defense/CTI | "computer software executable code and source code"; "engineering data";'"specifications": https://www.archives.gov/cui/registry/category-detail/controlled-technical-info.html |
Quality, Test, or Conformance Reports | Defense/CTI | "technical reports": https://www.archives.gov/cui/registry/category-detail/controlled-technical-info.html |
Shipping Locations (if OCONUS) | Provisional/Operations Security Information (OPSEC) | "operations security": https://www.archives.gov/cui/registry/category-detail/operations-security-info |
For your reference, the table also provides the CUI “Category” and a link to the National Archives and Records Administration (NARA) website with the CUI examples from which we derive our identified CDI elements. NARA is the authority on CUI.
The Venn diagram below shows the relationship between FCI, CUI, and CDI:
Note that we’ve updated this post (November 2022) to remove one of the CDI elements that we previously had on the list: National Stock Numbers (NSN). NSN are considered “catalog-item identifications”, which is listed by NARA as an example under the Controlled Technical Information (CTI) category of CUI. However, many manufacturers post the NSN they are capable of producing on their websites or other marketing literature, which would seemingly violate the government’s rule against publishing CUI publicly. So we asked the DoD for clarification on whether NSN are considered CDI. James Gillooley, from the DoD Industrial Base Cybersecurity Program said no:
“As for the question as to if National Stock Numbers (NSN) are controlled technical information (CTI); No they are not. The DoD Memorandum on ‘Clarifying Guidance for Marking and Handling Controlled Technical Information in accordance with Department of Defense Instruction 5200.48, ‘Controlled Unclassified Information’ page 3 provides additional clarification and information on Controlled Technical Information (CTI). DFARS 252.204-7012 as well as the above mentioned memo states that CTI ‘…does not include information that is lawfully publicly available without restrictions’. And as NSN’s are publicly available information, they do not fall under the definition of CTI.”
So there you have it: NSN are not CDI.
For CDI elements, the scope is typically much smaller than for FCI. Still significant, but smaller. For instance, whereas most of the employees in the organization come into contact with FCI, when it comes to Engineering Drawings (a type of CTI), the individuals who come into contact with — i.e. “handle” — those drawings are typically much more limited:
- engineers
- programmers
- document control
- quality control
- procurement
But other individuals may not handle the Engineering Drawings, such as:
- contracts
- machine operators
- shipping/receiving
- purchasing
- human resources
- etc.
By the way, the vast majority of manufacturers we deal with are required to handle the drawings of DoD parts as export controlled, usually having them marked as “ITAR”. Hence the inclusion of the Export Controlled category in our table and Venn diagram above.
Note that all of these CDI categories, except for OPSEC, are considered “Specified” by the DoD. Don’t worry about what “Specified” means (it’s subtle) but know that CMMC compliance factors may limit manufacturers’ technology options for protecting Specified CUI, especially when it comes to cloud services.
This limited scope of CDI elements in a manufacturing environment can lead to a reduction in costs and complexity of the cybersecurity program mandated by DFARS and CMMC Level 2. Limiting the footprint of CDI in the organization, and therefore the complexity of the cybersecurity program, is important, because as we’ll see in the next section, we found most of our small business manufacturing clients have a long way to go when it comes to DFARS/NIST 800-171/CMMC compliance. Limiting the scope helps to shrink the distance that needs to be covered.
Common small business DIB manufacturer cybersecurity deficiencies
In this section, we’ll describe some deficiencies we commonly discover during gap assessments of small business DIB manufacturers’ cybersecurity programs. For these assessments we follow the assessment objectives outlined in the DoD’s CMMC Assessment Guide. This guide is aligned with and expands upon the NIST 800-171A standard for assessing an organization’s implementation of 110 safeguards — or “controls”. Seventeen (17) of these controls are listed in FAR 52.204-21 for the protection of FCI, and 93 additional controls are listed in NIST 800-171 for the protection of CUI. For CMMC Level 1 compliance, manufacturers assess themselves on their implementation of the “FAR 17” and their ability to protect FCI. In a CMMC Level 2 assessment a third party will assess their implementation of the 110 NIST controls and their ability to protect the more sensitive CDI.
