We're excited to have had the opportunity to co-host the Securing the Manufacturing Supply Chain conference with MxD, the US DoD's Center for Manufacturing Cyber Security.
MxD, formerly known as UI Labs, is the new name of what used to be called the Digital Manufacturing & Design Innovation Institute (or DMDII).
Since 2014, MxD has led a public-private partnership to commercialize cutting-edge digital manufacturing technologies. In 2018, the US Department of Defense designated MxD as the United States' Center for Manufacturing Cyber Security. In that role, MxD is focused on supporting small, medium and large manufacturers in protecting their integrated supply chains. Verve Industrial is pleased to be partnering with MxD in this journey.
During the MxD event, roughly 100 manufacturing leaders came together at MxD's Chicago manufacturing test-bed facility to see cyber security use-cases and discuss challenges and solutions to securing industrial supply chains.
One of the key topics at the conference was how companies, from the largest prime contractors to the smallest family-owned manufacturing vendors, could achieve compliance with DFARS (Defense Federal Acquisition Regulation Supplement), which is based on the NIST 800-171 standard. If you're unfamiliar, it states that as of December 2017, all contractors participating in a U.S. Department of Defense contract had to certify their compliance with the DFARS standards, which apply to confidential unclassified data throughout the supply chain.
The conference and surrounding discussion made us realize just how complicated the cyber security standards landscape has become.
Working with various clients, we've partnered in their adoption of these different standards: NERC CIP, NIST 800-53, NIST CSF, CIS CSC20, ISO 27001, and others. Each of these cybersecurity standards has its own unique features, from compliance requirements and real financial penalties, to the level of specificity provided by the standards, to the level of certification available from third-party auditors.
In some cases, organizations don't have a choice in cybersecurity protocol due to the industry standards imposed upon them. For example, the utilities industry is required to meet NERC CIP standards and DoD contractors are required to meet DFARS standards.
But even for those organizations, additional questions about cybersecurity standards emerge. For instance, utilities need to decide what standards they should establish for low impact assets; DoD contractors need to decide whether they will pursue standards beyond the information security requirements of protecting covered defense information/controlled unclassified information and what that standard should be.