At FTP Today, we get asked a lot about aerospace cybersecurity. Whether the question is who regulates aerospace or how to be compliant in the industry, it is critical to understand how the industry works.
At the center of the aerospace cybersecurity field is the Aerospace Industries Association, or AIA.
In this article, we will explore who the AIA actually is, what role they play in the aerospace industry, and what regulations or standards they have put into place to promote aerospace cybersecurity.
Who is the AIA?
The Aerospace Industries Association (AIA) is a trade association representing the different branches of the aerospace industry – commercial aircraft, helicopters, space systems, etc. Since its founding in 1919, the AIA has documented the history and helped shape the trajectory of the aerospace industry.
The AIA is made up of CEO-level representatives from the approximately 350 member organizations. These representatives are tasked with supporting and furthering the best interests of the industry, while also supporting national security and the U.S. economy.
To accomplish these goals, the AIA often works closely with the U.S. government to ensure aerospace safety and security, and overcome emerging challenges faced by aerospace organizations and employees.
According to the AIA, the organization works to “advocate for effective federal investments; accelerated deployment of innovative technologies; policies that enhance our global competitiveness; and recruitment and retention efforts that support a capable and diverse 21st-century workforce.”
Why is the AIA important to aerospace cybersecurity?
One challenge facing the aerospace industry that the AIA has taken steps to tackle is emerging cybersecurity vulnerabilities. As with many industries, cybersecurity threats are growing more sophisticated each day, making it difficult to keep pace with and stay ahead of these threats.
Unlike with some other industries, however, cybersecurity threats to the aerospace industry could result in loss of human life. While the monetary loss is also a threat, cybersecurity breaches could mean the weaponization of airplanes, helicopters, drones, and more. The stakes are much higher for the aerospace industry than many of its counterparts.
So, what role does the AIA play in promoting aerospace cybersecurity? The AIA, though an independent entity, does have a supportive relationship with the Department of Defense in the fight for cybersecurity in aerospace. The DoD and the AIA have worked collaboratively to develop comprehensive, dynamic aerospace cybersecurity measures to protect against even the most sophisticated threats.
In the past, the aerospace industry has used the DoD implementation of NIST SP 800-171 as a guide to the security protocols needed to protect against hackers. While this may have worked then, further measures are needed today to defend against hackers who are smart, well equipped, and persistent in their threats. NIST SP 800-171 also made compliance difficult for smaller members of the aerospace industry, who did not have the corporate structure or resources to properly comply with the publication's requirements. The cost and complexity of compliance were simply too high.
In addition to the burden of compliance on smaller industry members, there was also a lack of uniformity in compliance. While NIST SP 800-171 was one option for security control compliance, there was no overarching Federal Acquisition Regulation cybersecurity rule to regulate how acquisitions were made. Without all the proper regulations in place, it was nearly impossible to standardize security compliance across the entire industry.
To bring greater clarity to cybersecurity for the aerospace industry, the AIA developed NAS9933, a National Aerospace Standard, to supplement DoD requirements. NAS9933 was drafted primarily for this industry.
The goals of NAS9933 were first to maintain cybersecurity in the industry, but also to make data security processes repeatable and cost-effective. NAS9933 offers guidance on how to achieve a state of security beyond basic compliance controls.
What other standards has the AIA created?
NAS9933 is not the only standard that the AIA has created to ensure the aerospace industry is safe, efficient, and organized. Other standards have been created to regulate the handling of:
- NAS parts (bolts, rivets, washers, screws, nut plates, pins, knobs, etc.)
- Safety Management Systems (NAS9927)
- Nondestructive Test Personnel certification (NAS410)
- Hazardous materials management (NAS411)
- Foreign Object Debris (FOD) prevention (NAS412)
- Cutting tools (drills, reamers, end mills)
- Airport Operations (NAS3306)
- Trade Compliance Standards (TCS)
Is NAS9933 Compliance Mandatory?
AIA standards are voluntary measures designed to promote cybersecurity. However, it is wise for aerospace contractors and subcontractors to align with the guidelines in NAS9933.
According to the AIA, NAS9933 was developed with two purposes in mind:
- “To provide industry partners with an indication of a company’s cybersecurity profile, as a way to measure a company’s cybersecurity risk.
- To enable reciprocity across industry and critical infrastructure sectors, so that a company’s level of cybersecurity is universally accepted by all whose work supports national interests.”
The intent behind NAS9933 was to develop a baseline of security standards for the aerospace industry. Cybersecurity is maintained by having repeatable processes by which standards are regularly assessed and updated to ensure they’re working properly.
How Does NAS9933 Promote Cybersecurity?
The AIA lays out a number of cybersecurity priorities for NAS9933. These priorities include:
- Maintaining collaboration between the industry and the U.S. government. This collaboration helps the government to enact the appropriate security measures, without putting undue burden on aerospace contractors and subcontractors. Compliance is essential, but security controls should also be reasonable based on the resources of each aerospace industry member.
- Establishing the means to manage, track, and report threats. Aerospace contractors and subcontractors should be able to detect a data breach, mitigate the risk through quick action, and report the incident as soon as possible. With the proper defenses in place, organizations should be able to accomplish this goal quickly and easily.
- Tailoring NIST SP 800-171 to the needs of specific organizations. By using a risk management-based approach to cybersecurity, companies can tailor the security controls outlined in NIST SP 800-171 to their specific requirements.
- Designating and marking CDI. CDI, or Covered Defense Information, in the possession of aerospace contractors and subcontractors is a highly desirable target for today’s hackers. By designating CDI, you’re able to protect it first. You can gather all CDI into one location and prioritize it for protection.
- Identifying the most important CDI for protection. Protecting the most important and most sensitive CDI first means you’re prioritizing this aspect of data security. After you’ve built a foundation of data security protecting the most important CDI, you can incorporate additional security measures to protect other sensitive CDI, as well.
Staying compliant in all aspects of cybersecurity is critical to working successfully with contractors and the Department of Defense as a whole. FTP Today has helped hundreds of organizations with their compliance needs. To get started, we recommend downloading our free Government Compliance Guide.