As we noted above, all our manufacturing clients handle FCI as well as CDI. However, at least at the beginning of their cybersecurity compliance journey, we find that all these clients do not do a good job of protecting either type of information. This means that in our experience, most DIB manufacturers could not pass even a CMMC Level 1 assessment. And these manufacturers certainly don’t have critical cybersecurity protections in place such as those outlined in our Totem Top 10. We’ve discovered some typical physical and digital system deficiencies that lead us to this conclusion, which we’ll explore below.
Manufacturers' common physical cybersecurity deficiencies
By far the most apparent CMMC compliance and cybersecurity deficiency we note among our small business manufacturing clients is the lack of physical protection of FCI and CDI. Commonly we find that buildings’ outside doors remain unlocked, or as often is the case in warmer climates, propped wide open. And we aren’t just talking human-sized doors, we are talking garage bay doors, facing the street, rolled open and unattended. Surprisingly, unlocked doors are common even at those companies that don’t have fences or gates around their campus.
We understand that free movement of personnel, raw materials, in-process parts between buildings is crucial in many manufacturing environments. But this free movement makes it just as easy for an adversary to cruise on in and steal paper copies of FCI/CDI. And paper copies of this type are ubiquitous in the manufacturing environment in the form of purchase orders, engineering drawings, work instructions (travelers), and quality reports.
When we alert company management about the risks involved with open doors, we are commonly met with the rebuttal “well the employees will notice someone unauthorized walking in and they’ll do something about it.” Don’t be so sure. We often get the sense at these facilities that we could, with no problem, put on a some of our client’s executive-level garb — such as slacks and a logo’d polo shirt — walk through an open bay door onto the shop floor, and abscond with a traveler, or plug a laptop into an open network jack. First of all, there are no locked doors to stop us. Second, few, perhaps none, of the operators, who are nose-down busy with their own jobs (and like all of us, extremely vulnerable to social engineering and prone to diffusion of responsibility) would question the action. This second fact speaks to cybersecurity awareness and training deficiencies, for which we’ll provide some recommendations below. The bottom line is that if we get the sense that we can get unauthorized physical access to manufacturer’s FCI and CDI, then you better believe our Chinese and Russian adversaries have that same sense, and are actively recruiting individuals (disgruntled former employees?) to take advantage of the lack of physical security to steal our CDI.
On a related note: although door alarms and surveillance systems are not explicitly required by the FAR 17 nor NIST 800-171, the use of these detective systems to protect FCI/CDI are implicitly required by the Government through assumptions in NIST 800-171. We are surprised at how few of our clients have working door/window alarms and/or motion sensors or camera surveillance systems. Usually physical protection of their “stuff” is one of the first security measures a business owner contemplates. While alarms and cameras won’t stop an intrusion, they’ll certainly alert the organization during or after the fact, and are an important part of the defense-in-depth posture the government expects us to adopt to protect its information.
Another common physical security deficiency we find in manufacturing environments is unaccounted networked hardware. “Know your assets” is #1 in our Totem Top Ten for a reason: you can’t protect what you don’t know you have. And any unprotected device is a vector for attack. For example, we commonly see unprotected network switches on shop floors, into which we could connect a laptop and have unfettered access to the network (see the explanation of the “flat network” deficiency in the section below). When we ask the IT system administrators for the hardware list that describes the attributes of and purpose for the switch, the reply often will be “well, I’m not really sure about that one; it was installed before I was hired here.” That’s not good. While unaccounted hardware is understandable in a dynamic and growing environment, it still is not a good practice, and in fact is forbidden by the FAR 17.
Below we’ll make some recommendations for how manufacturers can physically secure their facilities, data, and systems, and not have to compromise too much of the operational flow.
Manufacturers' common digital and technical cybersecurity deficiencies
The most common CMMC compliance digital (logical) or technical deficiency we’ve found in our manufacturing client’s cybersecurity programs is operating a flat network. A flat network is one in which every connected device can communicate with impunity with every other connected device. Flat networks are a bad practice because it means that once an adversary gains a “foothold” in the network, they can scan the entirety of the network in one easy swoop, locate the target device or information they’re looking for, and often compromise the target without being noticed.
This is especially risky for manufacturers because many operate older “legacy” machines whose controllers run on outdated and unsupported operating systems such as Windows 7 or XP, or even *gulp*, Windows 95. Unsupported OS are easy pickins for any adversary. 100% of our manufacturing clients have at least one machine running unsupported OS.
In the recommendations section below we’ll explain a bit about how to rectify a flat network by implementing “segmentation.”
