The Aerospace Industries Association (AIA) has released a risk-based cyber security standard aimed giving companies in the aerospace and defense industry set of baseline security controls that can evolve with changing threats and provide a shared comfort level within the industry and government that accepted cyber security practices are being achieved.
The National Aerospace Standard (NAS9933) complements existing controls established by the National Institute of Standards and Technology that are also accepted by the Defense Department. However, these are “modest” in terms of risk management because even if all of the controls aren’t met, a contractor can still receive a government contract as long as they show what requirements have been satisfied and how they plan to achieve the remaining ones, AIA said.
The standard creates a more dynamic approach in that it has different capability levels for companies to adopt and then adapt to the risks they are facing. The 22 control families contained in NAS9933 each have critical security sub-controls categorized into five capability levels, with Level 3 being the minimum 4 and 5 being higher-level objectives, according to AIA.
Jason Timm, AIA’s assistant vice president for National Security Policy, said the AIA standard applies to companies’ networks and infrastructure.
The standard is available through AIA's website for $60 for a secure or print copy or $96 for both.
This article was originally published in Defense Daily, a sister publication to Avionics. It has been edited.