Bluestreak Consulting

CUI Considerations for the Heat Treating Industry

2024 is a big year for heat treaters who work for the DoD. As Joe Coleman, cybersecurity officer at Bluestreak Consulting, explains, Controlled Unclassified Information is a key topic you need to understand if you want to maintain or grow contracts with the DoD this year.

This Cybersecurity Corner installment was released in part in Heat Treat Today’s March 2024 Aerospace print edition.


If you are a prime contractor or a subcontractor for the Department of Defense (DoD), you almost certainly handle CUI in some form, on paper or in digital systems. The first step toward protecting it is learning what is, and is not, considered Controlled Unclassified Information (CUI).

What Exactly Is Considered CUI?


The DoD handles CUI in many forms across its operations. CUI is information that requires safeguarding or dissemination controls under a law, regulation, or government-wide policy, but that does not meet the criteria for classification. Examples of CUI categories you will encounter in DoD work include:

  • Export Controlled Information (ECI): Information that is subject to export control laws and regulations, such as technical data related to defense goods and services.
  • For Official Use Only (FOUO): A legacy DoD marking for unclassified information withheld from public release. DoD retired FOUO when it implemented the CUI program (DoDI 5200.48, 2020); new material is marked CUI instead, but FOUO-marked documents still circulate and should be handled as CUI.
  • Critical Infrastructure Information (CII): Details about critical infrastructure elements like facilities, systems, networks, and assets that are essential for national security, economy, or public health.
  • Privacy information: Personal information of individuals (e.g., Social Security numbers, medical records) that needs to be protected under privacy laws and regulations.
  • Sensitive But Unclassified (SBU) Information: Another legacy marking for unclassified information that requires protection because of its potential impact if disclosed; like FOUO, it has been folded into the CUI program.
  • Contract-related information: Non-public details within contracts, such as proprietary information, financial data, or technical specifications.
  • Proprietary information: Data owned by an entity and protected by intellectual property rights or confidentiality agreements.

In the heat treating industry, DoD CUI might include various sensitive details related to heat treatment processes, materials, or specifications used in defense-related applications. Here are some potential examples of DoD CUI within the heat treating industry:

  • Material specifications: Specifications for heat treated materials used in defense equipment, weapons systems, or components. This could include details about specific alloys, heat treatment methods, tempering, or hardening processes required for certain applications.
  • Process documentation: Detailed procedures and technical information regarding heat treatment processes employed in the production of defense-related materials or components. This might involve specific temperature ranges, cooling rates, or other proprietary methods used in heat treating.
  • Quality control data: Information related to quality control measures specific to heat treating in defense-related manufacturing. This could involve data on testing methodologies, inspection techniques, or standards compliance for heat treated materials used in critical defense systems.
  • Research and development (R&D) information: Research findings, experimental data, or proprietary knowledge related to advancements in heat treatment technologies tailored for defense applications. This may include innovative heat treatment methods for enhancing material properties, durability, or performance in defense systems.
  • Supplier information: Details about suppliers providing heat treatment services or materials to the defense industry, including contractual agreements, proprietary processes, or specifications specific to DoD projects.
  • Cybersecurity measures: Information about cybersecurity measures employed within heat treatment facilities that handle DoD contracts or projects to safeguard sensitive data from cyber threats.
  • Facility security protocols: Details regarding security protocols, access controls, and clearance requirements within heat treating facilities handling defense-related projects to prevent unauthorized access to sensitive information.

Other items that may be identified as CUI provided by the DoD or generated in support of fulfilling a DoD contract or order include, but are not limited to (in both paper and digital formats):

  • Research and engineering data
  • Engineering drawings and lists
  • Technical reports
  • Technical data packages
  • Design analysis
  • Specifications
  • Test reports
  • Technical orders
  • Cybersecurity plans/controls
  • IP addresses, nodes, links
  • Standards
  • Process sheets
  • Manuals
  • Data sets
  • Studies and analyses and related information
  • Computer software executable code and source code
  • Contract deliverable requirements lists (CDRL)
  • Financial records
  • Contract information
  • Conformance reports

What Is Not Normally Considered CUI?

Here are several examples of items that may not typically fall under DoD CUI for the heat treating industry:

  • General industry standards: Information related to commonly accepted industry standards, processes, or procedures that are widely available and not specific to defense-related applications.
  • Non-proprietary heat treatment techniques: Basic information about standard heat treatment methods or techniques that are publicly known and not proprietary to a particular organization or application within the defense sector.
  • Publicly available research: Scientific or technical research findings, publications, or data that are publicly accessible, not subject to proprietary rights, and not specifically tied to defense-related advancements.
  • Commonly shared best practices: Information regarding widely accepted best practices in heat treating that do not involve proprietary or classified techniques applicable solely to defense-related materials or components.
  • Non-sensitive business operations: Routine business operations, administrative documents, or general non-sensitive communications within the heat treating industry that do not pertain to defense contracts or projects.
  • Information approved for public release: Data that has been officially approved for public release by the DoD or other relevant authorities, ensuring it does not contain sensitive or classified details.
  • Basic material specifications: Information about materials, alloys, or heat treatment processes widely used in commercial applications and not specifically tailored or modified for defense-related purposes.

I hope this information has been helpful to you. Please contact me with any questions and for a free consultation, with a complimentary detailed compliance ebook.

For more information: Contact Joe Coleman at joe.coleman@go-throughput.com.

Find Heat Treating Products and Services When You Search on Heat Treat Buyers Guide.com


Cybersecurity Desk: Artificial Intelligence and Heat Treating

op-ed

Artificial intelligence remains a hot topic for every industry, not least heat treating. Understanding the how and why of AI’s potential impacts on the industry, however, is not so easily apparent.

Today’s article, written by Joe Coleman, cybersecurity officer at Bluestreak Consulting, breaks down the pros and cons of implementing AI, to help you decide if artificial intelligence might be a beneficial addition to your heat treat operations.

This article was originally published in Heat Treat Today’s December 2023’s Medical and Energy Heat Treat magazine, and can be read in fullness here.


Introduction

Joe Coleman, cyber security officer, Bluestreak Consulting

As all of you are aware, artificial intelligence (AI) is getting more and more attention, and companies are beginning to use AI in many aspects of running their businesses. I’m sure you’ve heard of ChatGPT and similar large language model (LLM) chatbots. You may be one of those businesses considering the idea or experimenting with it to assess its potential benefits for your business.

Like any industry, there are quite a few pros and cons associated with using AI to improve the heat treating processes. This article will outline some of these advantages and disadvantages. Always make sure you do your own research before jumping into the AI world because it’s not always what it seems.

What Is Artificial Intelligence (AI)?

Artificial intelligence is the simulation of human intelligence in machines that are programmed to think and learn like humans. It includes a wide range of techniques and approaches, including machine learning, that allow computers to perform tasks which typically require human intelligence, such as understanding natural language, recognizing patterns, solving problems, and making decisions. AI systems are designed to learn from data, improving their performance over time without being explicitly programmed for each task. These technologies find applications in many areas, from virtual assistants and language translation services to autonomous vehicles and industrial diagnostics, revolutionizing industries and helping to shape the future of technology.

Pros of AI in Heat Treating

Quality Improvement:

  • AI systems can monitor and help control the heat treatment process in real time, giving you consistent quality and minimizing defects.
  • Predictive analytics in AI can anticipate potential defects, allowing for corrective actions before they occur.

Increased Efficiency:

  • AI algorithms can optimize processing parameters and reduce bottlenecks, leading to faster and more efficient heat treating processes.
  • AI-driven automation can raise labor throughput and increase overall production speed.

Cost Reduction:

  • By optimizing utility usage and resources, AI can help reduce many of the operational costs within heat treating facilities.
  • Predictive maintenance generated by AI can prevent costly equipment breakdowns and production downtime.

Customization and Personalization:

  • AI algorithms can analyze customer requirements and tailor heat treating processes to their specific needs.
  • Improved data analysis can lead to the development of new and specialized heat treatments for different metals and alloys.

Data Analysis and Information:

  • AI systems can process the enormous amounts of data generated during heat treatment, extracting information that can be used for process improvements and better quality management.
  • Pattern recognition and statistical process control (SPC) analysis by AI can identify trends and correlations that could normally be overlooked.

Cons of AI in Heat Treating

Initial Investment:

  • Implementing an AI system requires a significant initial investment in the technology, training, and infrastructure, which may be a showstopper for smaller businesses.

Dependency on Technology:

  • Dependence on AI systems becomes a problem when there are technical glitches or breakdowns, which can disrupt the entire heat treating process.

Data Security and Privacy:

  • AI systems rely heavily on data. Ensuring the security and privacy of sensitive data is critical, especially when dealing with Controlled Unclassified Information (CUI), your proprietary heat treating processes, and sensitive customer information. Pasting CUI or process data into a public, cloud-hosted AI service moves that data outside your assessed system boundary; DFARS 252.204-7012 requires any cloud service that stores or processes CUI on your behalf to meet at least the FedRAMP Moderate baseline or its equivalent.

Ethical Concerns:

  • AI decision-making raises ethical questions, especially when the technology is used in critical applications; ensuring fairness, transparency, and accountability in those decisions is essential.

Skilled Workers Replaced:

  • Automation using AI may reduce the need for certain manual tasks, potentially displacing skilled workers who lack the skills needed to operate or maintain AI systems.

Here’s the bottom line: You should always do your own research to see if AI is a good fit for your business. AI is not always better. There are upsides of using it, and there are definitely downsides to using it. You can’t always trust AI to give you the best information, so always make sure you confirm the information it is giving you through V&V (verification and validation).

At the Metal Treating Institute’s (MTI) national fall meeting, held October 9–11 in Tucson, AZ, Jay Owen gave an excellent presentation entitled, “Artificial Intelligence: Be Afraid or Be Excited.” Contact MTI by visiting www.heattreat.net.



Cybersecurity Desk: What Should Heat Treaters Be Doing NOW?

op-ed

This seventh article in the series from the Cybersecurity Desk helps you determine if CMMC applies to your business, learn what changed between CMMC 1.0 and CMMC 2.0, know what you should be doing NOW to prepare for CMMC 2.0, and more.

Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s May 2023 Focus on Sustainable Heat Treat Technologies print edition.


Introduction

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

Along with determining if CMMC (Cybersecurity Maturity Model Certification) applies to your business, this 7th article in the series from Heat Treat Today’s Cybersecurity Desk will give you a better understanding of what the certification is all about and the requirements to become certified. Also, we will cover the changes that were made to CMMC 1.0, the current status of CMMC’s proposed rule, and what you should be doing NOW to prepare for when the CMMC 2.0 rule is finally released.

What Is Changing in CMMC 2.0

In November 2021, the Department of Defense (DoD) announced a major update to the CMMC program. To safeguard sensitive national security information, the DoD launched CMMC 2.0, a framework to protect the Defense Industrial Base’s (DIB’s) sensitive unclassified information from frequent and increasingly complex cyberattacks. Manufacturers or suppliers that handle Controlled Unclassified Information (CUI) in any way, and anyone else within the DIB, need to pay attention. CMMC 2.0 condenses the original five CMMC maturity levels into three, eliminating the transitional levels 2 and 4 and removing the CMMC-unique practices and all maturity processes. The number of controls per level was also revised: Level 1 covers the 17 basic safeguarding practices, Level 2 covers the 110 requirements of NIST SP 800-171, and the control set for Level 3 (drawn from NIST SP 800-172) was still to be determined at the time of writing. Several other changes somewhat relax the requirements relative to CMMC 1.0.

Who Does CMMC Impact?

Manufacturers in the DIB are going to be held accountable to safeguard sensitive information and must comply with CMMC 2.0. Any contractor, subcontractor, supplier, or manufacturer that provides parts or services to the DoD or anyone within the DIB (no matter how minuscule) will need to comply with one of the three levels of CMMC compliance.

What Should Heat Treaters Be Doing Now?

Although CMMC 2.0 is still in the rulemaking phase, the new CMMC proposed rule is expected to be released sometime in mid-2023. This will give some much needed clarity on how to move forward and will help streamline the implementation of CMMC. Warnings will be issued to the DIB through DoD primes and will be passed down through the supply chain. Manufacturers that do not comply will be at risk of losing contracts.

If you (or your clients) are doing work for any DoD primes (or NASA), such as Raytheon, Lockheed Martin, Boeing, Northrop Grumman, or L3Harris (and many more), then this applies to your business. If you are unsure, check the fine print in your contracts, and/or ask your clients about their requirements.

If you handle CUI in any way, you need to be at a CMMC Level 2 or Level 3. The most common level is Level 2. If you don’t handle CUI in any way, but you do handle FCI (Federal Contract Information), you will need to be certified at a Level 1.

On average, it can take a company of up to 100 employees between 12 and 18 months to implement NIST 800-171 (CMMC Level 2). So even though CMMC 2.0 is not completed yet, don’t wait until it is. If you haven’t started your NIST 800-171 implementation and want to be ready when the CMMC 2.0 rule is released, you are already a year behind.

CMMC certification adds outside assessment: under CMMC 2.0, Level 1 is an annual self-assessment, most Level 2 certifications are performed by an accredited third-party assessor (C3PAO), and Level 3 is assessed by the DoD itself (DIBCAC). NIST 800-171 compliance under DFARS 252.204-7012, by contrast, is self-attested. You should always hire a qualified CMMC consultant to ensure that you’re “audit-ready” for your certification assessment.

What’s the Difference Between FCI and CUI?

FCI is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service. CUI and FCI share important similarities and a particularly important distinction. Both CUI and FCI include information created or collected by or for the government, as well as information received from the government. However, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding and may also be subject to dissemination controls. In short: All CUI in possession of a government contractor is FCI, but not all FCI is CUI.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.



39 Heat Treat News Chatter Items To Keep You Current

Heat Treat Today offers News Chatter, a feature highlighting representative moves, transactions, and kudos from around the industry. Enjoy these 39 news bites that will help you stay up to date on all things heat treat.

 

Equipment Chatter

  1. The precision forging manufacturer Jiangsu Pacific Precision Forging Company has placed an order with SMS group for a fully automatic MP 3150 eccentric closed-die forging press. Pacific Precision will be able to forge aluminum chassis components on a much larger scale. This new expansion provides Pacific Precision with access to the growing automotive market segment for more lightweight designs.
  2. A commercial heat treater in Mexico purchased a third vacuum furnace from SECO/WARWICK Group.
  3. Ecocat India, a catalyst manufacturer, has ordered an advanced technology vacuum gas cooling furnace from SECO/WARWICK. The system will carry out brazing and annealing processes.
  4. Several new CAB lines have been ordered from SECO/WARWICK to be delivered to manufacturers in China. Two companies specifically chose EV/CAB lines while another manufacturer purchased a CAB line.
  5. SECO/WARWICK delivered two CAB lines and one universal chamber furnace for aluminum brazing to an automotive manufacturer in China. The systems will braze large-size coolers for vehicle batteries.
  6. Oetzbach Edelstahl GmbH, a hardening plant, has purchased a third furnace from SECO/WARWICK.
  7. A Swiss commercial heat treater ordered a brazing furnace to be used for nickel and silver from SECO/WARWICK.
  8. Tenova LOI Thermprocess has completed the production optimization of a new Twin-Chamber Melting Furnace (TCF®) at E-Max Billets in Kerkrade, the Netherlands.
  9. An Asian thread rolling die conglomerate selected a SECO/WARWICK vacuum furnace. The Vector® will be used for vacuum hardening and tempering fastener dies.


Company and Personnel Chatter

  1. Hubbard-Hall has expanded its product offering and customer resources by acquiring the assets of Torch Surface Technologies, a specialty chemical company based in Whitmore Lake, MI.
  2. New simulation software is being launched at CENOS Simulation Software. The application portfolio expands with some new electromagnetic case software apps. The first apps will be launched in Q4 or a little later.
  3. Solar Atmospheres of California announced it has been awarded the approval to process parts for Lockheed Martin (LMCO) owned Sikorsky. The Sikorsky approval adds to the existing LMCO process specifications held for vacuum heat treatment of titanium, nickel alloys, and stainless steel per AMS 2801, AMS 2774, AMS 2759/3, and others.
  4. Nel Hydrogen US, a subsidiary of Nel, has entered into a joint development agreement with General Motors to help accelerate the industrialization of Nel’s proton exchange membrane (PEM) electrolyzer platform. The two companies are looking to enable more cost competitive sources of renewable hydrogen.
  5. The Supervisory Board of thyssenkrupp AG extended the appointment of Oliver Burkhard by five years. Burkhard has been a member of the Essen-based group's Executive Board since February 2013, Thyssenkrupp AG director of Labor since April 2013, and additionally CEO of thyssenkrupp Marine Systems since May 2022.
  6. Joe Coleman, cyber security officer of Bluestreak Consulting™, has earned his Cyber AB CMMC Certification as a Registered Practitioner (RP). CMMC is a U.S. Department of Defense (DoD) program that applies to Defense Industrial Base (DIB) contractors.
  7. CG Thermal welcomes associate process engineer Signe Laundrup to the Process Systems Group. Laundrup is a 2021 chemical engineering graduate from the University of California, San Diego. Her background is in manufacturing and research and design.
  8. Tata Steel signed a memorandum of understanding with SMS Group to reduce carbon emissions at Tata’s integrated steel plants across India.
  9. Two heat treat technology companies integrate: C3 Data’s real-time pyrometry compliance software enables digital uploading of certificate data of all TT Electronics.
  10. Ipsen Japan announced the addition of Mr. Masakazu Kanaka in the role of customer service director. Kanaka is responsible for the growth of all Ipsen Japan customer service business, which includes retrofits, parts, and service. He will oversee the aftermarket sales team and field service engineers.
  11. Solar Atmospheres of California announced Honeywell approval to heat treat austenitic steels, martensitic steels, pH steels, tool steels, nickel alloys, cobalt alloys, titanium alloys, and magnetic alloys.
  12. Aluplast – ZTG, an Altest company, recently expanded its production capacity with a second Nitrex nitriding system. The second furnace, a model N-EXT-612, is capable of processing a load of extrusion dies weighing up to 1300lbs.
  13. Solar Atmospheres of Michigan is pleased to announce the addition of Chris Molencupp as their new sales manager.
  14. Metal Exchange Corporation announced that Matt Rohm, current President and Chief Operating Officer (COO), will be promoted to Chief Executive Officer (CEO) of Metal Exchange Corporation effective January 1, 2023. At that time, current CEO Rick Merluzzi will assume the title of executive vice chairman, serving as an advisor to executive chairman, Mike Lefton, on key strategic initiatives for the organization, through the end of 2023.
  15. Quintus Technologies joins the newly opened Application Center at RISE to support further development of additive manufacturing. The AM Center will also include the Quintus press model QIH 15L-2070.
  16. Abbott Furnace Company announced that it has partnered with Obsidian Technical Group for sales and service support across much of the eastern United States.
  17. Robert Roth announced the appointment of Nelson Sanchez as RoMan’s new president, effective January 1, 2023. Sanchez is the first non-family member to hold the office.
  18. Hubbard-Hall hired Aaron Mambrino as chief financial officer. Her expertise lies in driving process changes to create operational synergies, developing strategic partnerships, and LEAN manufacturing.
  19. John Savona, vice president of Americas Manufacturing and Labor Affairs, Ford Blue, will retire on March , after more than 33 years. Bryce Currie will step into the role.
  20. AFC-Holcroft welcomed employees and their families, company retirees, and invited guests to view their newly renovated building as part of an open house.
  21. Solar Atmospheres of California participated in the “Spark of Love” toy drive in coordination with the San Bernardino County Fire Department.
  22. Raytheon Technologies expands Bengaluru operations with opening of Pratt & Whitney India Engineering Center. The facility is co-located with Pratt & Whitney’s India Capability Center and Collins Aerospace engineering and global operations centers.
  23. Lucifer Furnaces in Warrington, PA, a manufacturer of heat treating furnaces and ovens for the last 80 years, has added Brett Wenger to its leadership team as vice president of sales.

 


Kudos Chatter

  1. Global Thermal Solutions celebrates 15 years in Mexico.
  2. Hitchiner Manufacturing receives Nadcap Accreditation.
  3. Ipsen USA announced that 2023 represents a milestone anniversary. This year marks 75 years since Harold Ipsen founded the company.
  4. Desktop Metal is sponsoring a robot on a new season of BattleBots. The completely rebuilt robot is aided by the design freedoms and fast turnaround times of metal 3D printing.
  5. Solar Atmospheres’ Michigan and Western Pennsylvania facilities have recently been awarded Nadcap Merit status for vacuum heat treating and brazing.
  6. In September, the Swiss Steel Group (SSG) held the 1st Hydrogen Symposium at the Henrichshütte Iron and Steel Works in Hattingen. Speakers from academia, business, and politics held lectures in four sessions.
  7. Borikengineers, a team mentored by Pratt & Whitney employees in Puerto Rico, has advanced to the Qualifiers’ Finals Competition in the FIRST Tech Challenge DC Qualifier. The team won the Judges Choice Award.

 


Heat Treat Today is pleased to join in the announcements of growth and achievement throughout the industry by highlighting them here on our News Chatter page. Please send any information you feel may be of interest to manufacturers with in-house heat treat departments especially in the aerospace, automotive, medical, and energy sectors to sarah@heattreattoday.com.


 


Cybersecurity Desk: Have You Entered Your NIST 800-171 Self-Assessment Score into SPRS Yet?

op-ed

This sixth article in the series from the Cybersecurity Desk will give you a better understanding of how to submit your basic NIST 800-171 self-assessment score into SPRS (Supplier Performance Risk System).

Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s March 2023 Aerospace Heat Treating print edition.



Why Should You Do This?


The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7020 is one of three clauses (7019, 7020, 7021) added to the DFARS 252.204-70 series in November 2020, building on the original 252.204-7012. DFARS 252.204-7019, “Notice of NIST SP 800-171 DoD Assessment Requirements,” is the clause that requires a current basic self-assessment score (no more than three years old) to be posted in SPRS before a contracting officer can award a contract. DFARS 252.204-7020 carries the assessment requirements themselves: contractors must give the Department of Defense (DoD) access to their facilities, systems, and personnel whenever the DoD conducts or renews a Medium or High assessment, and must flow the SPRS score requirement down to subcontractors that handle CUI.

Once your self-assessment score has been submitted and accepted into SPRS, you are eligible for contract award. The score must remain in SPRS, and remain current, for the duration of your contract(s), and you should be able to show progress against your plan of action toward full compliance.

If a self-assessment score submitted to SPRS is required in order to win a contract, and you don’t have a self-assessment score in the system because you don’t have CUI, does that mean you will lose the contract? Maybe.

The requirement for NIST SP 800-171 DoD self-assessment is being enforced whether or not you have CUI. So, it makes sense to get started on this ASAP to position your company for additional business. Plus, having better cybersecurity controls in place is definitely a business best-practice.

How To Submit Your Basic Self-Assessment Score to SPRS

There are two ways to submit your basic self-assessment score to SPRS.

Option 1: Using email to send the information. Submitting your self-assessment score via email to SPRS includes the following steps:

  • Get an accurate NIST 800-171 self-assessment and score. Conduct the self-assessment and compute your score using cybersecurity professionals who carefully follow the NIST SP 800-171 DoD Assessment Methodology (which draws on the assessment procedures in NIST SP 800-171A). The score starts at 110 and is reduced by 5, 3, or 1 points for each requirement that is not implemented, so a negative score is possible. A low score is not disqualifying by itself, but it must be accurate and consistent with your System Security Plan (SSP) and plan of action; a knowingly inaccurate score submitted to the government is a false statement, so accuracy matters more than a high number.
  • Identify your SPRS “Scope of Assessment.” Your SPRS score submission will fall into one of three categories: Enterprise, Enclave, or Contracts.
  • Determine your expected completion date. The “Plan of Action Completion Date” must be determined according to your compliance project timelines.
  • Find your commercial and government entity CAGE codes. Your CAGE codes represent the part(s) of your organization included in the assessment and represented in the final System Security Plan (SSP) document.
  • Provide a brief description of the SSP format and system architecture.
  • Submit your self-assessment score to SPRS. Send an email to webptsmh@navy.mil with the subject line “SPRS Self-Assessment Score Submission”. Encrypt and sign the message if you can, since it describes your security posture. The body must contain, in this order:
    • Assessment date
    • Assessment score
    • Scope of assessment
    • Plan of action completion date
    • Included CAGE code(s)
    • Name of System Security Plan (SSP) assessed
    • SSP version/revision
    • SSP date
  • Wait for the email confirmation that your score has been posted.

Option 2: Using the PIEE (Procurement Integrated Enterprise Environment). 

Register a PIEE account at https://piee.eb.mil/. Once your business is registered, choose the SPRS link and follow all instructions. You will need to provide all the same information as shown in Option 1.
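As an added worked example (not code from the article or from Bluestreak Consulting), the following Python script applies the scoring rule of the NIST SP 800-171 DoD Assessment Methodology referred to in Option 1 and checks whether a posted score is still inside the three-year currency window that DFARS 252.204-7019 applies. The weight table and the assessment findings in it are constructed for illustration and cover only six of the 110 requirements; a real assessment must load all 110 weights from the methodology's annex.

```python
"""Score calculator for the NIST SP 800-171 DoD Assessment Methodology.

Added illustrative example; not code from the article's author or from
Bluestreak Consulting. Scoring rule: start at the maximum of 110 and
subtract each unimplemented requirement's weight (5, 3 or 1 points).
Two five-point requirements accept partial credit: 3.5.3 (multifactor
authentication) and 3.13.11 (FIPS-validated cryptography) cost 3 points
instead of 5 when only partially implemented.
"""
from dataclasses import dataclass
from datetime import date

MAX_SCORE = 110
VALID_STATUS = {"implemented", "not_implemented", "partial"}

# Requirements that may be deducted 3 points instead of their full weight
# when only partially implemented (DoD Assessment Methodology).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# ASSUMPTION: illustrative subset of the weight table. A real assessment
# must load all 110 weights from the methodology's annex.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to authorized transactions/functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography protecting CUI
}

# Constructed assessment findings for the sample requirements.
SAMPLE_FINDINGS = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.1.3": "not_implemented",
    "3.1.5": "implemented",
    "3.5.3": "partial",           # MFA only for remote/privileged users
    "3.13.11": "not_implemented",
}


@dataclass(frozen=True)
class ScoreResult:
    score: int
    deductions: tuple  # (requirement, points) pairs, in requirement order


def partial_credit_allowed(req):
    """Only 3.5.3 and 3.13.11 may be scored as partially implemented."""
    return req in PARTIAL_DEDUCTION


def compute_score(weights, findings):
    """Return the SPRS-style score for `findings` against `weights`.

    Every requirement in `weights` must have a finding, and `partial` is
    rejected for requirements that do not allow partial credit, so an
    incomplete or mis-scored assessment fails loudly instead of inflating
    the number.
    """
    missing = set(weights) - set(findings)
    unknown = set(findings) - set(weights)
    if missing or unknown:
        raise ValueError(f"unassessed: {sorted(missing)}, unweighted: {sorted(unknown)}")
    deductions = []
    for req, weight in weights.items():
        status = findings[req]
        if status not in VALID_STATUS:
            raise ValueError(f"{req}: unknown status {status!r}")
        if status == "implemented":
            continue
        if status == "partial":
            if not partial_credit_allowed(req):
                raise ValueError(f"{req}: partial credit not permitted")
            deductions.append((req, PARTIAL_DEDUCTION[req]))
        else:
            deductions.append((req, weight))
    total = MAX_SCORE - sum(points for _, points in deductions)
    return ScoreResult(score=total, deductions=tuple(deductions))


def assessment_is_current(assessment_date, as_of):
    """True if an assessment (ISO date string) is not more than three years
    old on `as_of`, the age limit DFARS 252.204-7019 places on a score in SPRS."""
    done = date.fromisoformat(assessment_date)
    try:
        expiry = done.replace(year=done.year + 3)
    except ValueError:            # 29 Feb rolled into a non-leap year
        expiry = done.replace(year=done.year + 3, day=28)
    return date.fromisoformat(as_of) <= expiry


if __name__ == "__main__":
    result = compute_score(SAMPLE_WEIGHTS, SAMPLE_FINDINGS)
    print(f"score: {result.score}")   # 110 - 1 - 3 - 5 = 101
    for req, points in result.deductions:
        print(f"  -{points}  {req}")
    print("current:", assessment_is_current("2023-03-01", "2024-03-01"))
```

Run it directly to print the sample score and its deductions. The two `ValueError` paths are the part worth copying: a `partial` finding on any requirement other than 3.5.3 or 3.13.11, or a requirement left unassessed, would silently inflate a score if it were not caught before the number goes to SPRS.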

Funding & Cost Sharing May Be Available for Heat Treaters

With the huge push for stricter cybersecurity practices by the government and many businesses, cost sharing and funding sources have been identified that may cover a substantial percentage of the costs associated with these critical cybersecurity projects. Every state has at least one MEP (Manufacturing Extension Partnership). Many states are more than willing to help out with the cost of implementation.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.


Find heat treating products and services when you search on Heat Treat Buyers Guide.com



Cybersecurity Desk: Performing Your Basic & Final NIST SP 800-171 Self-Assessments


For any heat treater interested in getting these high-security contracts, review the following steps that will help you successfully complete your basic and final self-assessment.

Today’s read is a Cybersecurity Desk feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s February 2022 Air & Atmosphere Furnace Systems print edition.


Introduction

Joe Coleman, Cybersecurity Officer, Bluestreak Consulting™ (Photo Source: Bluestreak Consulting™)

Do you plan to perform your NIST SP 800-171 self-assessment but need more clarity about what is involved? DFARS 252.204-7012 and the DFARS Interim Rule, including DFARS 252.204-7019, require every DoD contractor in the Defense Industrial Base (DIB) that processes, stores, and/or transmits CUI (Controlled Unclassified Information) and wants to be eligible for a contract award to complete a self-assessment (Basic Assessment) using the DoD’s NIST SP 800-171 Assessment Methodology and generate a points-based score. That score is then uploaded into the Supplier Performance Risk System (SPRS). Before awarding a DoD contract that contains the 7019 clause, the contracting officer verifies that a current score (one not more than three years old) is posted in SPRS.


Identifying and Defining Your Organization’s CUI

Your NIST SP 800-171 basic self-assessment should start by identifying where CUI enters, is stored in, and leaves your organization, and by mapping those flows onto your IT systems. Keep in mind that CUI is the umbrella category: Covered Defense Information (CDI), the term used in DFARS 252.204-7012, and Controlled Technical Information (CTI), a category in the CUI Registry, both fall under it.

Define the Scope of the Self-Assessment

Once you have identified all CUI, you are ready to scope the environment. First, determine which systems, applications, and business processes process, store, or transmit CUI; components that protect those systems (domain controllers, firewalls, backup servers, and the like) are in scope as well. Second, document how the data moves through your network.

NIST 800-171 Self-Assessment Procedure

You can find the assessment procedures for every requirement in NIST SP 800-171A. A self-assessment evaluates all 320 assessment objectives; each objective is a determination statement tied to a particular security requirement. The 320 objectives are spread across the 110 security requirements, which in turn are grouped into 14 control families. For scoring purposes a requirement counts as implemented only when every one of its objectives is met; there is no partial credit for a requirement that is half done.

Self-assessment methods include:

  • Examining: reviewing, inspecting, observing, or analyzing assessment objects (policies, configurations, records, and so on)
  • Interviewing: holding discussions with individuals to facilitate understanding, achieve clarification, or obtain evidence
  • Testing: exercising assessment objects under specified conditions to compare actual behavior with expected behavior

Organizations are not expected to use all assessment methods and objects in NIST 800-171A. Instead, they have the freedom to determine which methods and objects are best for them to get the desired results.

Must Have a System Security Plan (SSP)

One of the most important requirements for a successful self-assessment is having a System Security Plan (SSP). Without an SSP there is nothing to assess: under the DoD Assessment Methodology, the SSP requirement (3.12.4) carries no point value because the assessment cannot be conducted at all if the SSP does not exist.

The SSP describes the system boundary, how the system operates, how each security requirement is implemented, and the relationships with, or connections to, other systems.

Plan of Action & Milestones (POA&M)

To best protect CUI, organizations need to implement the security requirements to the fullest extent possible. When some requirements are not completely implemented, a POA&M must be generated. The POA&M lists the tasks needed to resolve each deficiency, along with the resources and timelines required. Note that a requirement with an open POA&M item is still scored as not implemented; the completion date you set in the POA&M is what you report to SPRS as the date by which you expect to reach a score of 110.

The purpose of the POA&M is to identify, assess, prioritize, and monitor the progress of corrective actions, allowing the organization to achieve the desired assessment score.

Next month we will discuss: “Submitting Your Basic Self-Assessment Score(s) To The SPRS.”

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.





Cybersecurity Best Practices: Dos and Don’ts

Cybercrime is, hands down, one of the fastest growing crimes around the globe, and it continues to affect organizations in every industry. Staying protected from cyberattacks is becoming ever more challenging: cyber criminals constantly look for ways to exploit your security vulnerabilities, and most organizations struggle to keep up with them.

This fourth article in the series, written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™, will give you a better understanding of some general cybersecurity best practices for all businesses, and a few tips on what you should and shouldn’t do.

This column is found in Heat Treat Today's December 2022 Medical and Energy print edition.


Joe Coleman, Cybersecurity Officer, Bluestreak Consulting™ (Photo Source: Bluestreak Consulting™)

What Are the Risks of Having Poor Cybersecurity?

It’s difficult to remain 100% protected 100% of the time, but the risks of failing to have proper cybersecurity are hefty. They include malware that wipes your systems; theft and sale of your data or your customers’ data; an attacker altering files on your systems; an attacker using your computers to attack others; and an attacker stealing credit card information to make unauthorized purchases.

12 Best Practices To Reduce the Chance of Cyberattacks

Follow these cybersecurity best practices to minimize the risks of cyberattacks and improve your cybersecurity:

  1. Use strong passwords: Use at least 12 to 16 characters, including upper- and lower-case letters, numbers, and special characters, and never reuse a password across accounts. Change a password whenever you have reason to believe it has been exposed; current NIST guidance (SP 800-63B) no longer recommends forced periodic changes, which tend to produce weaker, predictable passwords.
  2. Keep software up to date, including antivirus and antimalware: Install software patches as soon as they become available. Also, be sure to enable automatic virus definition updates to ensure maximum protection against the latest threats.
  3. Utilize a firewall: Firewalls can prevent some types of attacks by blocking malicious traffic before it reaches your computer. Enable the firewall on every endpoint and at the network perimeter, and configure it to block inbound connections by default, allowing only the traffic you actually need.
  4. Enable Multi-Factor Authentication (MFA) or 2-Factor Authentication (2FA): This gives you an additional layer of protection that helps to verify that you are an authorized user.
  5. Be suspicious of unexpected emails: Phishing emails are currently one of the biggest risks to a user. The goal of a phishing email is to gain information about you, steal money from you, or install malware on your device (if you click on something in the email).
  6. Use VPNs to ensure connections are private: To have a more secure and private network connection, use a VPN (virtual private network). Your connection will be encrypted, and your private information protected.

  7. Look for HTTPS on websites (instead of just HTTP): On a site that does not use HTTPS, nothing protects the information travelling between you and the site’s servers from being read or altered in transit.
  8. Scan external storage devices: External storage devices carry the same malware risk as internal drives. Always scan USB drives and other removable media before opening anything on them.
  9. Train your employees: If your cybersecurity program is to have any chance of working, your employees must be well trained and consistently following security best practices. It only takes one mistake. Teach your staff to recognize the different forms of social engineering, including a simple phone call asking for a username or password.
  10. Back up your important data: Critical data can be lost in an attack. Back up important data frequently to the cloud or to local storage (preferably both, with at least one copy kept offline where ransomware cannot reach it), and test that you can actually restore from it.
  11. Don’t use public networks: Avoid public networks, or connect through a VPN when you must use them. On public Wi-Fi at hotels, coffee shops, airports, and similar locations, anyone on the same network may be able to observe or tamper with your traffic.
  12. Use secure file-sharing to encrypt data: When sharing sensitive or confidential information, always use a secure file-sharing solution that encrypts the data. An unencrypted attachment can be read by anyone who intercepts the email.

Improve Your Cybersecurity Weaknesses

NIST SP 800-171 is an excellent best-practice framework, even if you are not in the DoD or military-related supply chain, for keeping your data and your customers’ data secure.

My fifth article in this Cybersecurity Desk series will be: “Performing Your Basic & Your Final NIST 800-171 Assessments.”

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe will be speaking at the Furnaces North America (FNA 2022) convention, presenting on DFARS, NIST 800-171, and CMMC 2.0. Contact Joe at joe.coleman@go-throughput.com.





Cybersecurity Desk: The DFARS Interim Rule and What It Means for Heat Treaters

As the next installment in this series on cybersecurity, this third article will give you a better understanding of the Department of Defense’s DFARS interim rule and its requirements.

Today's read is a Cybersecurity Desk feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today's November 2022 Vacuum print edition. Refresh with part 1 and part 2 in earlier editions.


Joe Coleman, Cybersecurity Officer, Bluestreak Consulting™ (Photo Source: Bluestreak Consulting™)

DFARS Interim Rule

On September 29, 2020, the Department of Defense (DoD) published the DFARS (Defense Federal Acquisition Regulation Supplement) interim rule under DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, with an effective date of November 30, 2020. The new clauses build on the existing DFARS 252.204-7012 clause, which has been in DoD contracts for years and whose deadline for full NIST SP 800-171 implementation was December 31, 2017.

The interim rule implements the NIST SP 800-171 DoD Assessment Methodology and the CMMC (Cybersecurity Maturity Model Certification) framework. The interim rule requires contracting officers to take specific action prior to awarding contracts, giving task or delivery orders, or extending an optional period of performance on existing contracts on or after November 30, 2020.

DFARS 252.204-7019 Clause: Notice of NIST SP 800-171 DoD Assessment Requirements

All DoD contractors in the Defense Industrial Base (DIB) must complete a self-assessment using the DoD’s NIST SP 800-171 Assessment Methodology and generate a points-based score. The score starts at 110 and drops by the weight (5, 3, or 1 point) of every requirement that is not fully implemented, so it can range from 110 down to -203. If the score is below 110, the contractor must create a POA&M (Plan of Action and Milestones) and report, along with the score in the Supplier Performance Risk System (SPRS), the date by which the security gaps will be remediated and a score of 110 achieved. Before awarding a DoD contract containing the 7019 clause, the contracting officer verifies that a score not more than three years old has been posted in SPRS.
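The scoring rule described above, and the self-assessment and POA&M steps laid out in the February column earlier on this page, as an added worked example. This is illustration code written for this page; it is not code from the article, from DoD, or from SPRS. It assumes a small subset of requirement weights copied from Annex A of the DoD Assessment Methodology (check them against the current published version before relying on them) and feeds in constructed assessment results; every requirement outside that subset is assumed to be implemented.

```python
"""Basic (self) assessment scoring for NIST SP 800-171, as reported to SPRS.

Added worked example, not code from the article or from DoD.  It applies the
scoring rules of the NIST SP 800-171 DoD Assessment Methodology: start at 110
and subtract the weight (5, 3 or 1) of every requirement that is not fully
implemented.  Partial implementation earns no credit, except for 3.5.3 (MFA)
and 3.13.11 (FIPS-validated cryptography), where a partial implementation
costs 3 points instead of 5.  The weights below are an assumed subset copied
from Annex A of the methodology; the results at the bottom are constructed.
"""
from __future__ import annotations

from enum import Enum

MAX_SCORE = 110   # every one of the 110 requirements implemented
MIN_SCORE = -203  # nothing implemented: the weights of all 110 sum to 313


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"              # only earns credit for 3.5.3 and 3.13.11
    NOT_IMPLEMENTED = "not implemented"


# Requirement -> weight.  Subset only; the real table has 110 entries.
WEIGHTS: dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain system audit logs
    "3.5.3": 5,    # MFA for privileged and network access
    "3.11.2": 5,   # scan for vulnerabilities periodically
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
    "3.14.1": 5,   # identify, report and correct system flaws in a timely manner
}

# Requirements where the methodology grants partial credit: only 3 of the 5
# points are deducted (MFA missing for general users only; encryption present
# but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# 3.12.4 is the System Security Plan.  It has no weight: without an SSP the
# methodology says the assessment cannot be conducted at all.
SSP_REQUIREMENT = "3.12.4"


def deduction(requirement: str, status: Status) -> int:
    """Points subtracted for one requirement given its implementation status."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL and requirement in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[requirement]
    # Any other partial implementation is scored as not implemented.
    return WEIGHTS[requirement]


def sprs_score(results: dict[str, Status]) -> int:
    """Compute the SPRS score from per-requirement results.

    `results` must cover every requirement in WEIGHTS plus 3.12.4; requirements
    outside WEIGHTS are assumed implemented.  Raises ValueError when the SSP is
    missing, because then no score can be produced.
    """
    if results.get(SSP_REQUIREMENT) is not Status.IMPLEMENTED:
        raise ValueError("no System Security Plan: assessment cannot be scored")
    missing = set(WEIGHTS) - set(results)
    if missing:
        raise ValueError(f"unassessed requirements: {sorted(missing)}")
    return MAX_SCORE - sum(deduction(req, results[req]) for req in WEIGHTS)


def poam_items(results: dict[str, Status]) -> list[tuple[str, int]]:
    """Requirements that need a POA&M entry, highest-weight gaps first."""
    items = [(req, deduction(req, st)) for req, st in results.items()
             if req in WEIGHTS and deduction(req, st) > 0]
    return sorted(items, key=lambda item: (-item[1], item[0]))


# Constructed sample assessment: MFA rolled out to administrators and remote
# users only, encryption in place but not FIPS-validated, CUI flow controls
# half done, and no vulnerability scanning yet.
SAMPLE_RESULTS = {
    SSP_REQUIREMENT: Status.IMPLEMENTED,
    "3.1.1": Status.IMPLEMENTED,
    "3.1.3": Status.PARTIAL,           # no partial credit here: full 1 point
    "3.3.1": Status.IMPLEMENTED,
    "3.5.3": Status.PARTIAL,           # 3 points instead of 5
    "3.11.2": Status.NOT_IMPLEMENTED,  # 5 points
    "3.13.11": Status.PARTIAL,         # 3 points instead of 5
    "3.14.1": Status.IMPLEMENTED,
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_RESULTS))
    for req, pts in poam_items(SAMPLE_RESULTS):
        print(f"POA&M item: {req} (-{pts} points)")
```

With the constructed results the script reports a score of 98 (110 minus 1 + 3 + 5 + 3) and lists four POA&M items, vulnerability scanning first. The important edge cases are the two that bite real self-assessments: a half-finished requirement other than MFA or FIPS loses its full weight, and an assessment without an SSP has no score at all.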

DFARS 252.204-7020 Clause: NIST 800-171 DoD Assessment Requirements

Along with the 252.204-7012 and 7019 clauses, the 7020 clause is approved for use in all DoD contracts. It requires contractors to give the government access to their facilities, systems, and personnel when the DoD needs to conduct or renew a higher-level assessment. The higher-level assessments are the Medium and High Assessments; the self-assessment conducted under the 7019 clause is the Basic Assessment.

Photo Source: Bluestreak Consulting™

A Medium Assessment is conducted by DoD personnel and includes a review of your System Security Plan (SSP) to check how each requirement is described as being met and to identify any language that does not adequately address a security requirement.

A High Assessment is conducted by DoD personnel onsite at the contractor’s location and uses the full NIST SP 800-171A (Assessing Security Requirements for Controlled Unclassified Information) to determine whether the implementation meets the requirements. Assessors review evidence and demonstrations such as recent scanning results, system inventories, baseline configurations, and a live demonstration of multi-factor authentication.

The 7020 clause also requires contractors to flow these requirements down to their subcontractors and suppliers: a contractor may not award a subcontract that involves CUI until the subcontractor has a current Basic Assessment score posted in SPRS. Just as the DoD may decline to award you a contract because of noncompliance, you may be unable to use a subcontractor or supplier because of theirs.

DFARS 252.204-7021 Clause: Cybersecurity Maturity Model Certification (CMMC) Requirements


This DFARS clause establishes CMMC in the federal regulatory framework. It requires CMMC to be included in all contracts, task or delivery orders, and solicitations, with very few exceptions. The CMMC level required is determined by the DoD and stated in the Request for Proposal. Contractors must maintain the appropriate CMMC level for the duration of the contract and must flow the requirement down to their subcontractors and suppliers. The CMMC certification is required at the time of contract award.

Watch For the Next Cybersecurity Desk Installment

My next article, number four in the series, will be: “General Cybersecurity Best Practices and What You Should and Should Not Do.”

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.





Cybersecurity Desk: Why and How To Become a Compliant Heat Treater

Cybersecurity: it’s important for more than just keeping checking accounts safe. Banks, government agencies, and online databases all require strict cybersecurity. But what about heat treaters? What are the cybersecurity requirements for heat treaters, and how can they become compliant?

Today's Technical Tuesday is a Cybersecurity Desk feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column series will have its debut in Heat Treat Today's September 2022 Trade Show print edition.


Do You Need To Be Compliant?

If you are a heat treater who provides services to a Department of Defense (DoD) contractor, or who is otherwise downstream in the DoD supply chain, this topic affects you, so read on for the details. Some of your customers may already have asked you about compliance. In this article and in future articles, we will answer the most frequent questions about how heat treaters can become and stay compliant with cybersecurity requirements and improve their overall cybersecurity health.

Discussions around DFARS compliance, NIST 800-171 implementation, and cybersecurity within federal defense contracting are becoming increasingly prevalent by the day. Although it seems like the conversation is only recently gaining steam, the DFARS mandate has been around longer than people realize.

The DoD is requiring all contractors, subcontractors, and suppliers to be DFARS 252.204-7012 and NIST 800-171 compliant. Don’t take a chance on losing current DoD contracts and losing future business because of noncompliance. Compliance is non-negotiable for heat treaters within the DoD supply chain.

Heat treaters trying to implement effective cybersecurity face particularly challenging circumstances: there are more devices (including mobile devices) than people, and attackers keep getting more innovative. Cybersecurity is the practice of protecting systems, data, networks, and programs from digital attacks. These attacks usually seek to access, change, or destroy sensitive information; extort money from users; or interrupt normal business processes. That is why the government is pushing cybersecurity harder than ever before, and why all of us need to be sure critical data and systems are protected and secured.

Here are several eye-opening statistics of how cybercrime affected SMBs (small to mid-sized businesses) from 2021:

  • Cyberattacks increased by nearly 300% since the beginning of the pandemic
  • 58% of cyberattack victims are small and mid-sized businesses
  • 60% of small companies go out of business within 6 months after a major security breach
  • 55% of ransomware attacks involve companies with fewer than 100 employees
  • 95% of cybersecurity breaches are a result of human error

What Is DFARS 252.204-7012?

DFARS 252.204-7012 is a DoD regulation that has become increasingly important for defense contractors and suppliers.

In its current form the clause dates from 2016. DFARS 252.204-7012 requires safeguarding and “adequate security” for Covered Defense Information (CDI), which is a form of CUI (Controlled Unclassified Information), by implementing the security requirements found in NIST SP 800-171.

DFARS 252.204-7012 further requires contractors to follow specific procedures after a cyber incident: report it to the DoD within 72 hours of discovery, preserve images of the affected systems and relevant monitoring data for at least 90 days, and give the DoD access to the affected systems and information on request.

What Is NIST SP 800-171?

NIST SP 800-171 is a NIST (National Institute of Standards and Technology) Special Publication that provides recommended requirements for protecting the confidentiality of CUI in non-federal organizations. Defense contractors must implement the 110 security requirements in NIST SP 800-171 to demonstrate the adequate security for Covered Defense Information (CDI) that DFARS 252.204-7012 requires in their defense contracts. If a manufacturer is in the supply chain of the DoD, the General Services Administration (GSA), NASA, or another federal agency that flows down CUI protection requirements, implementing NIST SP 800-171 is a must.

The deadline to be fully compliant with NIST 800-171 was December 31, 2017. But it’s not too late.

Photo Source: Bluestreak Consulting™

Even if a heat treater is not a DoD contractor or in the DoD supply chain, NIST 800-171 is a great "best practice" standard for any organization to improve overall cybersecurity health. This will help in obtaining future orders because customers will know critical data is secure. Explaining NIST 800-171 in depth, and each of the specific control areas, is beyond the scope of this article, so, be on the lookout for a future article on this specific topic later in this series of articles.

Consequences of Failing To Comply With DFARS 7012 and NIST 800-171

Heat treaters willing to move forward with these cybersecurity initiatives by the DoD will have an overwhelming impact on the DoD supply chain and your business. If many heat treaters in the U.S. choose to not embrace the mandatory requirements, the DoD and DoD contractors will award contracts solely to the few heat treaters who do choose to become compliant. Poor cybersecurity practices can result in hacking, loss of company data and critical customer data, and attacks by malware, viruses, and ransomware. All of this can result in major damage to the business and loss of customers, not to mention being liable for all losses and paying significant fines.

Complying with DFARS 7012 and NIST 800-171 is a requirement for all DoD contractors, subcontractors, vendors, and suppliers. The DoD has now begun confirming that contractors and subcontractors are compliant before awarding additional contracts. Navigating NIST 800-171 and DFARS is a complex and challenging — but necessary — step in this process.

Watch for Future Articles in Heat Treat Today Covering the Following Topics:

  • DFARS 252.204-7012 and NIST SP 800-171 Explained for Heat Treaters
  • DFARS Interim Rule Explained (DFARS 252.204-7019, 7020, and 7021)
  • General Cybersecurity Best Practices and What You Should and Should Not Do
  • Performing Your Basic & Your Final NIST 800-171 Assessments
  • Submitting Your Assessment Score(s) to the SPRS (Supplier Performance Risk System)
  • CMMC 2.0: The New Changes and How To Become Certified
  • How To Safely and Securely Work From Home and Work Remotely
  • If You're Not Using 2FA or MFA, Your Data and Your Customer’s Data Is Not Secure
  • . . . and many more cybersecurity topics curated for heat treaters

Can You Afford Compliance? Funding and Cost Sharing for Heat Treaters

With the huge push for cybersecurity by the government, cost sharing and funding sources have been identified that may cover a substantial percentage of the costs associated with these critical cybersecurity projects.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe will be speaking at the Furnaces North America (FNA 2022) convention, presenting on DFARS, NIST 800-171, and CMMC 2.0. Contact Joe at joe.coleman@go-throughput.com.



