The National Institute of Standards and Technology does not mess around, of course, and when the organization publishes new rules, it’s best to just comply and move forward.
NIST ordered some new rules, and the deadline for manufacturers to comply with Special Publication 800-171 is fast approaching — December 31, a little more than 13 weeks away.
If 800-171 affects you — and, for the record, it affects any manufacturer who works with controlled unclassified information (CUI) from certain government agencies, most notably the Department of Defense (DoD), the General Services Administration (GSA) and NASA — you’ve probably already at least started the process of an assessment and an update. If you haven’t, well, time is short, according to Matt Kozloski, vice president of professional services at Kelser, a Connecticut-headquartered IT consulting firm.
“Consulting time and organizational time after the assessment is about 300 hours, about six to eight weeks,” Kozloski said, “which is why I’m concerned about people who’ve waited until after September to do just the assessment, to meet that 12/31 deadline.”
NIST 800-171 is rather comprehensive because it involves any manufacturer along the government supply chain. Even if you have no direct government contracts, you’re still affected if even one of your parts is used by a manufacturer who makes a part for, say, Boeing or Pratt & Whitney. It covers all the big names and loads more of the smallest manufacturers you’ve never heard of.
Kozloski wrote an excellent blog post earlier this year that dives pretty deep into NIST 800-171 and the process of bringing your shop up to speed. If you still have work to do to become compliant, I recommend reading it. He provided some more perspective in a recent conversation with IndustryWeek.
Matt Kozloski: In some ways, people are struggling with this. Within the framework, we haven’t found anyone to be 100% compliant out of the gate. There’s always something, and normally more than one thing, that needs to be remediated for someone to become NIST compliant. It is a pretty comprehensive framework, and it can be complicated.
IndustryWeek: Within manufacturing, what are some of the biggest hurdles, some of the most common hurdles, that you see?
MK: Manufacturers are sensitive to the cost of goods and the amount they’re spending on things. In some ways, IT security is an afterthought, it kind of takes a backseat to things like production and safety. What we’re finding, and what the government is finding with this controlled, unclassified information that’s out there, is that there are gaps in the way that manufacturers store and transmit information. That’s the biggest area of concern. They’re really good at having standard operating procedures about how to operate a machine, how to design a part, quality control and safety, but when it comes to transmitting and storing information, and even kind of classifying and separating that information, that’s the area that becomes a real challenge.
IW: You ask some questions near the bottom of your blog post, and one of them is “How can those gaps be closed?” Obviously, there are a number of ways to address that. What might you suggest as some solutions to that question?
MK: There are two parts to that. The first is understanding just logically where your information is — on your systems, on your network, and just where it is. The old cliché goes, “If you can’t see it, you can’t manage it,” and if you don’t know where your information is, it’s hard to classify and separate it. The first thing folks need to do is understand and take inventory of where their sensitive information is, who has access to it, things like that. The second thing is putting together a policy about who should have access to it and how that will be controlled.
IW: If we back up maybe a year ago, when I imagine this process started for a lot of companies, what were some of the more egregious examples? Any particular horror stories you saw? Any companies that just had no idea?
MK: As part of just doing the NIST assessment, we’re going through a comprehensive systems analysis, so we’ve seen everything from open wireless networks, to high-level access to various resources, to finding administrative passwords just by sniffing the network for a little while. Those are at one end of the extreme. It goes down to employee awareness and training people on how to handle sensitive information — what to do, what not to do — so cybersecurity awareness has become a big part of this, too. That was an area a lot of companies overlooked.
IW: You mentioned in your blog post a sort of skills gap that also often gets overlooked. We write a lot about the skills gap, but we don’t write much about the cybersecurity skills gap. It makes sense that it’s there, but it’s not something you really think about unless you’re confronted with it.
