Aerospace Up Against Deadline on Cybersecurity

The clock is ticking for Southern California’s legion of aerospace suppliers to get in line or get left behind on new cybersecurity standards issued by the Department of Defense.

The stringent new rules go into effect at the end of December and come in response to several high-profile cyber thefts of American military equipment designs.

The recent breaches – which included theft of stealth fighter technology – prompted the Department of Defense to call on suppliers to drastically upgrade their IT systems with stricter cybersecurity measures when handling defense-related information.

Industry executives and experts indicate progress has been spotty among small subcontractors, a crucial link in the aerospace industry’s supply chain. That’s prompted worries that an unknown number of aerospace manufacturers within Los Angeles County’s vast supplier base risk being locked out of defense contracts.

Compliance with the new standards issued under the Defense Federal Acquisition Regulation Supplement, or DFARS, could require a substantial investment of time and money in information technology systems. Many small subcontractors don’t have those resources, said David Blanco, president of Performance Ascent Inc. of Irvine, a consultancy that works with aerospace suppliers throughout Southern California.

“Cybersecurity is really an anomaly to (small manufacturers) – it’s really hard for them to get their arms around this, especially when they don’t have internal resources,” Blanco said. “For suppliers that don’t have an IT department, or IT person, or aren’t contracting IT, then it’s doubly hard because they are starting from the ground up.”

Jobs generator

The aerospace segment accounts for much of the manufacturing sector in Los Angeles, the largest single industry in terms of employment, with more than 300,000 jobs countywide, according to the state Employment Development Department. Several aerospace giants that are prime contractors for the Department of Defense – Falls Church, Va.-based Northrop Grumman Corp., Lockheed Martin in Bethesda, Md., Boeing Co. in Chicago, and Raytheon Co. of Waltham, Mass., among others – have significant operations here, and count on numerous smaller, local subcontractors in their supply chains.

The Department of Defense has made prime contractors responsible for ensuring that they and their subcontractors are compliant with its cybersecurity standards.

Some of the prime contractors have offered to help subcontractors meet the new standards.

Raytheon – which has significant operations in Los Angeles County, including its Space and Airborne Systems division in El Segundo – spent the last year offering free cybersecurity assessments of its suppliers’ IT systems.

Raytheon is still eyeing the end of the year deadline cautiously, said Josh Douglas, chief strategy officer of Raytheon Cyber Services in Boston.

“We have a multitude of suppliers across the board at various different levels (of compliance). Some that have been very diligent in seeing that hit the requirements, some that need a little assistance,” he said. “There are still suppliers in the industry, be it Raytheon’s or others, that still have some confusion on what they need to deliver.”

The Pentagon concluded that its supplier base was vulnerable to cybertheft after the Chinese military produced and flew a stealth jet fighter in 2011 that looked a lot like the U.S. military’s F-22 Raptor and another one in 2012 that looked a lot like the F-35 Joint Strike Fighter. The Department of Defense responded by raising the cybersecurity requirements for its entire supply base of contractors and subcontractors.

“Over the past 10 years we’ve seen a tremendous loss of property to other foreign nations through cyberattacks,” said George Kamis, Herndon, Va.-based federal sector chief technology officer of Forcepoint, a cybersecurity subsidiary of Raytheon. “This forces subcontractors to protect their information.”

Passwords and protocols

The Pentagon’s upgraded regulations require contractors to implement 110 cybersecurity standards. Measures include limits on information system access, encryption of controlled information on mobile devices and multi-factor authentication of users. Contractors also have 72 hours upon discovering and verifying a cyberattack to report the incident to the Department of Defense and must preserve information systems impacted by a cyberattack for up to 90 days, so that investigators can assess the damage forensically.

The cybersecurity regulations are intended to lock down controlled unclassified information regulated by laws such as the United States’ International Traffic in Arms Regulations or designated “For Official Use Only.” Such information falls short of needing to be classified, but could help U.S. foes reverse engineer, disrupt production of, or target vulnerabilities in military hardware and software.

Generally, any information that a subcontractor receives or creates related to a defense contract will be regulated by the Pentagon’s new cybersecurity controls, said Susan B. Cassidy, partner with law firm Covington & Burling in Washington, D.C.

“Anything that you develop or get from the Department of Defense you can’t share publicly,” she said. “The definition of that is something that many people are struggling with because it’s a pretty broad definition.”

Middle ground

The Department of Defense acknowledged that many industry suppliers might not be able to get fully up to snuff by year’s end when it posted an interim rule about the upgrade in December 2016.

But contractors must nevertheless conduct a cybersecurity assessment and enact an action plan for updating their IT systems by Dec. 31, said Covington’s Cassidy.

“If on Dec. 31 a contractor has a system security plan that specifies its status and its plan to get to full compliance… they will have met the regulatory requirement,” she said. “They don’t want thousands of contractors in breach of their contracts.”

Even the preliminary assessment might be a challenge for small businesses without in-house expertise in cybersecurity, said Brian Berger, executive vice president of Commercial Cyber Security for Cytellix in Aliso Viejo, the cybersecurity division of Information Management Resources Inc., which works with manufacturers in Los Angeles County.

“Every time I talk to a new company about doing this their preparedness is pretty low,” he said. “A lot of them say, ‘This is overwhelming for me. I run a machine shop. I make parts. Where do I go?’”

Some businesses are contracting outside cybersecurity firms and law firms to help assess the security of their IT systems, said Berger. He cautioned, however, that businesses cannot just pay to make their problems go away – they should begin to consider cybersecurity an ongoing part of their operations.

“Every day there is a new problem or challenge with cybersecurity,” he said. “It’s not a one and done.”