Recognising the critical importance of cybersecurity
What does Cybersecurity mean?
Cybersecurity is about protecting networks, systems and data from ever-evolving malicious threats and attacks.
Why is it important?
BAE Systems, in common with the rest of the Aerospace and Defence sector, is an attractive target for cyber-attacks, not only because of the information and technology we generate in the work we do for our customers, but also because of the sensitive information we are entrusted with and hold on behalf of our customers and partners.
As with other businesses, those in the Aerospace and Defence sector face increasingly sophisticated and customised cyber-attacks, which are often targeted directly at them. These attacks continue to rise in frequency and their impact can be massive. Even a relatively minor breach could have severe consequences for a business's reputation and finances, and potentially for national security.
It is therefore imperative that our suppliers recognise the critical importance of cybersecurity and ensure they have the appropriate controls in place to protect the information that they hold and generate in the work they do for us and our customers.
What is being done about it?
To better protect sensitive information in the defence supply chain from this threat, a number of new regulatory and contractual requirements have been, or are planned to be, implemented by the UK Ministry of Defence through the Defence Cyber Protection Partnership (DCPP), by the U.S. Federal Government through a new safeguarding clause in the Federal Acquisition Regulation (FAR 52.204-21), and by the U.S. Department of Defense through new rules on safeguarding and cyber incident reporting in the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012).
These new requirements specify security controls that affected suppliers must implement across the networks and systems on which relevant information is held or generated, so that the information is adequately protected. Some of the requirements also prescribe a set process for reporting cyber incidents to the relevant authorities.
Will this impact you?
It is imperative that our affected suppliers are able to implement, and where applicable have already implemented, the security controls required to comply with these new contractual requirements.
The new cybersecurity clauses in the FAR and DFARS are already being flowed down to our suppliers in the relevant contracts. These clauses set out clear requirements for how information is to be protected and how cyber incidents are to be reported; in particular, the DFARS clause requires the NIST SP 800-171 controls to be in place and cyber incidents affecting covered defense information to be reported to the Department of Defense within 72 hours of discovery.
Whilst the DCPP is yet to be fully launched, all new Ministry of Defence contracts that contain ‘MOD Identifiable Information’ are likely to require a level of compliance with DCPP standards.
Additionally, where suppliers are not yet caught by the regulations and contractual requirements, our cyber risk management processes will incorporate our own supplier cyber assessment model, which parts of our business will use to assess the extent to which nominated suppliers have implemented, or are implementing, cybersecurity measures.
What are we doing about it?
We are committed to raising awareness of the critical importance of cybersecurity and the security controls contained in the new requirements that will be flowed down the supply chain.
Additionally, as cyber risk management becomes a more integrated part of our standard supplier management process, areas of potential vulnerability in the supply chain will be highlighted, giving us greater oversight of the steps you are taking to build protection and address the potential threats to our and our customers' information.
Ultimately, however, responsibility for cybersecurity within your business, and for compliance with the relevant regulatory and contractual requirements, must rest with you, our suppliers.