Understand Your ERP Deployment Options Related to Department of Defense (DoD) Cybersecurity Requirements
An interesting phenomenon has been taking root in recent years, in which the government has added cybersecurity requirements related to United States Department of Defense (DoD) secrecy. It is well known that other countries understand the technological superiority of U.S. manufacturers and the DoD. As a result, these foreign entities will do whatever they can to hack their way into anyone’s systems, including yours, to gain access to government-controlled confidential information. Therefore, the DoD now has a long list of requirements that set a high level of security for manufacturers in the United States. These requirements start with allowing access to DoD CUI (Controlled Unclassified Information) and unclassified CTI (Controlled Technical Information) only to individuals who are U.S. citizens residing in the continental United States and extend far deeper into protecting CUI from cybersecurity attacks.
As a prime defense contractor or sub-contractor, under the U.S. Defense Federal Acquisition Regulation Supplement (DFARS), it is understood that manufacturers must meet strict requirements for CUI protection to comply with the National Institute of Standards and Technology Special Publication NIST SP 800-171 (commonly called NIST 800-171).
Extending beyond U.S. borders, over 25 countries worldwide are considering DFARS compliance, so the need for managing CUI is global.
What is NIST? Its purpose is to provide security requirements for protecting the confidentiality of CUI when the CUI is resident in non-federal information systems and with organizations such as contractors.
These security requirements apply to protecting the privacy and security of information including that used by your Enterprise Resource Planning (ERP) software, and all related endpoints.
Understanding DoD Compliant Deployment Options
What does this mean for hardware deployment options? Simply put, there are hackers out there who will do what they can to get and sell confidential information from your systems as well as those of cloud providers. This is so concerning to the DoD that they will not certify manufacturers for DoD contracts unless the manufacturer can certify that its data is located in the United States, that the data is managed and accessible exclusively by U.S. citizens who reside in the U.S., and that it has sufficient cybersecurity mechanisms in place to prevent cyberattacks, including controlling the endpoints of the information (email, thumb drives, etc.), and to respond to potential threats. These requirements apply to cloud, hosted, and on-premise deployments.
Here is the question for you — Is anything you are doing in your manufacturing organization so secret and confidential (whether DoD or customer information) that you would be concerned with the potential of hackers trying to access the related intellectual property?
If yes, some providers, like Amazon, have certified options for DoD hosting of systems (Amazon AWS GovCloud) and a much less business-intrusive and less expensive option for CUI document storage (Amazon S3 GovCloud). Those providers comply with the U.S. DoD requirements. Infor provides an AWS GovCloud SaaS hosting alternative for SyteLine/CloudSuite Industrial. As another option, The Lake Companies provides an Amazon S3 GovCloud storage solution to manage and control access to CUI content.
There is a price to pay if your systems are hacked and CUI is extracted. This can result in the total loss of DoD contract work, no matter where your organization is in the DoD supply chain. What’s at stake is the value of the controlled information you retain on your systems.
Cyberattacks are becoming far more commonplace than any of us are comfortable with. These bad actors will not stop in their relentless pursuit of intellectual property, whether for the DoD, or any other market that is filled by the manufacturing industry. We expect customers in industries that are outside the DoD industry to begin adopting the cybersecurity standards and requirements set forth by the DoD — it is just a matter of time.
Next Steps
Our team at The Lake Companies works tirelessly to ensure that each of our clients is equipped with the right deployment model to meet their internal desires and industry-specific requirements. If you would like to discuss your ERP deployment options further, including your DoD CUI and other valuable business information, please contact us today. Our team will be happy to provide you with more detailed information on your options and answer any questions!
If you are looking for additional information on general ERP deployment options, including SaaS (Software as a Service), Private Cloud, and/or On-Premise, you can find more information on our blog about those deployments here.