AIA NAS9924

INTRODUCTION

Supply chain companies are important to the aerospace and defense industrial base. Suppliers may have unique capabilities that are vital to aerospace and defense programs.

Aerospace and defense companies have been dealing with the threat of cyber intrusion for the past several years. As companies have increased the security of their IT network defenses, the attackers are now being driven to softer targets where they may find some of the same type of data that they previously had sought from these companies. The adversary is also using the collaborative relationships between the aerospace and defense companies and their suppliers as a "back door" as the defenses get better. Companies further down the supply chain may not have had the opportunity or expertise necessary to fully prepare to defend their systems from these attackers, but the result of the increased defenses in the major suppliers is that the attacker may target their suppliers based on their vulnerabilities. This document was designed to be a supplier baseline so that suppliers know what kind of security they need to have if they want to do business with aerospace and defense companies.

Who should use this document?

This standard practice is written to be used by the aerospace and defense supply chain. It provides basic information that a supplier can use to:

• assess themselves on their information technology security practices;

• determine their preparedness for cyber threat risk management for their customer; and

• assess the risks presented by their own suppliers.

Through the process of self-assessment suppliers can determine where their strengths and weaknesses exist.

This document should be used by any supplier that is interested in protecting their data from disruption or exfiltration. There are three distinct tiers of supplier that could benefit from this standard practice. These tiers are defined as:

Tier1: Suppliers that operate without a dedicated Information Technology professional on staff nor do they have a dedicated Information Technology Security professional. (Questions 1-5)

Tier 2: Suppliers with a dedicated Information Technology professional on staff, but have no dedicated Information Technology Security professional. (Questions 1-17)

Tier 3: Suppliers that have both dedicated Information Technology professionals and dedicated Information Technology Security professionals on staff. (Questions 1-72)