FEATURE | ADVANCED MATERIALS & PROCESSES | MAY/JUNE 2023

CYBERSECURITY FOR HEAT TREATERS

A string of cybersecurity requirements from the U.S. government could pose a threat to heat treaters who fail to comply.

Joe Coleman, Bluestreak Consulting, Delafield, Wisconsin

Don't be one of those companies that continue to delay the required implementation of enhanced cybersecurity practices. Especially now, with the ever-growing threat of cyberattacks, it is critical to secure not only your company's data but also your customers' data. Failing to do so could jeopardize current contracts and prohibit future business if customers ask for proof of compliance.

Businesses that process, store, or transmit controlled unclassified information (CUI)[1] are required to implement National Institute of Standards and Technology (NIST) Special Publication 800-171, Revision 2[2] under the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012[3]. The deadline set for complying with NIST 800-171 was December 31, 2017. The good news is that it's not too late. If a company handles CUI in any way, it must both become NIST 800-171 compliant and receive Cybersecurity Maturity Model Certification (CMMC)[4] to continue to be awarded Department of Defense (DOD) contracts (Fig. 1).

These requirements are now receiving a lot of attention, which is putting pressure on businesses that deal with CUI. Many companies have put this off for years, while others simply were not aware of the requirements. But recently, several businesses have had current contracts pulled and are ineligible for new contract awards until they become compliant. Generally, the NIST 800-171 implementation process takes 9 to 12 months to complete. Complying with NIST 800-171 is not only for those that handle CUI; it is also a best practice for protecting and safeguarding your systems, networks, and data (Fig. 2).

DFARS 252.204-7012

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is a flow-down clause that obligates DOD prime contractors to ensure their operations and supply chains meet NIST 800-171. All covered contractor information systems not operated on behalf of the government were required to implement the security requirements outlined in NIST SP 800-171; customer and DOD audits are already happening. To meet these requirements, obligated companies must demonstrate acceptance of DFARS 252.204-7012 by their subcontractors and suppliers and must also show that adequate due diligence was performed.

NIST SP 800-171

Complying with NIST SP 800-171 is a requirement for all DOD primes and contractors, and for anyone in their downstream supply chain of service providers. Not complying with NIST 800-171 suggests a company is practicing poor cybersecurity methods and not keeping up with competitors. Some customers may have already asked whether your company is compliant, and if not, they soon will.

Fig. 1 — Compliance with DFARS, NIST SP 800-171, and CMMC is an essential part of cybersecurity for heat treaters with government contracts.

Fig. 2 — Facts about cyberattacks on businesses.