The defense and aerospace industry wants the Department of Defense to adopt the same set of cybersecurity standards their companies use to trim vulnerabilities throughout their supply chain, rather than piling on additional requirements.
The message to the DoD is one of a handful from the Aerospace Industries Association to encourage what CEO Eric Fanning called “smart regulation” during a media briefing about AIA’s 2019 agenda.
“We’re not always seeking less regulation — I know you don’t hear that from industry every day, but [aerospace and defense] has benefited from smart government regulations, often developed with industry,” he told reporters Feb. 14. In terms of cybersecurity, “we’re trying to get away from the traditional way of assurance, which is just labor intensive and doesn’t keep up with changing regulations, technology and threats.”
Specifically, large companies are working with smaller suppliers to streamline their processes for greater assurance. AIA, in turn, released in December a list of 110 security controls, broken down into what it describes as 22 control families. Organizations can use the rubric to assess their vulnerability to cyberattacks.
Beyond enhancing security among its members, AIA says the standards could, in theory, be used as a baseline for the DoD.
“Cybersecurity writ large, it’s important for everyone,” Fanning said. “This is an effort to work together to develop standards that we use internally, that get us to a certain level of assurance, where DoD can take over, rather than applying an additional layer of standards and requirements on top of what industry is doing.
“The idea of hiring 10,000 people, giving them clipboards, and sending them around the country or world to run through a checklist won’t get at what is a serious problem.”
In September 2018, then-Deputy Secretary of Defense Patrick Shanahan said cybersecurity “will become a key measurement for how industry is judged by the department.” And Wednesday, Assistant Secretary of Defense for Acquisition Kevin Fahey said the DoD will try to implement cybersecurity provisions in the Defense Federal Acquisition Regulation Supplement that essentially assign contractors a “cyber score,” according to a report from Inside Defense.
So far, Fanning is unaware of any specific standard established inside the department.
“They’re working on things, and have been intrigued, even enthusiastic about the work we’ve done internally among our membership,” he said. “The supply chain companies are not just concerned about a new set of standards from the DoD — [but also] multiple sets of standards if the Army, Navy and Air Force all come out with a separate way of doing it. They’re also concerned if the primes in the aerospace and defense industry come out with separate standards. We won’t get there if we don’t have a shared set of standards in and out because it will just be way too cumbersome.”
In addition to regulatory reform, AIA pointed to budget process stability and predictability, reducing barriers to trade, and strengthening the aerospace and defense workforce as priority areas of advocacy for 2019.