Compliance Services
September 27, 2022
Aerospace industry regulations are becoming more complex as the Department of Defense (DoD) adds or reinvents requirements and cybercriminals continuously attack the industry.
One example is the threat actor tracked as TA2541, an otherwise unidentified group that has been targeting the aerospace, transportation, defense, and manufacturing industries since at least 2017. It remains active, having compromised companies in North America and abroad.
Given these risks, the DoD is working to raise cybersecurity standards across its supply chain to protect sensitive data and national security. The CMMC program was created for that purpose.
Contractors in the defense industrial base who work with the Department of Defense will be required to adhere to these requirements. Let’s dive deeper into what they are and how they affect aerospace industry regulations.
CMMC stands for Cybersecurity Maturity Model Certification. The CMMC is a compliance program by the U.S. Department of Defense outlining requirements for contractors in the defense industrial base (DIB).
The Department of Defense released the CMMC 2.0 model in November of 2021. The program is meant to safeguard federal contract information (FCI) and controlled unclassified information (CUI).
The CMMC 2.0 program also:
The CMMC was built on existing standards created by the National Institute of Standards and Technology (NIST), chiefly NIST SP 800-171. In simple terms, CMMC compliance protects sensitive DoD data that could be exploited by foreign or domestic malicious actors.
To learn more about the CMMC program, its three levels, who needs to be certified, and what kind of data it seeks to protect, head over to our blog: What is CMMC Compliance?
Russia-based hackers, for example, have targeted defense industrial base companies with multi-year cyberattack campaigns.
The Department of Defense relies on these DIB contractors for the manufacturing and maintenance of aircraft, engineering and technology initiatives, project management, and more.
Therefore, aerospace industry regulations — including the CMMC — are required because organizations in this sector handle sensitive information that could affect not only manufacturing or project timelines, but also national security.
Many defense industrial base contractors use cloud solutions to manage daily operations. Cloud technology allows for the collection, transfer, and storage of data. However, cloud deployments also expand the attack surface, and malicious actors routinely target the cloud environments of aerospace companies and the user identities that access them.
To learn more about the need for aerospace industry regulations, examples of cloud technology in the industry, and why cybersecurity is important, read our blog The Need for Cloud Security in the Aerospace & Defense Industry.
When a contractor or subcontractor works with the Department of Defense, they need to protect two types of information: federal contract information (FCI) and controlled unclassified information (CUI).
Federal contract information, or FCI, is information that is not intended for public release and is provided by or generated for the U.S. government under a contract to develop or deliver a product or service.
Federal Acquisition Regulation (FAR) clause 52.204-21 defines FCI as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government,” and excludes information the government has released to the public (such as on public websites) and simple transactional information, such as that needed to process payments. The same clause defines “information” broadly as “any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.”
Controlled unclassified information, or CUI, on the other hand, is unclassified government information that a law, regulation, or government-wide policy requires to be safeguarded and that may be subject to dissemination controls.
The CUI regulation, 32 CFR Part 2002, defines CUI as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
To learn more about these types of information used in the aerospace industry and how they fit in the CMMC program, head over to our blog Explaining the Department of Defense’s (DoD) CMMC Requirements.
If you are a manufacturing company or contractor working on DoD contracts, adhering to CMMC requirements is important, not only to receive a contract with the Department of Defense, but to safeguard information that could lead to cybersecurity and national security risks.
The level of CMMC certification a manufacturing company needs depends on the type of data it handles. Depending on the level, a business will need either an annual self-assessment, a triennial third-party (C3PAO) assessment, or a triennial government-led assessment.
The length of time to obtain a CMMC certification depends on which level you are required to meet, the size of your business, the strength of your cybersecurity and compliance program, and the priority of the DoD project.
To learn more about how long it can take to get certified, how to begin the certification process, and whether you need the certification, this blog will provide you with some useful information: What You Need to Know About CMMC in Manufacturing.
Cybersecurity is paramount in the aerospace industry. Since cyberattacks targeting this sector are continuously increasing, it is important for contractors to prepare for the CMMC requirements.
The Department of Defense created the CMMC based on standards from the National Institute of Standards and Technology. It aims to safeguard sensitive information and protect national security.
CMMC helps protect two types of data (FCI and CUI) and the level of certification an organization needs will depend on the type of data it handles. Contractors looking to receive a contract with the Department of Defense should consider investing in cybersecurity compliance services to ensure adherence to the program.
To learn more about preparing for a CMMC assessment and whether your organization has implemented the security practices to pass, use our downloadable Checklist: How to Prepare for a CMMC Assessment.