A second almost ubiquitous CMMC compliance deficiency we find for manufacturers is the use of shared accounts. These are accounts for which multiple individuals know the usernames and passwords. They are commonly used at machine controllers, whereby multiple operators can login to a single controller, so that anyone can use the device during any shift without having to remember their own username and password. Very often the same username and password is used for all machine controllers across the organization.
There are multiple reasons why shared accounts are bad news:
- You lose accountability for which user does what with the system. Accountability is a best practice (#10 on the Totem Top Ten) and required for CDI (NIST 800-171 “Audit and Accountability” family).
- The password is usually short and insecure, very frequently written down somewhere near the machine, and never changed. We don’t think it necessary here to expound upon why short, insecure, written down, permanent passwords are bad. For more information on our suggested password policy, see this post.
- Frequently the shared credentials access the default administrative account on the machine. Providing administrative access to users that don’t really need it is bad. Bad like crossing the streams bad.
- You can’t implement one of the best cybersecurity technologies — multifactor authentication — on shared accounts.
But we get it, the operators are busy bringing home the bacon for the company and shouldn’t be burdened with cybersecurity, right? And besides, the machines and their controllers are “Operational Technology” (OT) and are obviated by the CMMC scoping guide from standard cybersecurity stuff, right?
Not really. We can forget the notion about operators not having to worry about cybersecurity. All personnel that come into contact with FCI and certainly CDI will have to be trained in the organization’s cybersecurity program and agree to abide by an Acceptable Use Policy.
As for the second notion, even though machines are OT, they still handle CNC code (CDI; see above), so manufacturers will still have to put some basic risk mitigations in place to pass a CMMC Level 2 assessment. Ditching shared accounts, especially shared administrative accounts, where ever possible is a basic risk mitigator.
In the following section, we’ll describe some recommendations we have for manufacturers to mitigate the risk of shared accounts as well as some other ways to bolster their CMMC compliance.
Our recommendations for rectifying manufacturer's common CMMC deficiencies
Above we outlined a few of the deficiencies we commonly discover in our manufacturing clients’ CMMC cybersecurity programs. This post doesn’t list a complete and comprehensive set of deficiencies, just the most glaring. So if you are a manufacturer, our first recommendation is this: educate yourself on the FAR, DFARS, NIST, and CMMC cybersecurity requirements. If it all seems a little overwhelming, we understand. We can help. If you’d like, come join us in one of our DFARS/CMMC Workshops, in which we break DoD contractor cybersecurity requirements down into manageable actions.
After education, our next recommendation is to start with our Totem Top Ten #1: Know Your Assets. And the first asset that needs accounting is the information the organization handles. We follow a “three C’s” methodology for information accounting:
- Catalog: what information is the organization required to protect, either for business purposes (e.g. intellectual property) or by regulation (DFARS, HIPAA, etc.)?
- Categorize: is any of the cataloged information more sensitive and require additional protections? For instance, CUI has more required protections than does FCI.
- Characterize: how does the information flow through the organization’s facilities and IT system? Any asset that supports any part of the information “lifecycle” in the organization is “in scope” and requires protection.
The next step after the three C’s is to catalog all assets that support the information lifecycle. This can be done in a simple spreadsheet (see our CUI and System Inventory template in our free tools), or by using automated tools.
Once a list of assets has been captured, develop diagrams and graphics that depict the flow of data through the organization as well as the topology of the network. We have examples of these in the “SSP Introduction and SEPG template” in the free tools page.
Now that we have established the need to Know Your Assets first and foremost, let’s look at some specific recommendations to rectify the deficiencies we described above.
Physical security recommendations
Here are some recommendations for CMMC compliance for manufacturers concerned about the physical security deficiencies listed above:
- Ensure accountability for anyone entering through an outside door. The most effective (although maybe not the cheapest) way to do this is to install RFID badge readers or key code entry system that opens a magnetic lock to allow entry. Every time the door is successfully opened, an entry log is registered in a central system.
- If doors, especially garage bay doors, must be left open during working hours (for airflow, lighting, etc.), install collapsible gates to bar unfettered entry. Consider installing locks on the gate (perhaps mag locks; see above) and providing access only to a limited set of individuals. Ensure the doors are closed and locked off hours. These gates will provide additional protection of FCI/CUI on printed media and protect access to IT systems.
