The Aerospace Industries Association (AIA) on Thursday released a risk-based cyber security standard aimed giving companies in the aerospace and defense industry set of baseline security controls that can evolve with changing threats and provide a shared comfort level within the industry and government that accepted cyber security practices are being achieved.
The National Aerospace Standard (NAS9933) complements existing controls established by the National Institute of Standards and Technology that are also accepted by the Defense Department. However, these are "modest" in terms of risk management because even if all of the controls aren't met, a contractor can still receive a government contract as long as they show what requirements have been satisfied and how they plan to achieve the remaining ones, AIA said.
The NIST standard, which consists of 110 controls described in Special Publication 800-171, establishes a "minimal level of security," John Luddy, vice president for National Security Policy at AIA, told Defense Daily in a brief telephone interview. Having a "floor" for cyber security in the acquisition process was the government's intent, he said.
The AIA standard creates a "more dynamic approach" in that it has different capability levels for companies to adopt and then adapt to the risks they are facing, Luddy said. The 22 control families contained in NAS9933 each have critical security sub-controls categorized into five capability levels, with Level 3 being the minimum 4 and 5 being higher-level objectives, AIA said.
In addition to industry "working toward a common set of requirements for cyber security that can be measured as a standard," Luddy said AIA hopes that contractors can show DoD contracting officers they meet the NIST standard and have also achieved a certain capability level with the NAS9933 to demonstrate that the requirements are being met.
Jason Timm, AIA's assistant vice president for National Security Policy, said the AIA standard applies to companies' networks and infrastructure.
Luddy said that AIA's Cybersecurity Committee has been working with DoD for at least a year on the AIA standard and "they see it as a useful, additional measure of security," adding that there is more work to be done in terms of "socializing" across the department and also across industry.
For companies and their supply chains, there is also a need to have a "common set of standards that we all work to," Luddy said.
"If I'm making something for Raytheon and something for Lockheed Martin, I'm achieving a level of security that the program at Lockheed Martin and the program at Raytheon can both see as hitting a certain mark of security," he said.
The standard is available through AIA's website for $60 for a secure or print copy or $96 for both.