Cybersecurity Desk: Why and How To Become Compliant



Bluestreak Consulting


Cybersecurity: it’s important for more than just keeping checking accounts safe. Banks, government agencies, and online databases all require strict cybersecurity. But what about heat treaters? What are the cybersecurity requirements for heat treaters, and how can they become compliant?


Do You Need To Be Compliant?

If you are a heat treater who provides services to a Department of Defense (DoD) contractor, or to a subcontractor further down a DoD supply chain, this topic affects you and you need to read on for the details. Some of you may already have been asked about compliance by your customers. In this article and in future articles, we will answer the most frequent questions about how heat treaters can become and stay compliant with these cybersecurity requirements, and how they can improve their overall cybersecurity health along the way.

Discussions around DFARS compliance, NIST SP 800-171 implementation, and cybersecurity within federal defense contracting are becoming more frequent by the day. Although the conversation seems to be gaining steam only recently, the DFARS mandate has been around longer than most people realize.

The DoD requires contractors, subcontractors, and suppliers whose work involves covered defense information to comply with DFARS 252.204-7012 and NIST SP 800-171. Prime contractors must flow the clause down to every subcontractor whose performance involves that information, and a heat treater that receives drawings, specifications, or parts tied to a DoD program is normally in that category. Don’t take a chance on losing current DoD contracts and future business because of non-compliance. Compliance is non-negotiable for heat treaters within the DoD supply chain.

Heat treaters implementing effective cybersecurity practices face particularly challenging circumstances: there are more devices (including mobile devices) than people, and attackers keep innovating. Cybersecurity is the practice of protecting systems, networks, programs, and data from digital attacks. These attacks usually aim to access, change, or destroy sensitive information; extort money from victims; or interrupt normal business operations. That is why the government is pushing cybersecurity harder than ever before. All of us need to make sure critical data and systems are protected and secured.


Here are several eye-opening statistics, as reported in 2021, on how cybercrime affected SMBs (small to mid-sized businesses):

  • Cyberattacks increased by nearly 300% since the beginning of the pandemic

  • 58% of cyberattack victims are small and mid-sized businesses

  • 60% of small companies go out of business within 6 months after a major security breach

  • 55% of ransomware attacks involve companies with fewer than 100 employees

  • 95% of cybersecurity breaches are a result of human error

What Is DFARS 252.204-7012?

DFARS 252.204-7012 is a DoD regulation that has become increasingly important for defense contractors and suppliers.

First issued in 2013 and revised in 2015 and 2016 to point at NIST SP 800-171, DFARS 252.204-7012 requires contractors to provide “adequate security” for covered defense information (CDI), a category that includes CUI (Controlled Unclassified Information), by implementing the security requirements in NIST SP 800-171 on the contractor information systems that process, store, or transmit that information.

DFARS 252.204-7012 further requires contractors to follow specific procedures after a cyber incident that affects covered defense information: review the affected systems, report the incident to the DoD within 72 hours of discovery, preserve and protect images of the affected systems and relevant monitoring data for at least 90 days, and give the DoD access to that information and equipment for forensic analysis on request. The clause must be flowed down to subcontractors, and any cloud service used to store covered defense information must meet security requirements equivalent to the FedRAMP Moderate baseline.

What Is NIST SP 800-171?

NIST SP 800-171 is a NIST (National Institute of Standards and Technology) Special Publication that lists the security requirements for protecting the confidentiality of CUI in non-federal systems and organizations. Defense contractors must implement its 110 security requirements (in Revision 2, grouped into 14 families such as access control, incident response, and system and communications protection) to demonstrate adequate security for the Covered Defense Information (CDI) handled under their contracts, as DFARS 252.204-7012 requires. The same requirements apply to a manufacturer in the supply chain of the General Services Administration (GSA), NASA, or another federal agency whenever its contract includes a clause invoking NIST SP 800-171, and the publication is written to be used by any non-federal organization that handles CUI.


The deadline for full implementation of NIST SP 800-171 was December 31, 2017. If you missed it, it’s not too late, but you should not wait any longer.

Even if a heat treater is not a DoD contractor or in the DoD supply chain, NIST SP 800-171 is a good “best practice” standard for any organization that wants to improve its overall cybersecurity health. It also helps win future orders, because customers will know their critical data is secure. An in-depth explanation of NIST SP 800-171 and each of its control families is beyond the scope of this article. (Be on the lookout for a future article on that specific topic.)


Consequences of Failing To Comply With DFARS 7012 and NIST 800-171

Whether heat treaters embrace these DoD cybersecurity initiatives will have a major impact on both the DoD supply chain and your business. If many heat treaters in the U.S. choose not to meet the mandatory requirements, the DoD and its prime contractors will award work only to the few heat treaters who do become compliant. Poor cybersecurity practices also invite intrusions, loss of company and customer data, and malware, virus, and ransomware attacks. Any of these can do major damage to the business and cost you customers, and a contractor that misrepresents its compliance status risks liability for the resulting losses as well, including False Claims Act exposure for false cybersecurity representations.

Complying with DFARS 7012 and NIST SP 800-171 is a requirement for all DoD contractors, subcontractors, vendors, and suppliers that handle covered defense information. Since November 2020, DFARS 252.204-7019 and 252.204-7020 have required contractors to complete a NIST SP 800-171 self-assessment and post the resulting score in the DoD’s Supplier Performance Risk System (SPRS) before they can be considered for award, so the DoD now checks compliance status before awarding additional work. Navigating NIST SP 800-171 and DFARS is a complex and challenging, but necessary, step in this process.


Can You Afford Compliance? Funding and Cost Sharing for Heat Treaters

With the government’s huge push for cybersecurity, cost-sharing and funding sources have been identified that may cover a substantial percentage of the costs of these critical cybersecurity projects.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer.

Joe will be speaking at the Furnaces North America (FNA 2022) convention, presenting on DFARS, NIST 800-171, and CMMC 2.0 on October 4th. Contact Joe: joe.coleman@go-throughput.com.