MK: After talking with enough manufacturers, it’s interesting to learn who becomes the IT manager over time. Sometimes, it’s someone who was an operations manager or had some involvement in the plant. They helped out with a couple PCs, and before they know it, they’re the IT manager. It happens all the time. So that person has no direct experience — I don’t want to say they have no direct qualification, that sounds rude — but they have no experience to think about some of the things that go on with IT. That sparked the spirit of the NIST framework: the federal government realized there were these gaps, and they said, “We need some kind of standards so companies can organize their systems in a relatively secure way.”
IW: One of the questions you included on your blog post is “What’s next in terms of training?” What kind of training is still needed? What should managers and other employees be looking for in terms of ongoing training?
MK: From here on out, when we talk about training, it’s really about regular cybersecurity awareness training. What I think is the most effective way to do it is train employees on a regular basis, monthly even, with mini modules that are maybe 10 or 15 minutes. They can pick away at it on their own schedule, a different topic every month — handling sensitive information, how to be careful on social media, ransomware and how it works. It’s ultimately designed to keep cybersecurity and protecting information top of mind. The training is important, too, but having that constant awareness helps.
The other thing we incorporate is a series of simulated phishing attacks, putting together a fake email and then reporting back on who took the bait. We don’t advocate anything punitive after that. We like that to be a learning opportunity, not a negative. If someone kept doing it three or four times, the company might want to take a look at that, but the first time, even the first couple times, it’s better to treat it as a learning opportunity. Combined, those things seem to be effective.
IW: There’s a Greek dance called sirtaki that starts slow and gets faster and faster —
MK: I know the general music behind it. There’s some clapping involved.
IW: I imagine there are some companies that are way behind in getting NIST 800-171 compliant and they may be emulating that dance a little bit. Any advice for manufacturers who may have started but have more to go than they should?
MK: The first piece of advice is that they need to commit to doing it. If an organization is still a little wishy-washy, they don’t have a focus, they’re getting into pretty dicey territory, because the assessment is the first step where you’re uncovering what’s going on. Let’s say during the assessment, you find out your firewalls need to be replaced, you’re not encrypting your data, you have all your data mixed in — you’re looking at some major activities. Is it possible to be compliant by December 31? Yes, but if you haven’t started, you’re treading on super thin ice.
IW: And you’re maybe making the last few months of the year a little more stressful than they need to be.
MK: Sure. To me, it’s like simple math: Your DoD contract is worth X dollars. The assessment costs Y dollars. Is that contract worth it to you? If the answer is yes, then why put it off? Just do it.
IW: Worst-case scenario, a company gets to New Year’s Day and isn’t compliant. Otherwise, it’s January 1, you’re a manufacturer who’s now compliant. What happens from that point? What changes? What should change?
MK: At that point, it’s going to go into a kind of continuous improvement cycle. The NIST framework itself has policy and procedural items and objectives built into it. Let’s say you have a policy on written information. With that policy comes a date you’re going to review it and who’s going to sign off on it. Once NIST is implemented, it just becomes another of those continuous improvement processes.
IW: The other side of that coin: January 1 comes around and a company isn’t compliant. I’m sure it becomes a little more complicated.
MK: Yeah, it does. At the very least, you’re notifying whoever’s upstream from you in the supply chain, and then you’re looking at losing a contract or some kind of major shifts. That’s why it’s going to come down to how much a contract is worth to you, because little manufacturers around, say, Connecticut, are peanuts to Pratt & Whitney or United Technologies. UTC is not going to risk losing a DoD contract because some little manufacturer in Stafford is not willing to become compliant. They’ll just move the business somewhere else.
IW: Anything else that’s really key for the next 87 days?
MK: For me, it just goes back to the notion that manufacturers are used to certain standard operating procedures, they’re used to having safety procedures, so why not apply that to their technology, too? Even outside of NIST itself, it’s important for manufacturers to just consider their technology and the data they have to be equally as important as other operations. If people think about it that way, I think it simplifies it and kind of connects what they’re already doing to something a little unknown. It could ease the stress around becoming NIST compliant, too.