Marine Machinery Association-Meeting Minutes September 19, 2017 Hyatt Regency Baltimore Inner Harbor Baltimore, Maryland

ATTENDEES

A list of all attendees is attached separately.

18 September 2017

1730 A working meeting and dinner was held at Camden Yards. After dinner we witnessed the first place Red Sox beat the Orioles 10-8 in 11 innings. Some made it until the 10th inning; it was a long but fun game to watch.

19 September 2017

0815 Call to Order by John Rhatigan, Chairman of the Marine Machinery Association. At this time the evolution of Cyber in the past year was discussed and Mr. Jeff Roth of NCC Group was introduced. NCC Group is a global expert in cyber security & risk mitigation. Jeff has quite a background with manufacturing, the military and NASA. He has been associated with computer forensics for much of his career and was on the NASA Challenger disaster audit team. His contact info is: Jeff Roth, Southeast Regional Director, Risk Management & Governance North America, NCC Group, M: 321.795.0391.

0820 Introduction of all MMA members present.

0830 Presentation by Jeff Roth on all aspects of Cyber and the implementation of NIST Special Publication 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations. Jeff gave a nice background of the current state of Cyber. One aspect that was interesting is that NIST 800-171 Rev A has NOT been released yet. It is still under review and its exact release date has yet to be determined.
Please see the attached presentation for the outline of Jeff’s presentation. Some of the notable words of wisdom that I picked up from the meeting are the following:

• Cyber is not just an “IT thing”; it’s a “Business thing”. A bonus of Cyber is that it will help you protect your intellectual property (IP).
• It’s not too late to get your Cyber system in place by the end of the year, even though it might not be completed by then.
• Depending on your contract, all of your subcontractors may have to have Cyber flowdowns, even if you don’t send them any CUI. Certain primes (NNS was discussed as one) will mandate that you have the Cyber clause in your subcontracts “in case” you may send them CUI in the future.
• While some SP 800-171 rev 1 requirements may not be currently applicable, you will still need to document these not applicable items within your System Security Plans. Example: just because you don’t have a wireless network does not mean you don’t have to have wireless controls within your Cyber plan, or at least have them on your Plan of Action and Milestones (POA&M). What may be not applicable today may become applicable in the future. Remember this is a living document and follows the life cycle of your business and IT processes.
• The key to making Cyber as inexpensive as possible is to “minimize your footprint where CUI is stored, processed and transmitted”. Only let those with a need to know access your CUI, and minimize your CUI. One example was to keep your ERP systems separate from CUI if at all possible.
• Outsourced IT, Cloud services, Labs, and Universities all fall under the CYBER rules. If you use outside outsourced services that store, process or transmit CUI, they must be compliant with the NIST rules.
• Discussions are currently taking place about DCMA possibly being tasked with auditing vendors/contractors to verify that the required SSP and POA&M are in place. They have already started training on how to audit. He expected the first audits to occur in the latter half of 2018. This may take a while to get to your local DCMA inspectors. Regardless of the DCMA’s activities, your Prime contractor vendor quality audits may start to pick this up even sooner.

1200 Working Lunch.

1230 Jeff continued to present and take questions. He stated that in his opinion 2018 will bring many changes to the Cyber world and that firms will have to continuously fine-tune their cyber defense as new threats arise. A final version of NIST 800-171 Revision A will be out shortly.

1415 Final wrap-up and meeting was adjourned.

Summary: In my opinion this was a great value-add event for the MMA. Our presenter was an expert in the field and everyone felt comfortable asking him tough questions. I have personally been to Cyber meetings in DC and many of the Cyber Web events that have been put on by the shipyards, DOD and Homeland Defense/Security. I felt the government- and shipyard-sponsored events only addressed the big picture and did nothing to address some of the “nitty gritty” necessary to become compliant by the end of 2017. Jeff did a great job and I, for one, left with a wealth of knowledge I did not have prior to the meeting.

