Messaging App Security and Information Privacy


Many users take messaging app security for granted when sending text messages, voice messages, photos, and videos.  However, not all apps secure messaging data equally.  This is a concern for both organizations and individuals who wish to ensure the confidentiality, integrity, and authenticity of information transferred between authorized users.

Elements of Messaging Security

Messaging app security has many facets, each of which is important to achieving data security.  

Encryption

Encryption scrambles data into an unreadable format before it is sent to its intended recipient, protecting it in transit.  The encrypted data is then decrypted into its original intelligible format when received.  To accomplish this, encryption keys are shared between the sender and the recipient.  

There are various types of encryption and decryption in use; some are more secure than others.  The two major types used today are symmetric and asymmetric encryption.  Symmetric encryption uses a single key for data transfer.  Asymmetric encryption, the stronger of the two, uses two keys: a public key that is shared between users to scramble data, and a private key that is not shared and is used to return the data to its original format.
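In practice a messaging client uses the two together: asymmetric keys to agree on a secret that is never transmitted, then a symmetric authenticated cipher to protect each message so that confidentiality, integrity, and authenticity all hold. The following Go program is an added illustration, not code from any app named on this page; the X25519 key agreement, AES-GCM, the `messaging-demo-v1` derivation label and the sample message are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Party models one user's device: the private key never leaves it, only the
// public key is handed out.
type Party struct{ priv *ecdh.PrivateKey }

// NewParty generates a fresh X25519 key pair (the asymmetric half of the scheme).
func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicKey is the shareable half, sent to contacts in the clear.
func (p *Party) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// aead derives the shared AES-256-GCM key from our private key and the peer's
// public key. Both parties compute the same key; it is never transmitted.
func (p *Party) aead(peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("messaging-demo-v1")) // constructed label, binds key to this protocol
	h.Write(shared)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Envelope is what travels over the network. The ciphertext ends in a GCM
// authentication tag, so any change to it, the nonce or the sender key is caught.
type Envelope struct {
	SenderPub  []byte
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt protects plaintext for the holder of recipientPub (the symmetric half).
func (p *Party) Encrypt(recipientPub, plaintext []byte) (*Envelope, error) {
	gcm, err := p.aead(recipientPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{SenderPub: p.PublicKey(), Nonce: nonce}
	env.Ciphertext = gcm.Seal(nil, nonce, plaintext, env.SenderPub) // sender key as AAD
	return env, nil
}

// Decrypt returns the plaintext, or an error if the envelope was altered in
// transit or was not produced with one of the two private keys.
func (p *Party) Decrypt(env *Envelope) ([]byte, error) {
	gcm, err := p.aead(env.SenderPub)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.SenderPub)
	if err != nil {
		return nil, errors.New("message rejected: authentication failed")
	}
	return pt, nil
}

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	env, _ := alice.Encrypt(bob.PublicKey(), []byte("constructed sample message"))
	pt, err := bob.Decrypt(env)
	fmt.Printf("bob reads %q, err=%v\n", pt, err)
	env.Ciphertext[0] ^= 1 // simulate one flipped bit in transit
	_, err = bob.Decrypt(env)
	fmt.Println("after tampering:", err)
}
```

A third device with its own key pair derives a different key and is rejected the same way a tampered message is, which is the property the "private key is not shared" sentence above relies on.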

Password Protection 

Some messaging apps require a password to protect information.  This adds another layer of security should a device be lost or stolen.  

Multi-factor Identification

Multi-factor identification has become a common feature for enterprise security management.  This provides assurance that access is open only to authorized parties.

Message Deletion

Many apps have the capability to destroy messages automatically after a determined amount of time.  This feature, although included in an app, may require activation in its settings.  Here again, this feature can provide an additional layer of security if a device is stolen or lost.  

Message deletion functionality can vary greatly across app providers.  Some apps, such as Signal and Telegram, allow users to delete messages on both sides of a conversation.  Others, such as Apple iMessage, only allow deletion of messages from one device.  Additionally, iMessage only allows deletion of entire chats, not a single message.

Data Collection

Many providers of messaging apps collect a user’s metadata.  Metadata is in essence data about data.  This data can include names, numbers, email addresses, timestamp data, source, and destination information. 

Many providers of apps such as Google Messages profit by selling metadata to other companies.  Other providers such as Signal, Threema, and Session encrypt metadata to protect it from external viewers.

This data can also be accessed by other organizations such as the Federal Bureau of Investigation (FBI).  While FBI access may be a reason for concern, this data cannot be obtained without a warrant or subpoena.

Protection Against External Attack

As with other forms of electronic data transfer, messaging app security is subject to malware, viruses, and phishing.  Once a device is compromised by these attacks, other devices or networks sharing information can be affected.  Apps selected for use should be resilient to attacks and possibly be supplemented by anti-malware apps.

Open Source Code

Much has been written about the value of applications that have publicly available source code.  These platforms are generally considered to be more reliable because they are open to peer review from security experts.  This creates an increased level of trust, in that users can have a higher expectation that vulnerabilities and hidden backdoors do not exist in the product.

This is a major consideration when choosing a messaging app as many popular apps use closed source code.  These include Google, Apple, Facebook, and Skype.  Providers that do use open source include Signal, Threema, Wire, and Session.

Video Encryption

While video is not generally associated with messaging, there are video messaging apps.  Video calls, however, are widely used and can expose far more personal data than a text message.  Many apps do not provide end-to-end encryption.  If video messaging is desirable and privacy a concern, Wire is an open source provider that encrypts data.

Special Concerns for Organizations

Employee data access often can cross lines between business and personal usage.  Where the protection of sensitive data is concerned it is important that organizations protect devices by blocking unapproved apps and communicating to employees the inherent risks through policies, guidelines, and education.

It is also important to realize that controls that prevent data breaches, such as encryption, can also prevent cyber security controls from detecting data loss or leakage.  Policies and controls in place in an Information Security Management System (ISMS) should take these risks into consideration.

No system is stronger than its weakest link, and all too often that link is the human operating a device.  Again and again organizations have fallen prey to the least sophisticated scams and suffered severe data breaches.  Continual education of people at all levels should reinforce best practices such as not using public Wi-Fi, not sending sensitive information over messaging apps, not clicking on links in messages, and keeping devices secured.

There are numerous options when selecting an appropriate app for an organization’s messaging needs.  While product reviews can be helpful in making these selections it is important to remember to check that the desired security features are enabled in the system settings.

Conclusions

Collaborative tools have become more essential as business models have incorporated remote workplaces.  Organizations that rely on apps to promote collaboration must therefore critically assess their employees’ habits to weigh and balance risks.

There are no easy answers when selecting the perfect app.  Generally however, it would be wise to avoid providers whose business models are centered around the collection of user information.  This would include companies such as Google, Facebook, and Microsoft. 

CVG Strategy Information Security Management System Consultants

We can help your organization protect its sensitive information with an Information Security Management System.  An Information Security Management System is a collection of policies, procedures, and controls that systematically address information security in an organization.  It is a framework based on risk assessment and risk management.  

The most widely recognized and instituted ISMS in the business environment is ISO 27001.  It shares many of the features of a quality management system such as ISO 9001.

CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives, including messaging app security.  This process includes defining the context of your organization, creation of internal auditing processes, and much more.  Contact us to learn more.

EMC for Space Systems – AIAA S-121A-2017


AIAA S-121A-2017 is a test standard based on military standards MIL-STD-461 and MIL-STD-464 that addresses EMC for space system requirements.  This standard relies heavily upon appropriate tailoring in the development of a test plan.

EMC and Space System Applications

The burgeoning New Space Economy is providing opportunities for a wide array of product developers to provide equipment and subsystems designed for space missions.  These systems must be robustly designed to be suitable for missions where high reliability is essential.  The American Institute of Aeronautics and Astronautics (AIAA) has created this standard to provide designers with an adequate tool to conduct verification and validation testing for electromagnetic emissions and susceptibility. 

AIAA S-121A Testing

An emphasis in this standard’s test protocols is the testing of actual flight hardware in representative modes of operation.  This means that special attention must be focused on defining these methods and creating the necessary off chamber interfacing hardware to control and monitor the Equipment Under Test (EUT).  Furthermore, test planning should include the identification and documentation of risks and intended mitigations that will serve as a baseline for stakeholders’ decisions and rationale.

Test Requirements for Units and Subsystems

Requirements are normally tailored by the procuring agency to reflect the needs of a specific program.  These requirements include the following parameters:

  • Conducted Interference for audio frequencies
  • Conducted interference for radio frequencies (50 kHz to 20 MHz)
  • Common mode emissions from power and signal cables
  • Antenna conducted emissions
  • Transient conducted emissions
  • Conducted susceptibility for power leads, antenna ports
  • Conducted susceptibility for bulk cables
  • Radiated Emissions for audio, magnetic, and radio frequencies
  • Radiated Susceptibility for magnetic and radio frequencies
  • Conducted Susceptibility for lightning transients 
  • Conducted Susceptibility from Personnel-Borne Electrostatic Discharge (ESD)

Special Test Requirements for AIAA S-121A

Test requirements and procedures for space applications can often exceed those of the military standards from which this standard was derived.  This is often the case for radiated emissions, where the limits for certain frequency bands are extremely low.  To achieve these measurements, tailored testing involving scans at reduced Resolution Bandwidths (RBW) is required.  Performing these tests requires detailed communication with test facilities to ensure that testing is performable and to calculate the time required for test performance.

CVG Strategy Experts

Our experts at CVG Strategy have extensive experience in EMI/EMC testing for a number of industries and products, both military and commercial.  We also have expertise in testing for space requirements including AIAA S-121A.  Our industry experts can assist in developing tailored test plans, test witnessing and troubleshooting.  We can also provide design analysis and guidance for space applications.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Quality Management Systems.

Opportunities for Improvement – Internal Audits


Opportunities for Improvement – Internal Audits and Management Review

Opportunities for improvement can be identified during the performance of a Quality Management System (QMS) Internal Audit.  When findings are analyzed with a critical review by management, valuable insights can be gained into increased profit, efficiency, and customer satisfaction. 


The Benefits of Effective Auditing

Often an internal audit is viewed by management as an interruption to the normal flow of business.  Employees can be apprehensive about sharing insights or participating fully because they fear that confidentiality is not ensured.  The truth of the matter, however, is that when planned and executed in a proper fashion the internal audit can cause minimal interruption and maintain the confidentiality of those who provide comments.

In essence, an internal audit should objectively and impartially evaluate the outputs of processes to ensure that these processes are meeting the planned expectations and goals of the QMS.  

By taking the opportunity to take an impartial look at a process, internal auditors can identify problems that could go unnoticed during day-to-day activities.  In addition, they will be able to identify issues with linkages between processes that can cause inefficiency, thereby identifying opportunities to improve the overall effectiveness of the QMS.   Taking action on these improvement opportunities can lead to cost savings and increased profitability.

Third Party Internal Audits

Third party internal audits can provide fresh insights into an organization’s opportunities.  A third party auditor will not only have exceptional experience and expertise in the auditing process, but will also have perspectives gained from auditing other entities.  More importantly, an external auditor will not be limited by the internal politics and culture of the organization, thus ensuring a greater degree of objectivity.  Additionally, third party internal audits are useful if an organization’s team members are not available to conduct an audit.

Management should be active in establishing parameters when performing an audit with an auditor outside of the organization.  These include defining the criteria, scope, and objectives of the audit.  They should have previous audit reports available for review, especially any findings.  Once these boundaries have been established, management should ensure that the required time and resources to conduct the audit are available.  

Effective Management Review

Once an audit has been completed, management should review findings and recommendations.  While this process is often limited to problem solving of nonconformities and corrective actions, time should earnestly be spent evaluating areas of improvement.  These areas of improvement can range from changes to corporate governance, improvements to work environments, and improvement of organizational communication skills.

Opportunities Are Everywhere

Every workflow or process has opportunities for improvement.  Organizations that strive to realize these opportunities endeavor to engage their entire workforce in providing feedback, thereby creating an organizational culture of continuous improvement.  This is because front-line workers can provide a more granular perspective than an organization’s managers and senior leaders.  

CVG Strategy ISO 9001 Consultants

CVG Strategy, a quality consultancy firm, can help your organization implement an ISO 9001 system effectively and painlessly.  Our consulting services will guide you through all phases of QMS, from assessment and development to the certification process.  This includes:

  1. GAP Analysis and Reporting
  2. QMS Plan and Schedule
  3. Training
  4. Preparation of Procedures, Work Instructions, Forms and Policy
  5. Internal Auditor Training
  6. Coaching and Implementation
  7. Pre-Audit Support
  8. Post-Audit Support

CVG Strategy also provides for the inclusion of statutory requirements for export compliance in your program.  A compliance program is a requirement for both the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR).  Ask our experts how we can incorporate this feature into your quality management system.

There are many consulting companies providing support in ISO 9001:2015. What sets CVG Strategy apart from the rest is our approach. We fine-tune our statement of work depending on your capability and goals. Some clients have us serve as an advisor while they generate the documentation and implement the program themselves.

Many of our clients outsource the Quality Manager role to one of our experts, and we write the quality manual and supporting documentation set and provide all the training.  Some use our expertise to include other quality guidelines and standards in their ISO 9001:2015 QMS, including food, hazardous materials, and Department of Defense.

Other Quality Management Systems

CVG Strategy has experience in a large number of quality management system standards.  In addition to ISO 9001:2015, our Exemplar Global Lead Auditors can assist you in designing and implementing a QMS to the following standards:

  • AS9100
  • ISO 27001
  • ISO 13485:2016
  • FDA Title 21 Part 820
  • EN ISO 14971:2019

CVG Strategy can provide a QMS that incorporates multiple quality standards.  This includes incorporating management strategies for ensuring compliance with industry regulations such as EU Directive 98/79/EC for medical devices.


Tech Standard Development Open to U.S. Companies


The United States Standards Strategy (USSS) supports the development of economic growth through the development of standards.  This development is open to participation by U.S. companies in their respective sectors. 

Originally published in 2000, the USSS was formerly the National Standards Strategy for the United States (NSS).  It coordinates the efforts of industry stakeholders in the development of standards to ensure a sound U.S. economy and infrastructure.  The American National Standards Institute (ANSI) board of directors oversees this undertaking.

The Role of Standards in Technology

Rapidly evolving technologies present challenges for the world.  Standards are created to establish minimal criteria for functionality, interoperability, and safety.  They also establish methods of test and evaluation to ensure those criteria are met by products.  Because these standards affect the manner in which products are specified, it is important that U.S. national security and foreign policy interests are represented in their formation.

A consumer product must be tested and certified by the manufacturer or importer to be in compliance with applicable standards for the specific countries in which the product is to be sold.  While many standards can be harmonized for North America and Europe, more extensive testing is often required for a product to meet a global market.

Important Considerations for Future Standards

Because technology is controlling more and more critical functions, it is important that it functions safely and reliably.  This is especially the case for technologies like autonomous vehicles and medical devices.  The ability of devices to not interfere with each other and to coexist operationally is of increasing concern.  Standards must be created, and must evolve, to keep pace with rapidly developing technologies and airwaves that are becoming busier with wireless communication.

Artificial Intelligence (AI) and robotic applications are other technology sectors that will require relevant and effective standards to meet regulatory and market needs to safeguard the public.

The Importance of U.S. Involvement

Making tech standard development open to U.S. tech firms allows major technology developers to shape the industry, based on expectations of future product capabilities.  U.S. product standards are often accepted as a baseline for the creation of international standards. To establish a vision of the future that incorporates national and international priorities it is essential to engage diverse U.S. interests.  This should be approached with consensus, openness, and transparency in the standards community. 

Department of Commerce Secretary Wilbur Ross stated “The United States will not cede leadership in global innovation. This action recognizes the importance of harnessing American ingenuity to advance and protect our economic and national security.  The Department is committed to protecting U.S. national security and foreign policy interests by encouraging U.S. industry to fully engage and advocate for U.S. technologies to become international standards.”

Directions in Standard Development

As Tech Standard Development opens to the public, industry and government should work together to identify coordinated solutions.  These solutions should address public health, the environment, and safety.  Resultant standards should reflect the concerns of consumer groups and academia for energy efficiency, product quality, health, and safety.  

The U.S. standards community should promote the adoption of their endeavors by participating in international standard organizations.  This is of particular importance in working to prevent standards from forming trade barriers to U.S. products.

CVG Strategy

Our experts at CVG Strategy have extensive experience in Environmental/Dynamic and EMI/EMC testing for a number of industries and products.  We can perform testing for both military and commercial products.  CVG Strategy specializes in Independent Developmental Testing and Evaluation including development of Test Plans, Test Procedures, Test Witnessing and Troubleshooting.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Quality Management Systems.

MIL STD 810 Shock Test Methods Are Numerous


MIL-STD-810 Shock Methods and Procedures

MIL-STD-810 contains numerous shock methods and procedures that provide laboratory simulations of real world events.  Mechanical shock can adversely affect the integrity of a component, especially if the frequency content of the shock coincides with the natural frequencies of that component.

To ensure effective developmental test and evaluation of a product, it is important to understand these types of shocks, their characteristics, and how they could potentially affect the product to be tested.  Methods for evaluation in MIL-STD-810 include:

  • Shock
  • Pyroshock
  • Gunfire Shock
  • Ballistic Shock
  • Rail Impact

Method 516.8 Shock

Method 516.8 Shock has eight different procedures:

  • Functional Shock – Tests equipment in its operational modes to evaluate its ability to perform as intended during and after exposure to mechanical shock.
  • Transportation Shock – Tests equipment against shocks expected during transportation.  Ground vehicle profiles are often used due to their severity.
  • Fragility – Procedure III (Fragility) is often performed early in the development cycle to establish the fragility level of a design so that shipping and packing designs can be adequately developed.
  • Transit Drop – Tests equipment’s ability to endure drops encountered during loading and unloading.
  • Crash Hazard Shock – This procedure verifies the integrity of mounts and fasteners to prevent equipment mounted in air or ground vehicles from creating hazards during shocks encountered in a crash event.  This often employs classical shock test waveforms.
  • Bench Handling Shock – Shocks commonly encountered during packaging and maintenance.
  • Pendulum Impact – This procedure is used to evaluate the effects of horizontal impacts on large shipping containers.
  • Catapult Launch/Arrested Landing – This tests materiel mounted on aircraft that operate from aircraft carriers.

Method 517.3 Pyroshock

Pyroshock testing is performed to assess materiel’s ability to operate as intended and survive when operating near detonated explosive devices.  This method has five procedures that vary in accordance with the closeness of the explosive shock and the method of applying that shock.  The shock can be administered using actual explosions, mechanical test devices such as those used in shipboard shock test machines, electrodynamic shakers, or beam resonant shock machines.

Pyroshock presents particular challenges for designers in that it has a shock response spectrum ranging from 100 Hz to 1 MHz.  These shocks can range from 300 to 200,000 g.  Because of the high frequencies encountered, effects of pyroshock can include damage to small electronic components and relay chatter.  High frequencies can also generate piezoelectric effects that can cause unexpected operation of materiel.

Method 519.8 Gunfire Shock

Gunfire shock testing is used to evaluate a component’s ability to withstand high rate repetitive shocks from gunfire.  This method is not intended to replicate the effects of large single shot weapons such as large naval guns.  To adequately tailor a test plan it is important to know what specific weapon is being employed, what its rate of fire is, and where the materiel to be tested is located with respect to the gun.  Measured data from the component location on the intended platform is preferred for replication in the laboratory setting.

Method 522.2 Ballistic Shock

Ballistic shock is the shock experienced when a projectile impacts an armored surface.  This testing is limited to equipment intended for use in armored combat vehicles.  As with pyroshock, ballistic shock has a very broad band of frequencies with high acceleration and poses special concerns for electronic devices. 

Testing can be performed with actual projectiles being fired at armor hulls and turrets (testing performed on a military base).  Usually, however, testing is performed using various types of shock machines such as those used in MIL-S-901 Shipboard Shock.

Method 526.2 Rail Impact

Rail Impact testing is used to evaluate tie-down methods for systems that will be transported on rail cars.  The impact of concern is that which occurs during the coupling process.  These tests are performed using a locomotive and a cushioned draft car on which the test item is secured.  The test car is conveyed at speeds of 4, 6, and 8 mph and collided into an upweighted draft car with its brakes set.

Choosing Appropriate MIL-STD-810 Shock Methods

Because time and money are limited resources, decisions must be made as to which testing will be performed.  While requirements can offer a degree of clarity into relevant test methodology selection, a thorough assessment must be made through a Life Cycle Environmental Profile (LCEP) to develop an effective test matrix. 

The LCEP will map all anticipated logistical, tactical, and operational shock events and offer appropriate parameters for test selection and severity.  These inputs, combined with requirements and measured data, are then placed into an Environmental Issues/Criteria List (EICL).  Selection can then be made based on a risk assessment that weighs the product’s vulnerabilities against the probability that an environmental stress will occur.

Characteristics of Shock Types

Mechanical shocks are generally events that have a short duration of under a second and are usually limited in frequency to below 4 kHz.  Other types of shock, such as Pyroshock (Pyrotechnic Shock), Ballistic Shock, and Shipboard Shock (MIL-DTL-901), can have much higher frequency components. 

As noted above, pyroshocks typically are less than 20 milliseconds in duration with a frequency range of 100 Hz to 1 MHz.  Therefore consideration must be given to the test item’s vulnerability to shock frequency content as well as to g-forces.

Making the Decisions

MIL-STD-810 provides guidance for the selection of appropriate test methodologies.  This allows for the development of systems in a timely fashion without excessive testing and over-engineering.  When selecting, for example, appropriate scenarios for Transport Drop in tactical situations, look at those with the greatest impact velocity and then make a risk assessment as to which of these would pose the greatest threat to the test item based on the probability of the event occurring. 

CVG Strategy Can Help

Our team of test and evaluation experts can assist you in creating a meaningful test program that meets requirements and prevents costly failures at the operational test stage.  CVG Strategy provides an array of services to help you with environmental and EMI/EMC testing.  We also offer classes in MIL-STD-810 to help you keep current with the latest developments in this important standard.


Packaged Product Methods of Evaluation


Preventing Product Damage Due to Shipping

Utilizing packaged product methods of evaluation can greatly reduce losses due to shipping damage and increase customer satisfaction.  According to Packaging Digest, between 2 and 11 percent of packaged products arrive at a distribution center with some damage.  In many cases this damage could be avoided by ensuring that packaging materials and methods are suitable for the product being shipped.

A wide variety of standards exists for rating and evaluating product packaging.  Many of these standards include laboratory test methods to verify containers and unitized loads.  The American Society for Testing and Materials (ASTM), the International Safe Transit Association (ISTA), and the Technical Association of the Pulp and Paper Industry (TAPPI) have test standards that allow evaluation of boxes, cartons, and unitized loads placed on pallets.

Numerous international standards are also available through the International Organization for Standardization or ISO.  These standards include test methods for impact, drops, compression due to stacking, and vibration. 

ASTM Standards for Packaging

ASTM has many test standards for testing containers’ abilities to withstand dynamic stressors expected during shipping.  These include vibration and drop shock.  ASTM D5276 Standard Test Method for Drop Test of Loaded Containers by Free Fall is such a standard. 

This standard is applicable to loaded boxes, bags, sacks, and cylindrical containers weighing 110 lbs (50 kg) or less.  It replicates the stresses induced by containers that are handled manually and subjected to free fall drop.

Other standards such as ASTM D999 and ASTM D4728 have been developed to test packaging containers for the effects of vibration.  These test methods can use PSD profiles derived from MIL-STD-810 for truck shipment.

ASTM D7386 Standard Practice for Performance Testing of Packages for Single Parcel Delivery Systems evaluates the ability of shipping units to endure drop impacts, vibration, bridged impact, hazard impact, high altitude, concentrated impacts, tip over impacts, and rotational edge drops.

ISTA Standards for Packaged Products

ISTA standards include a wide variety of packaged product methods of evaluation.  These methods address the requirements for individual packaged products and palletized loads.  For some standards in the series, severities are varied depending on whether the shipment stays within the United States or is international.  

Test methodologies include vibration, inclined or horizontal impact, rotational flat and edge drop, compression, flat push testing for palletized loads, bridged impact, corner drop, face drop, and edge drop.

The key to using this set of standards is to understand the distribution environment of the packaged product so that distribution hazards can be identified.  It is also important to monitor products currently being shipped for the types and frequency of damage.  When improvements are required, appropriate test methods can then be selected to evaluate those changes.

The Limitations of Cardboard

Cardboard, while an excellent choice for many packaging needs, has vulnerabilities.  These issues include crushing, piercing, poor water resistance, compression during stacking, and failure when overloaded.  These vulnerabilities are aggravated by warm, humid conditions.  

When evaluating the environmental stressors likely to be encountered by a shipped product it is important to remember that storage or transport may occur in uncontrolled environments where humidity and high temperatures are present.  For this reason, all the standards mentioned here include atmospheric conditioning at varied temperature and humidity levels.

Growing Demand for Containers

With a marketplace more reliant on online sales, cardboard is increasingly in demand.  Worldwide production of cardboard is increasing to meet this demand, and prices for cardboard packaging are increasing.  As consumers and OEMs strive towards more environmentally sustainable behaviors, it is predicted that the overall use of plastics in packaging will decrease, placing further demands on the cardboard industry.

New packaging development solutions are being sought to address environmental sustainability in transport packaging.  As these packaging designs are brought to market, it is essential that they provide adequate protection to products.  

The Importance of Testing

Testing of shipping materials and methods is a cost-effective way to avoid problems, given the expense and loss of customer satisfaction generated by product damaged in shipment.  While laboratory methods are not exact replications of the hazards associated with shipping, they have been developed through observations and field studies and are widely accepted.

Most of these tests provide simple pass/fail criteria, but when a test plan has been tailored to specify acceptable damage it can meet the product manufacturer's requirements.  Furthermore, where testing may be unfeasible, analysis can often be used to determine the ability of packaging to protect the shipped product.

Ultimately, performing packaged product methods of evaluation provides important data that can be used to demonstrate your organization’s commitment to reducing the risk of damaged product.  This data can also be used as a baseline for quality management assessments of shipping and packaging procedures.

CVG Strategy Product Test and Evaluation

CVG Strategy has experience in developmental test and evaluation for a wide variety of industries including military and automotive.  Because of this, we understand the need to look beyond a test-to-pass perspective.  We can help develop a test program that will return meaningful data and verify a product's ability to survive harsh environments.

We also have extensive experience in environmental, EMI/EMC, and electrical compatibility testing for both military and commercial products.  CVG Strategy specializes in Independent Developmental Testing and Evaluation including development of Test Plans, providing Test Witnessing, and Analysis.  We also provide MIL-STD-810 Training Seminars and Webinars to enable product developers to create tailored test programs.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Quality Management Systems.

Cybersecurity Maturity Model Certification (CMMC)

What is Cybersecurity Maturity Model Certification?

The Office of the Under Secretary of Defense for Acquisition & Sustainment has released the Cybersecurity Maturity Model Certification program.  The program will be made effective in new programs released by the Department of Defense (DoD) and will be a requirement for product and service providers.  This program has been formed to enhance the protection of unclassified information within the supply chain.  This information can be broken down into the following categories:

  • Federal Contract Information (FCI) – Information provided by or for the Government that is not intended for public release
  • Controlled Unclassified Information (CUI) – Information that requires safeguarding as defined by various government policies, regulations and laws.

The CMMC is a cooperative effort between the DoD and industry to provide a set of processes and practices, drawn from multiple cybersecurity standards and frameworks, to protect information. 

The Importance of CMMC

The security of CUI in the Defense Industrial Base (DIB) has long been a source of concern for the DoD.  By establishing the CMMC framework, criteria for cybersecurity requirements and basic cyber hygiene can be established for DoD contractors. 

CMMC requirements are largely based on NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.  There are, however, other requirements, including FAR 52.204-21.

Changes in Certification Requirements CMMC 2.0

In March 2021, an internal review of CMMC’s implementation resulted in a refinement of CMMC policy and program implementation.   These changes resulted in reducing CMMC levels from five to three.  The levels currently proposed are:

  • Level 1 – Foundational is comprised of the 17 practices described in FAR 52.204-21 and requires an annual self-assessment.
  • Level 2 – Advanced is comprised of 110 practices which are aligned with the NIST SP 800-171 Revision 2 standard.  This is a set of security practices and security standards for non-governmental organizations that handle CUI.  It requires that a third-party assessment be conducted every three years for information deemed critical for national security.  It also requires an annual internal assessment.
  • Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 standard and includes further controls.  There is also a requirement for triennial assessments conducted by government representatives.  

The newly released requirements for assessments should support businesses in adopting CMMC.  The new requirements will reduce costs for companies at Level 1 and some companies at Level 2 by allowing self-assessments to demonstrate compliance.

Emphasis has also been placed on increasing the oversight of third-party assessors to ensure professional and ethical standards.  Third-party assessors will receive certification through the CMMC accreditation body.

Increased Flexibility in Implementation

In an attempt to establish a more collaborative partnership, the DoD will now allow companies, under certain circumstances, to achieve certification while operating under Plans of Action and Milestones (POAMs).  POAMs are applied to identified deficiencies in an organization's current level of cyber security implementation.  Originally, CMMC did not allow POAMs to be active at the time of assessment.

Allowance of POAMs is currently to be determined by the assessor and the DoD, not the organization under review.  These POAMs, when granted, will require adherence to strict timelines.  The CMMC will also now, in some cases, allow waivers for requirements.

CVG Strategy Information Security Management System Consultants

Businesses worldwide are under attack from players that are well funded and very focused on compromising proprietary data.  IT solutions alone are not sufficient to combat these forces.  Viable solutions include all stakeholders in an enterprise.  They include people, policies, procedures, risk analysis, incident responses, and an internal auditing process that yields constant improvement.

CVG Strategy provides cybersecurity consulting and training for large and small organizations.  Our experts can tailor a program using a risk management process to identify information assets and interested parties.  We can create the documentation and provide the essential training to establish your ISMS and guide you through certification audits.

Our Information Security Management System experts can help you prepare for your organization's CMMC certification.  CVG Strategy experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives.  This process includes defining the context of your organization, creation of internal auditing processes and much more.  

Maintaining Export Compliance in a Dynamic World

Continuing Changes in Export Compliance

Maintaining export compliance programs presents challenges to organizations of all sizes.  Given the complexity of the International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), Antiboycott Regulations, and various sanctions, this is not surprising.  Additionally, international political events are forcing agencies to continually make changes to these regulations to protect United States national security and foreign policy interests.

To further complicate matters, the Bureau of Industry and Security (BIS) has increased enforcement and has also increased civil and criminal penalties for export violations.  At the same time, changes in sanctions, Export Control Classification, and the U.S. Munitions List (USML) make it more and more possible to unwittingly violate the law. 

Small businesses are not alone in this predicament, as major players such as Honeywell, Flir Systems, Apple, ExxonMobil, and Western Union have faced major penalties.  This holds true for those doing business under the scope of the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR).

Developing a Capable Program

Both ITAR and EAR require that companies who export controlled items initiate and maintain viable compliance programs.  The Directorate of Defense Trade Controls (DDTC) requires that a company that handles restricted articles or performs restricted services control its operations with procedures that meet ITAR requirements, in accordance with the DDTC Compliance Program Guidelines.  BIS likewise requires that a company that handles restricted articles or performs restricted services control its operations with procedures in accordance with the BIS Core Elements of an Effective Export Management and Compliance Program.

Many companies may have products or services that fall under both sets of regulations, which can further increase complexity.  While ITAR and EAR are the primary regulatory requirements, businesses must also comply with the following when conducting exports:

  • Antiboycott Regulations per the Department of Commerce’s Office of Anti-Boycott Control (OAC)
  • U.S. Department of the Treasury’s Internal Revenue Service (IRS)
  • U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC)

Additionally, many U.S. companies have operations in Canada and must harmonize their programs to meet the requirements of the Canadian Controlled Goods Program (CGP).

CVG Strategy can tailor an export compliance program that will meet the specific requirements of a company.  We can provide a program that harmonizes requirements for sets of applicable regulations.  

We can then implement this program into a Quality Management System (QMS) so that the export compliance program can have necessary management commitment, monitoring, and evaluation.  

Maintaining Export Team Knowledge and Awareness

While there are many factors in maintaining an export compliance program, most involve continuing education of all involved players in a business.  This includes any parties who interact with customers or potential customers, those involved with Export Control Classification, and, in the case of ITAR, those involved with facility and information security.  This education should stress the dynamic nature of export compliance and the need to stay abreast of developments as they occur.

CVG Strategy Export Compliance Experts

CVG Strategy has been helping our clients with their export compliance programs for over a decade.  We can provide guidance in establishing and maintaining export compliance programs. We can also assist with product Export Control Classification Determination.

CVG Strategy export experts know that knowledge is key. We can provide training in product classification, applying for licenses, screening potential customers, and securing data and facilities. We also include in our training which key US Government agencies and regulations specifically apply to your business.

Our training is available onsite and by webinar. Our classes are engaging and promote involvement by all participants. We also schedule time for questions you may have regarding your specific business applications.

We can also help you with export control classification of articles and technology and help with license requirements. Our specialists have classified thousands of products, services and technology over the years and provide you with confidence in your export business.

Susceptibility EMI/EMC Testing Standards

What is EMI Susceptibility?

EMI/EMC susceptibility is the vulnerability of an electronic device to electromagnetic energy that can result in disruptions to that device’s normal operation.  These disruptions can result in physical damage of the device, or unwanted operational events that can lead to property damage, injury, or death.

This is of special concern where safety-critical devices are operated in environments that have large amounts of electromagnetic interference being generated by other devices.  Such product sectors include automotive, medical, aerospace, and defense.  These issues are becoming more significant because of the proliferation of wireless devices and because ICs with lower supply voltages have lower noise margins.

Device susceptibility is generally attributable to three sources of Electromagnetic Interference (EMI): energy that is conducted into a device from its incoming power or I/O, energy that is radiated from external sources, and Electrostatic Discharge (ESD).

Industry Standards That Address Susceptibility

U.S. Defense Standards

MIL-STD-461 is the generally applicable EMI/EMC standard for developmental test and evaluation.  Test methods include Radiated Emissions, Conducted Emissions, Radiated Susceptibility, and Conducted Susceptibility.   Susceptibility testing includes simulations of magnetic, radio frequency, Electrostatic Discharge (ESD), and Electromagnetic Pulse (EMP).

Standards for evaluating power related issues include MIL-STD-1275 for military vehicles, MIL-STD-704 for equipment on aircraft, and MIL-STD-1399 for shipboard equipment.

Medical Devices

Because medical devices operate in areas with many other devices, and because their function is safety critical, a number of standards are evolving to meet safety concerns.  One possibility is ANSI C63.27-2017 “American National Standard for Evaluation of Wireless Coexistence”.  Although its primary application is medical equipment it can be used for any wireless application.   As well as addressing radiated, conducted, and power related sources of interference, the standard also establishes testing protocols for evaluating wireless coexistence.

Automotive Standards

The automotive industry generally evaluates components with standards specific to the vehicle manufacturer.  Many of these test methodologies, however, are derived from ISO 11452 and ISO 16750-2.  For heavy equipment, SAE J1455 is useful for evaluating the effects of steady state electrical power, transients, noise, ESD, and electromagnetic sources.

The Importance of Proper Testing

Properly designed products and proper testing of them are essential to ensure that electronic products operate as intended.  It is important to be aware, early in development, of the probable sources of EMI that will be prevalent in a product's intended environment.  Often this information can be found in the appropriate test standard.

Understanding the relevant standard can also help in the preparation of an overall test strategy in the early stages of product development.  When preparing for testing, resources should be allotted for development of off-chamber equipment to simulate peripheral components and appropriately exercise the equipment under test in a manner that will reflect performance of the product in the field.

It is also important to identify modes of operation of equipment and document any acceptable degradation of performance for those modes, thereby establishing clear pass/fail criteria.

CVG Strategy Experts

Our experts at CVG Strategy have extensive experience in Environmental/Dynamic and EMI/EMC testing for a number of industries and products, both military and commercial.  CVG Strategy specializes in Independent Developmental Testing and Evaluation including development of Test Plans, Test Procedures, Test Witnessing and Troubleshooting.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Quality Management Systems.

Cybersecurity Threats Trending Methods for 2021

Cybersecurity Threats by Industry Sector

Cybersecurity threats remain a significant concern for organizations in every sector.  IBM's 17th Cost of a Data Breach Report provided insights into the nature of the threat environment in 2021.  This report provides an assessment of risks and strategies for protecting data and responding to data breaches.

Among its findings, the report found that the average cost of a data breach rose by nearly 10% in 2021.  These costs were generally higher in organizations that did not have mature cyber security programs.  The average cost of a breach was 4.24 million dollars.  These costs were found to be higher in incidents where remote work was a factor in the breach.

Healthcare remained the industry sector with the highest cost per breach for the eleventh straight year.  The cost of cyber attacks rose significantly in the public sector, rising by 29.5% to an average cost of 9.23 million dollars per incident.  The energy sector saw a sizable decrease in those same costs, which is encouraging as this industry is part of the critical infrastructure.

Breach Containment

The length of time required to identify and contain data breaches averaged 287 days.  It was noted that longer incident response times led to more expensive cyber incidents.  Contributing factors in the length of time for containment were the type of attack, the types of Artificial Intelligence (AI) security measures in place, and cyber program maturity.

Organizations that utilized fully deployed security AI systems experienced an 80% reduction in breach costs as compared to organizations that did not.  This would justify the continued increase in implementation of AI security.

Hybrid Cloud Environments

Hybrid cloud systems incorporate public and private cloud services with on-premises infrastructure.  As would be expected, organizations with a larger cloud presence had higher costs associated with breaches.  While hybrid cloud systems tend to be safer than strictly public cloud systems, marked differences in costs associated with the maturity of their system management were noted.

Types of Data Compromised

Customer Personally Identifiable Information (PII) and Intellectual Property were among the record types that were most frequently compromised.  Employee PII was also high, comprising 26% of the total.  When assessing the real costs of data loss, it is difficult to quantify the loss of trust in an organization from customers, partners, and employees.  These incidents result in damage to an organization's reputation and can diminish important relationships.

Prominent Cybersecurity Threat Attack Vectors

Cyber criminal methods have remained consistent.  Among the familiar attack vectors were compromised credentials, phishing attacks, and attacks enabled by cloud misconfiguration.  Malicious insiders, vulnerabilities in third-party software, and social engineering attacks have also continued to be significant security risks.  Business email compromise attacks were smaller in number, comprising 4% of attacks, but accounted for the highest average total cost per incident at just over 5 million dollars.

Zero Trust Strategies

The zero trust framework assumes that an organization's information security is always at risk from both external and internal threats.  It therefore relies on continuous validation of data, users and resources by means of AI.  These strategies are usually employed by organizations with more mature information security management systems.  Indeed, only 20% of organizations that were part of the study had fully deployed a zero trust system.

It was found however that the cost of data breach was significantly less, over 42% less, for those who had employed zero trust methodologies.  This is encouraging because another 37% of organizations are planning for full or partial implementation of zero trust policies.

Cybersecurity Threats are Avoidable

Most cybersecurity incidents are preventable and can be mitigated through simple and common-sense approaches to improving security.  A 2020 study from the Ponemon Institute found that 51% of organizations surveyed had experienced a significant business disruption in the last two years.  This annual report, titled the Cyber Resilient Organization Report, also found that organizations that incorporated an enterprise-wide Cybersecurity Incident Response Plan (CSIRP) had half the number of incidents.

Having a plan is important.  For that plan to be effective it must be based on a reasonable assessment of an organization's specific information security risks.  Furthermore, that plan must undergo regular review of both the threat profile and the policies, processes, and procedures that counter changes in the threat.

Continuing assessment is particularly important in the cybersecurity arena because new threats are constantly emerging.  Additionally, as new information technologies are introduced they create new vulnerabilities.  Institutionalizing risk management allows an organization to develop and maintain cybersecurity programs that can evolve to meet the changing nature of cybersecurity threats.

An ISMS requires an information security incident management process to anticipate and respond to information security breaches.  It requires a regular and systematic internal audit to review that management.  ISO 27001 also requires the implementation of training and awareness throughout the organization to create a code of practice.

An effective ISO 27001 Information Security Management System (ISMS) is an excellent solution that involves all segments of a business to ensure that processes are in place to protect sensitive information.  The basis of ISO 27001 requires ongoing risk assessment and asset management.

CVG Strategy Information Security Management Consultants

CVG Strategy ISO 27001 consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS).  Because our team of experts brings extensive experience and deep information security process control expertise (including certification as Exemplar Global ISO/IEC 27001:2013 Lead Auditors), we can help you achieve ISO/IEC 27001 certification on time and on budget.

We can provide the training required to understand and engage in an ISMS and make it meet desired objectives.  This process includes defining the context of your organization, creation of internal auditing processes and much more.  Contact us to learn more.  We are also ready to help businesses handling Controlled Unclassified Information (CUI) ready themselves for Department of Defense (DoD) CMMC requirements.

Developmental Test and Evaluation for Defense Products

What is Developmental Test and Evaluation?

Developmental Test & Evaluation (DT&E) refers to testing performed on components and subsystems designed for use on U.S. defense platforms.  This testing is conducted at various stages in the development and acquisition process to verify that the product meets specified levels of performance.

DT&E is normally conducted by the designer of the equipment.  These tests are usually performed in a laboratory setting.  DT&E should not be confused with operational test and evaluation, which is performed on full-up military platforms in representative field settings.

DT&E can be used to verify and validate designs of components and subsystems.  This can include product improvements and integrations of hardware and software.

When laboratory testing may not be feasible, DT&E can include modeling, analysis, and simulation.  It encompasses the use of models, simulations, testbeds, and prototypes or full-scale engineering development models of the system.

Properly Executed DT&E is Essential

Properly conducted, this testing can decrease the costs and schedule impact of failures in Field/Fleet testing.  It also serves to demonstrate that the design and development process is complete.  Effective Developmental Test and Evaluation can, by catching materiel deficiencies early on, allow sufficient time for required design modifications. 

This can reduce the overall program costs, because the product will more likely survive the predicted environmental stresses and meet operational requirements.  The Defense Science Board Report, Test and Evaluation Capabilities, December 2000, estimated that correction of defects added 10 to 30 percent to system costs.

MIL-STD-810

MIL-STD-810 is an effective standard for Developmental Test and Evaluation that, when properly employed, can provide evaluation of environmental factors throughout a product's life cycle.  It is a collection of 29 laboratory test methods with numerous procedures. 

The standard has placed increasing emphasis on the need for tailoring test parameters and durations to effectively evaluate these factors.  It has had to do so because of the reluctance of industry to initiate the required management and engineering processes.  In essence, it is easier to test to cookie-cutter specifications than to assess the actual severities of environmental stresses.

MIL-STD-461

MIL-STD-461 is an EMI/EMC standard for developmental test and evaluation.  This standard is broken out into nineteen various methods.  These methods include Radiated Emissions, Conducted Emissions, Radiated Susceptibility, and Conducted Susceptibility.

MIL-STD-461 testing includes radiated and conducted test methods.  These methods involve simulations of magnetic, radio frequency, Electrostatic Discharge (ESD), and Electromagnetic Pulse (EMP) sources of potential disturbance.  Susceptibility requirements are determined by the type of equipment, the type of platform the equipment is to operate on, and the location of the equipment on that platform. 

MIL-STD-1275

MIL-STD-1275, Characteristics of 28 Volt DC Input Power to Utilization Equipment in Military Vehicles, specifies test methodologies that simulate the nominal 28 VDC voltage characteristics of military ground vehicles' power distribution networks.  General Requirements for Equipment Under Test (EUT) include: Operational Voltage Ranges, Transient Waveforms, Ripples, Spikes, Surges, and Starting Disturbances.

MIL-STD-704

This standard is used to evaluate a product's ability to operate as specified when powered from an aircraft power distribution network.  MIL-HDBK-704-1 thru -8 define the test methods and procedures.  Each of these documents covers a specific power type such as AC 60 Hz, AC variable frequency, or AC 400 Hz, as well as tests for DC-powered equipment. 

MIL-STD-1399 Parts 1 and 2

As with equipment designed for use in aircraft and land vehicles, there are electrical compatibility requirements for shipboard equipment.  This standard provides test methodologies to ensure that these products meet requirements for operating in extremely noisy electrical power networks.

Compliance by Analysis

In many cases products can be assessed to be compliant by analysis.  This is of particular value when the product to be tested is too large to be feasibly tested in a laboratory setting, or when such testing is deemed to be unsafe.  Compliance by Analysis methods can also be used to identify potential design deficiencies early in product development, giving ample time for required modification.

Compliance by analysis can involve any of the following:

  • Computer modeling and simulation – This analysis is normally done early in product development to assess potential design vulnerabilities so that required design modifications can be undertaken as soon as possible.  This method is particularly well suited for evaluating the product's response to dynamic (vibration, resonances, and shocks) and thermal stresses.
  • Acceptance by Similarity – This method can be used where the product is nearly identical to products already tested, and there is no reason to believe that differences would pose environmentally induced issues.
  • Testing of Coupon Samples – In certain cases there can be significant savings by using coupon samples instead of entire systems.  This is of particular value in the assessment of specific materials and coatings. 

CVG Strategy Test and Evaluation Expertise

CVG Strategy Test and Evaluation experts have decades of experience in developmental test and evaluation.  We can assist you in developing a test program that will reduce risks associated with product failure and required redesign.

Our product test experts can perform a product life cycle analysis to tailor test methods in MIL-STD-810.  We can perform engineering analysis to identify potential design deficiencies prior to or in lieu of testing.  Furthermore, our test and evaluation team can manage evaluation programs, write test plans, witness testing, and create test report summaries.  We have decades of experience in environmental and EMI/EMC testing in both commercial and military applications.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Quality Management Systems.

EMC Test Plans, A Requirement for Proper Testing

EMI/EMC Test Plans

EMI/EMC Test Plans are important in preparing for your trip to the lab.  The test plan should communicate all relevant information about testing requirements and the nature of the system to be tested.  This will allow the test laboratory to sufficiently assess the resources needed to complete testing.  These include: size of chamber, number of antenna positions, number of cables to be tested, power supplies, and specific measurement and susceptibility equipment.

Equipment Modes of Operation

Representative functionality is a requirement in EMI/EMC testing for both commercial and military applications.  The EMI/EMC test plan should include a description of all modes of operation in which the Equipment Under Test (EUT) is to be tested.  The plan should also provide a description of all peripheral and support equipment required to attain this functionality. 

A description of the EUT's normal operation should be defined for susceptibility testing.  This description should include any accepted deviations from normal operation so that susceptibility can be assessed against clear criteria.

EUT Safety During Operation

EUT operation can sometimes lead to potentially hazardous conditions.  The test plan should notify the lab of any potential hazards posed by the equipment to be tested.  This will allow for any precautionary measures to be put in place ahead of time.  Because susceptibility testing can produce unforeseen equipment malfunctions, the EMI/EMC test plan should also include emergency shutdown procedures.

Standard Specific Requirements

Every standard will have requirements for EMI/EMC test plans.  These include: product identification, description, power requirements, and cable requirements and descriptions.  Certain standards, like MIL-STD-461, have very detailed EMI/EMC testing requirements and require specific information to be present in the test plan.  

The Value of Proper Test and Evaluation Documentation

Product Test and Evaluation is a critical step in any product development program and a sizable investment of resources.  Properly prepared test documentation will help ensure that the testing performed will both verify and validate a product.  Test plans are essential for proper execution of a test by defining the tasks to be performed by both the test facility and the test witness.  They also provide the necessary information for the lab to create a viable Test Report, which is a necessary record of your product's conformity to applicable requirements.

CVG Strategy Test Plan Templates

CVG Strategy offers Test Plan Templates for EMI/EMC and Electrical Compatibility Testing.  These plans have been developed for MIL-STD-461, MIL-STD-1275, MIL-STD-1399, and MIL-STD-704.

EMI/EMC and Electrical Test Plan Packet

  1. Test Plan Template (protected PDF).  This document provides essential information concerning Equipment Under Test (EUT) setup, execution of each procedure, pass/fail criteria, and tolerances per the relevant standard.  All test plans are written per the requirements of DI-EMCS-80201C.
  2. Test Plan Addendum (Word document).  This document is to be completed by the customer.  It addresses information specific to the equipment to be tested, including EUT Description, EUT Setup, Modes of Operation, and Performance Checks.
  3. Test Lab Data Sheet (PDF form).  This document is used to record the procedures to be performed and the essential test parameters.  It also documents test facility report requirements per DI-EMCS-80201C.
  4. Test Label (Word document).  This label is used to identify the test performed in photographs.
  5. Tests to Be Performed (PDF form).  This form communicates to the test facility all test procedures to be performed during the test sequence.
  6. Procedure Specific Worksheets (PDF form).  These worksheets are included where appropriate to assist the test witness in recording test events.

CVG Strategy

Our experts at CVG Strategy have extensive experience in EMI/EMC.  We can provide requirement analysis, write EMC test plans, perform test witnessing, and provide troubleshooting and analysis of EMI/EMC test failures. 

We also have expertise in environmental testing and evaluation of product design across a number of industries and products, both military and commercial.  CVG Strategy specializes in Independent Developmental Testing and Evaluation, including development of Life Cycle Environmental Profiles, Test Plans, Test Witnessing, and Troubleshooting.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Quality Management Systems.

Quality Management System Documentation Creation


ISO 9001: 2015 Quality Management System Requirements

Proper documentation is the cornerstone of ISO 9001:2015.  Creating a system of documentation that is appropriate to your company’s requirements is crucial, because the documentation defines the manner in which the company will conduct business.  Paying attention to the design of your Quality Management System (QMS) at the outset can produce an efficient system that avoids a cumbersome bureaucratic framework.

Types of documents that comprise ISO 9001:2015 documentation are:

  • Scope Statement
  • Quality Policy
  • Quality Objectives
  • Process Flowchart
  • Work Instructions
  • Records

Fitting the Documentation to a Company’s Requirements

The formation of each of these categories is critical and requires detailed analysis to implement properly.  There is no specific requirement as to format or layout.  Because each company has a unique business model, “cookie cutter” methods of implementing a quality system can have diminishing returns.

Quality Management System Documentation should be created with an understanding of the context of the organization.  This requires that all stakeholders be included.  Moreover, it should be concise and user oriented.

ISO 9001:2015 documentation provides instructions on how your QMS is run and ultimately how your company is run.  Properly structured documentation can therefore actually make your operations easier, because a well-designed program can integrate ISO 14001, lean methodologies, and regulatory requirements into your QMS.

Defining a Continuous Improvement System

An ISO 9001:2015 QMS, if well incorporated and conceived in its documentation, is a powerful tool that can enhance a business’s potential by creating intelligent processes, quality products, and a satisfied customer base.

As your company grows, so too will its QMS.  A program started on the right path can therefore easily grow to accommodate new aspects and players in your company’s scope, objectives, and goals.  It can also adapt to non-conformities that arise in your products and services and turn them into viable opportunities for improvement.

Control of Documented Information

Documents included in a QMS include those specified by the standard and those deemed necessary by the organization to support its activities, products, and services.  Once created, these documents require controls to ensure and maintain their validity.  These controls include mechanisms for identification, review, and approval. 

This information is then required to be readily available to its intended users, to be appropriately preserved, and have effective version control.  These document control mechanisms must themselves be documented.

Evaluation of Effectiveness

Once a QMS is defined, it can be put into action and evaluated.  These evaluations assess the ability of the policies and procedures to meet customer requirements and manage risks.  When conformity of products and services or the degree of customer satisfaction is found to be less than desirable, improvements to the quality management system and its documentation can be executed.

These evaluations can be the result of monitoring, measurement and analysis, or internal audits.  The resulting findings are to be reviewed by the management of the organization so that relevant solutions can be developed and discussed.

Benefits of ISO 9001:2015

Competitive advantage

A properly tailored QMS ensures that business objectives constantly feed into your processes and working practices.  By establishing a suitable framework around the context of the organization and effectively implementing assessments and evaluations, a Quality Management System can evolve as your business grows.

Improves business performance

Having a comprehensive ISO 9001:2015 QMS helps your managers to raise the organization’s performance above and beyond competitors who aren’t using management systems.  The certification also makes it easier to measure performance and better manage business risk. 

It establishes clear expectations for your supply chain in terms of product quality and dependable delivery.  It also instills confidence in your brand by consistently meeting customer requirements.

Quality Management Attracts Investment

Achieving ISO 9001 certification can greatly enhance brand reputation and can therefore be a useful promotional tool.  It sends a clear message to all interested parties that your company is committed to high standards and continual improvement.

Saves you money

Evidence shows that the financial benefits for companies that have invested in and certified their quality management systems to ISO 9001 include operational efficiencies, increased sales, higher return on assets, and greater profitability.  Other savings can be gained by effectively identifying and mitigating risks such as product liability and product recalls.

CVG Strategy QMS Consultants

CVG Strategy quality experts focus on processes and process improvement in all our work.  Understanding Quality Management System Documentation development is a fundamental aspect of our work as consultants, helping our customers make their business run more efficiently and improving customer satisfaction.

There are many consulting companies providing support in ISO 9001:2015. What sets CVG Strategy apart from the rest is our approach. We fine-tune our statement of work depending on your capability and goals. Some clients have us serve as an advisor while they generate the documentation and implement the program themselves.

Many of our clients outsource the Quality Manager role to one of our experts, and we write the quality manual and supporting documentation set and provide all the training.  Some use our expertise to incorporate other quality guidelines and standards into their ISO 9001:2015 QMS, including those for food, hazardous materials, and products for the Department of Defense.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Quality Management Systems.

ISO 27001 Prevents Cyberattacks – ISMS for Data Security


ISO 27001 Prevents Cyberattacks

Implementing an ISO 27001 Information Security Management System (ISMS) prevents cyberattacks.  The Ponemon Institute in a 2017 study found that a typical firm experiences 130 security breaches each year. 

Mitigating these breaches requires more than advanced IT practices; it requires a dedicated management system.  ISO/IEC 27001 is such a system.  It includes processes for human resource security, physical and environmental security, and dealing with information security incidents.

The Real Cost of Cyber Attacks

The Cost of Malicious Cyber Activity to the U.S. Economy, released by the White House in February of 2018, estimates that such attacks cost the U.S. economy between $57 billion and $109 billion in 2016.  In 2021 an insurance company paid out $40 million in ransom.  However, these attacks can inflict damage that is difficult to assess or quantify in dollar amounts.  While most incidents are kept out of the public eye, a few attacks, like the Colonial Pipeline attack in May of 2021, do make headlines.

What is ISO 27001?

ISO 27001 is an international standard and widely accepted Information Security Management System.  The role of an ISMS is to preserve the confidentiality, integrity, and availability of information.  It accomplishes this task by applying risk management processes.  An effectively tailored program can meet this challenge because it is part of the organization’s processes and management structure.

Implementation of an effective ISMS requires an assessment of the organization’s objectives, security requirements, and organizational processes.  These assessments include a consideration of the size and structure of the organization so that the ISMS is scaled to meet the needs of the organization.

Once these influencing factors have been defined, a risk assessment can be conducted.  This process should:

  • identify the information security risks
  • identify the risk owners
  • assess the potential consequences of an undesired occurrence
  • assess the realistic likelihood of the occurrence
  • determine the levels of risk
  • establish priorities for treatment of the risk (e.g. implementation of information security controls)

The Advantage of Implementing an ISMS

Because ISO 27001 is configurable to your company’s requirements, it is an effective means of organizing data security.  It includes a complete process and the involvement of all stakeholders in monitoring and preventing cyberattacks.  ISO 27001 also includes training to maintain a high state of awareness among all employees.

An ISMS can readily address numerous issues because it centers on policies and processes that are adopted from top management down and includes all stakeholders, including third parties.

As an example, a continual challenge for organizations is to ensure that software is up to date.  This can be difficult because of segregation between tiers and organizational turf battles.  With an effective ISMS these issues are identified and dealt with at a management level and communicated through policies, procedures, and work instructions.  Additionally, because metrics are established for each criterion, monitored, and analyzed, deficiencies in processes can be identified and remedied.

The security of data is not only of great concern to your organization.  It is of interest to your customers, investors, and partners.  ISO/IEC 27001 certification shows that your company is a responsible partner and maintains an active interest in monitoring and mitigating cyberattacks.

CVG Strategy Cyber Security Consulting and Training

Cyber Security Consulting

CVG consultants have over a decade of experience with ISMS, Quality Management Systems (QMS), and Export Compliance.  We understand that each business has a unique set of requirements that demand tailored solutions.  Developing these solutions requires assessing an organization’s culture and involving all stakeholders.  Using this information, we can develop programs that are effective and can adapt as a business grows.

Cyber Security Training

Training is an essential component of any viable ISMS.  Despite major advances in organizational cyber security, human error continues to be a major cause of data breaches.
 
While more sophisticated variants of malicious software are being developed, phishing remains a prominent way for attackers to gain access to sensitive information.  Thus, a very well-designed cybersecurity framework can be defeated by an employee clicking on an email attachment.  This is a cause of increased concern as the remote workforce continues to expand.
 
Proper cyber protocols must be consistently reinforced through training that is informative and engaging.  Effective training should include review of basic procedures such as using appropriate network security and not allowing unauthorized access to work areas.  It should also include a review of all ISMS policy and procedure changes.
 
CVG Strategy has been involved in business training for over a decade.  Our experts take pride in effective and engaging training sessions that ensure that participants retain important information.

Product Test Standards and Specifications


Using Product Test Standards to Develop a Test and Evaluation Program

There is a seemingly endless number of product test standards and specifications.  These documents set criteria for compliance, provide guidance for evaluation, and sometimes assist in the development of analysis and test programs for both consumer and military products.  They are all constantly evolving, as new revisions are released periodically.

Some product test standards offer very clear and concise parameters for product evaluation.  Other test standards can be vague in the details of their requirements.  The quality of writing and organization can also vary greatly.  Many have annexes and appendices full of extremely in-depth information that can clarify a test’s methodologies and intent.

Military Test Standards

MIL-STD-810

MIL-STD-810 – Environmental Engineering Considerations and Laboratory Tests is a prominent standard for the evaluation of climatic and dynamic stresses that occur in the expected life cycle of a defense product.  It is a vast standard comprising 29 test methods and numerous appendices and addendums.

Utilizing this standard fully involves understanding how to tailor testing to adequately reflect expected environmental stresses.  These stresses are determined through a Life Cycle Environmental Profile (LCEP).  The stresses and their severities serve as inputs to the Environmental Issues/Criteria List (EICL), which in turn provides a baseline for design and aids in the selection of relevant test procedure parameters.

MIL-STD-461

MIL-STD-461 is an EMI/EMC standard for developmental test and evaluation.  This standard is broken out into nineteen test methods, covering Radiated Emissions, Conducted Emissions, Radiated Susceptibility, and Conducted Susceptibility.

MIL-STD-461 testing includes radiated and conducted test methods.  These methods simulate magnetic, radio frequency, Electrostatic Discharge (ESD), and Electromagnetic Pulse (EMP) sources of potential disturbance.  Susceptibility requirements are determined by the type of equipment, the type of platform on which the equipment is to operate, and the location of the equipment on that platform.

MIL-STD-1275

MIL-STD-1275, Characteristics of 28 Volt DC Input Power to Utilization Equipment in Military Vehicles, specifies test methodologies that simulate the nominal 28 VDC voltage characteristics of military ground vehicle power distribution networks.  General requirements for Equipment Under Test (EUT) include: Operational Voltage Ranges, Transient Waveforms, Ripples, Spikes, Surges, and Starting Disturbances.

MIL-STD-704

This standard is used to evaluate a product’s ability to operate as specified when powered from an aircraft power distribution network.  MIL-HDBK-704-1 through -8 define the test methods and procedures.  Each of these documents covers a specific power type, such as AC 60 Hz, AC variable frequency, and AC 400 Hz, as well as tests for DC-powered equipment.

MIL-STD-1399 Parts 1 and 2

As with equipment designed for use in aircraft and land vehicles, there are electrical compatibility requirements for shipboard equipment.  This standard provides test methodologies to ensure that these products meet requirements for operating in extremely noisy electrical power networks.

Commercial Test Standards

There are a wide variety of test standards for commercial product evaluation.  These standards ensure that regulated products meet industry accepted levels of performance capability and product safety.  Selection of the appropriate standards requires that you understand the requirements of the market sector and the regulatory requirements of the nations in which the product is to be sold.

IEC 60529

IEC 60529 is a standard used in a variety of industries.  It provides a means of evaluating a product’s ingress protection.  Product ratings are defined by an IP code.  This code classifies the degrees of protection provided by electrical enclosures against the intrusion of solid objects (including body parts such as hands and fingers), dust, accidental contact, and water.

Using Product Test Standards to Develop a Test and Evaluation Program

Each product test standard should be treated by the reader as unique in its perspective and purpose.  MIL-STD-810H, for example, places a huge emphasis on tailoring the parameters of test methods to reflect the environmental stresses the product under test will encounter throughout its life cycle.  This perspective is not as applicable to compliance standards, where strict parameters and procedures are required.  This can present a challenge to managers of test programs, especially those working with a product that is being released to new markets.

Allocating the time and resources to grasp the entirety of required test procedures can be daunting.  Test laboratories can provide guidance, but it is beyond their scope to advocate management strategies for establishing programs fit for your product.  Test laboratories cannot give recommendations on product test standards and still remain an independent evaluating body.

CVG Strategy Experts

CVG Strategy has experience in developmental test and evaluation for a wide variety of industries, including military and automotive.  Because of this, we understand the importance of looking beyond a test-to-pass perspective.  We can help develop a test program that will return meaningful data and verify a product’s ability to survive harsh environments.

We also have extensive experience in environmental, EMI/EMC, and electrical compatibility testing for both military and commercial products.  CVG Strategy specializes in Independent Developmental Testing and Evaluation, including development of Test Plans, Test Witnessing, and Analysis.  We also provide MIL-STD-810 Training Seminars and Webinars to enable product developers to create tailored test programs.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Quality Management Systems.