Manufacturers in the United States perform more than three-quarters of all private-sector R&D in the nation, driving more innovation than any other sector. Being the driving force for economic growth and innovation does not come without its challenges—protecting intellectual property (IP) and meeting NIST Cybersecurity Framework requirements are chief among them.
The first, protecting IP, cannot be overstated in terms of value—it is the lifeblood of any company. In fact, IP theft costs U.S. companies as much as $600 billion each year. When it comes to protecting proprietary information in the manufacturing industry, cybercrimes targeted at companies are designed to not only steal IP but cause physical disruption to operations and produce black-market replicas. Therefore, understanding what puts your organization at risk, and how to mitigate those risks is essential for data protection and security.
Sharing data is essential for collaboration but the more service providers, contractors and third-party suppliers that come in contact with your IP, the more at-risk you become. Over the last year, 56% of organizations have had a breach that was caused by one of their vendors.
Aging patchworks of vendors and equipment combined with perimeter-only security is an open invitation for cyberattackers.
Modernizing the supply chain with end-to-end encryption will ensure unauthorized parties—such as competitors or attackers—will not be able to access your proprietary data, like confidential R&D plans and product roadmap details.
For manufacturers servicing the US government, protecting IP and sensitive data is not just a best practice, it is required for NIST 800-171 compliance.
The National Institute of Standards and Technology (NIST) is a non-regulatory government agency that provides a set of standards for recommended security controls for information systems to federal agencies. As such, the standards set forth by NIST are a critical resource for security among manufacturing companies that are a part of any government supply chain.
The main benefit of NIST compliance is that it helps to ensure an organization’s infrastructure is secure. Therefore, compliance with NIST guidelines—specifically NIST 800-171—has quickly become a top priority for organizations handling controlled unclassified information (CUI) such as emails, drawings, patents, personnel records, sales orders, or contracts. NIST 800-171 aims to help organizations that are a part of the government supply chain ensure that their systems that process CUI are secure and controlled. That means that a private sector firm—such as a hardware manufacturer that supplies the federal government— is subject to the requirements laid out in NIST 800-171.
NIST 800-171 is comprised of 14 control families that establish guidelines for protecting CUI when stored and transmitted by non-federal systems and organizations:
On September 9, NIST released the Preliminary Draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. Building on the widely adopted Cybersecurity Framework, the companion Privacy Framework will help organizations address the privacy risks and legal obligations associated with designing and deploying products and services. The Cybersecurity Framework has been critical in establishing a common lexicon for cybersecurity in government and industry as well and hopefully the final Privacy Framework can achieve this same goal.
As the convergence of privacy and security grows in response to public concern over the multitude of unauthorized data access incidents, NIST has been careful to honor the current cybersecurity guidance while adding privacy best practices to address the increasing need for data protection. NIST recognizes that cybersecurity risks arise from unauthorized activity while privacy risks are a byproduct of authorized data processing and that both play a role in a holistic data security strategy.
As the above Venn diagram illustrates, the application of the proposed Privacy Framework aims to address privacy risks associated with both data processing and privacy breaches. The Core functions of the Privacy Framework—Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P, where the -P refers to privacy-focused activities—are designed to offer organizations flexibility when addressing privacy risks:
NIST recognizes the importance of collaboration between privacy and security teams, and encourages organizations to view the proposed, voluntary framework with flexibility and apply it based on the maturity of the organization’s current privacy program. While some may use the framework as guidance for a new privacy program, others will see it as a means of identifying gaps in a current program. Ultimately the framework should serve as a guide for balancing innovative uses of data while minimizing negative consequences for employees, customers and partners.
First things first, evaluate your current infrastructure to determine where you are currently NIST compliant and where you need to improve. Based on this gap analysis, you’ll see what changes you need to make and which features to look for in selecting a solution to help protect IP and CUI.
From the beginning, Virtru’s mission has been to protect privacy by securing data and helping organizations securely share data to achieve mission success. Modern data protection requires data-centric protection that persists with the data, including access controls and policy management. With end-to-end encryption, organizations can ensure sensitive data is protected at the object level, reducing your organization’s risk of IP theft, and helping to achieve NIST 800-171 compliance. As a FedRAMP authorized solution provider, Virtru can help you achieve data-centric protection and compliance goals, all while enabling an ecosystem that ensures secure data sharing and collaboration
Get in touch with us to learn more about how Virtru helps with NIST compliance and protecting your IP.
See Virtru In Action
Sign Up for the Virtru Newsletter
Contact us to learn more about our partnership opportunities.