Abstract

The Office of the Inspector General (OIG) for the US Department of Defense (DoD) released Audit of the Cybersecurity of Department of Defense Additive Manufacturing Systems (DODIG-2021-098) [1] in July 2021, to determine whether DoD [sites] secured additive manufacturing (AM) to prevent unauthorized changes and ensure the integrity of the design data. The audit report recommends requiring all to obtain an authority to operate in accordance with DoD policy before their use [1], and requiring AM system owners to immediately identify and implement security controls to minimize risk until obtaining an authority to operate [1]. The DoD Chief Information Officer (CIO) responded that existing DoD regulations require both of these for all IT systems, including systems [1]. Such cybersecurity rules can help guard against vulnerabilities such as design file theft or digital thread hacking, as well as unauthorized prints on that can impact the safety and integrity of parts used in defense systems, expose critical intellectual property to bad actors and even cause manufacturing facilities to shut down. To improve system vendors' understanding of these cybersecurity requirements for DoD and the US Government (USG), we discuss in this paper the process for obtaining an Authority To Operate (ATO) certification for an IT system per DoD and USG cybersecurity regulations, i.e., the Risk Management Framework (RMF) process from the US National Institute of Standards and Technology (NIST) [2]. We also describe resources for system vendors to understand and implement the RMF process for obtaining an ATO certification, particularly in the DoD environment.

[1] Department of Defense Office of Inspector General. 2021. Audit of the Cybersecurity of Department of Defense Additive Manufacturing Systems (DODIG-2021-098). https://www.dodig.mil/reports.html/article/2683843/audit-of-the-cybersecurity-of-department-of-defense-additive-manufacturing-syst/ Full report at: https://media.defense.gov/2021/Jul/07/2002757308/-1/-1/1/DODIG-2021-098.PDF

[2] NIST Information Technology Laboratory Computer Security Resource Center. 2021. About the Risk Management Framework (RMF): A Comprehensive, Flexible, Risk-Based Approach. https://csrc.nist.gov/projects/risk-management/about-rmf
