Cybersecurity and UAS
By Vince Scott, founder of Defense Cybersecurity Group
January 26, 2021
Is this you? Just completed a Phase I SBIR on UAS related technology. The DOD sponsor says, "We love you, have budgeted for your Phase II, but you need to get your cyber stuff done." What cyber stuff?
The Department of Defense (DoD) is launching a new cyber model that will impact every UAS company that sells to DoD; the Cybersecurity Maturity Model Certification (CMMC). The standards have changed somewhat, but the key difference will be an accountability mechanism driven by independent third-party assessments. This will have an impact down to the ultimate subcontractor, so even companies who do not think of themselves as DoD contractors will be affected, and other Federal departments are following the DoD’s example. Cyber inspections are coming, and if you are anywhere in the DoD or other Federal supply chain you should understand the likely requirements.
CMMC follows a tiered 1-5 model and all suppliers will require at least a level 1 certification. The requirements depend on the type of information you hold or create, and UAS companies, particularly those researching new technologies with DoD funding or application will generate information that needs protection. Compliance is not always straightforward, so look for qualified advice to make sure that you fully understand what you are and are not obligated for!
Every UAS company that sells to the DoD or DoD Prime’s needs to take a fresh look at their cyber program, understand the new and forth coming requirements, and start preparing now for your first assessment. Those will require work and time! You cannot start too soon. For more information visit the DoD FAQ, or the CMMC Accrediting Body.
About the author — Vince Scott is the Founder of Defense Cybersecurity Group, a service-disabled veteran owned small business. He is a graduate of the U.S. Naval Academy and a 21-year Navy veteran with extensive ISR and cyber experience.