- Consider digitizing all paper media. We’ve had several clients change from printed paper travelers and engineering drawings to all digital format accessed through WiFi connected tablets. So instead of a travelers in a workbook or folder, operators access their work instructions digitally on a tablet. Unique (not shared) credentials are required to login to the tablet. This provides accountability for access to the information, and, as long as the tablets’ drives are encrypted, additional physical protection against stolen media. Our clients who have made this switch to digital also realize business process efficiency improvements, as well as cost savings of not having to manage a slew of paper documents.
- Install alarms (motion detecting or break) on all doors and windows. Install cameras to surveil all points of facility entry and any other areas where sensitive information resides or is accessed. These are implicitly required detective controls for CUI, but can be expensive.
- Finally, spin up a cybersecurity awareness and training program for all personnel, even machine operators. A training program is required by NIST 800-171, but its also just a good idea to inform your most valuable asset — your people — on how to protect your second most valuable asset: your information.
Digital security recommendations
As we noted above, flat networks are the most common digital CMMC compliance deficiency we see in manufacturer’s environments. The remedy for this is network segmentation, which is #7 in our Totem Top Ten. Segmentation changes the network topology from “flat” to “hilly”. Just like it is harder to walk on hilly ground than it is on flat, a “hilly” network makes the adversary do more work to move around your IT environment. This extra work serves two purposes:
- Exhaust the adversary. Being forced to navigate a network with some topology may make the juice not worth the squeeze.
- Force the adversary to “make noise.” To move laterally in a segmented network requires the adversary to conduct more in-depth scans and change the configuration of the network. If we’re “listening” for this activity (by monitoring network traffic and event logs — both of which are requirements in NIST 800-171), we can identify the intrusion and respond before it’s too late.
Network segmentation involves logically dividing the network into similar groups of assets. These groups could be similar “types”, such as workstations, servers, machine controllers. Or the assets could be grouped by similar “functions”, such as human resources, engineering, and operations. Or a combination of both. In fact, most organizations already have a type of functional network segmentation: separate corporate and guest wireless access. This type of segmentation is a great way to prevent unauthorized access.
After corporate vs. guest wireless, the simplest division to start with is probably by type, and in a manufacturing environment we recommend the following segments:
- Workstations
- Servers
- Peripheral devices such as printers
- Security devices including networked cameras and intrusion detection systems (IDS)
- Corporate wireless
- Guest wireless
- Shop floor PCs/controllers
- Time clocks
Network segmentation can be accomplished by several means, including:
- Physical “air gapping” between segments,
- Separate switches for each segment,
- Subnets, and, the most likely in modern networks,
- Virtual Local Area Networks (VLANs)
The other CMMC compliance deficiency we frequently find for manufacturers is shared accounts. The best remedy for shared accounts is just to do away with them, and require all personnel to sign into IT resources with unique credentials.
However, we recognize that sometimes these shared accounts just can’t be avoided. For example, we have plenty of clients that make extremely complicated parts where the machining job takes several shifts to complete. Thus the controller can’t be logged out and back in by another individual lest the job be compromised. So we recommend the following “compensating controls” when shared accounts must be present:
- Maintain accountability by monitoring use of the system with cameras.
- Require a long, memorable passphrase instead of a password, in accordance with best practices. Train personnel on mnemonics to help remember the passphrase and discourage writing it down. Better yet, provide password managers to all personnel. Change the passphrase whenever anyone who knew it leaves the organization.
- Eliminate all administrative privileges except for those your IT system administrators absolutely must have. If the software doesn’t require administrative privileges to run, the users don’t need admin rights. Most newer software doesn’t require admin privileges, and that which does can be limited by technologies such as endpoint privilege management tools.
Wrapping up
This post provides our take on some commonalities in CMMC compliance for manufacturers. Most manufacturers in the DIB handle the same categories of CUI, which we’ve listed above. However, most manufacturers we’ve performed preliminary assessments for are not yet adequately protecting that CUI. So here we noted the most common and glaring deficiencies, which will certainly cause a manufacturer to fail a CMMC assessment. Finally, we provided some suggestions for how manufacturers can fix those deficiencies or mitigate their associated risk.
We’ll reiterate: this post just scratches the surface of CMMC compliance for manufacturers. NIST 800-171 is a long road to travel. But we can help. Explore our free tools, join us in a Workshop, or just drop us a line. We love to talk about this stuff!
Good Hunting!
–Adam