New Cybersecurity Requirements Impact Michigan Manufacturers



The risks are enormous and potentially devastating. According to IBM, small and mid-sized businesses are hit by cyber-attacks about 4,000 times a day. The U.S. National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyber-attack.

As a result of increased concerns about cyber-attacks, manufacturers with contracts with the Department of Defense (DoD), General Services Administration (GSA) or NASA must be compliant with defined cybersecurity requirements no later than December 31, 2017.

Since 2009, Congress has added more information security requirements in the National Defense Authorization Act, and the National Institute of Standards and Technology (NIST) has produced several iterations of cybersecurity standards. The DoD, GSA and NASA have implemented these measures through changes to policies, the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).

Today, there are new standards for companies handling “Controlled Unclassified Information,” or CUI. This data can be considered government-proprietary. It is information the government wants held secure, but is not vital to national security. FAR now is implementing cybersecurity requirements on contractors handling CUI—a far broader set of companies than those doing classified work.

What represents adequate security for CUI under FAR? The set of minimum cybersecurity standards is described in NIST Special Publication 800-171 and broken down into 14 areas:

  • Access Control
  • Awareness & Training
  • Audit & Accountability
  • Configuration Management
  • Identification & Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System & Communications Protection
  • Systems & Information Integrity

In each of these 14 areas, there are specific security requirements that contractors MUST implement by year’s end.

Remove the weak link.
Companies with fewer than 100 employees generally are very capable in the manufacturing and/or fabrication of products. However, they often lack resources in information technology and physical security, particularly associated with cyber-attacks that clearly pose a threat to the viability of small to mid-sized manufacturers.

According to the Ponemom Institute, the average price for small businesses to clean up after they have been hacked stands at $690,000; and, for middle market companies, it is more than $1 million.

Cybercriminals target small businesses because they are easy, soft targets to penetrate. They steal information to rob bank accounts via wire transfers; steal customers’ personal identity information; file for fraudulent tax refunds; and commit health insurance fraud.

In addition to the fundamental financial threat of cyber-attacks, small to mid-sized manufacturers now face the double threat of losing their respective government contracts should they not conform to the NIST 800-171 standards by December 31, 2017.

Don’t risk losing business. The Center is your best defense.
The Michigan Manufacturing Technology Center has launched a new cybersecurity practice area designed specifically to meet the needs of the state’s small and mid-size manufacturers. Our team of cybersecurity experts will assess a client’s vulnerabilities and tailor a plan specifically for each company’s internal capabilities, budget and time sensitivity. If you have questions about cybersecurity standards, contact our experts at or visit

Additional Resources
Defense Cybersecurity Requirements: What Small Businesses Need to Know 
(U.S. Department of Defense)

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST)

Since 1991, the Michigan Manufacturing Technology Center has assisted Michigan’s small and medium-sized businesses to successfully compete and grow. Through personalized services designed to meet the needs of clients, we develop more effective business leaders, drive product and process innovation, promote company-wide operational excellence and foster creative strategies for business growth and greater profitability. Find us at

Categories: cybersecurity