IoT Device Cybersecurity Guidance for Industry


Internet of Things (IoT) cybersecurity is becoming an issue of increasing concern as these devices continue to secure a larger marketplace presence.  This is because IoT solutions are a cost-effective means of integrating connected devices.  IoT devices include smart home products, wearable technology, health monitoring devices, alarm systems, and transportation equipment.  They can also be found in industrial control technology, agriculture, military, and infrastructure applications. 

IoT devices are functional, inexpensive, and easy to implement.  As a result, there has been remarkable growth in this market.  Fortune Business Insights predicts that IoT technology will grow from 478 billion dollars in 2022 to 2.4 trillion dollars in 2029.

IoT Device Core Baseline Cybersecurity

To address the vulnerabilities of IoT platforms, the National Institute of Standards and Technology (NIST) has released recommendations for manufacturers of IoT systems on improving how securable the IoT devices they make are.  The IoT Device Cybersecurity Capability Baseline provides six actionable items: four activities that should be conducted to assess pre-market impact, and two activities with primarily post-market impact.  Because these activities affect the process by which design specifications should be created, the document is primarily intended for the development of new devices.

Pre-Market Activities for Baseline IoT Security

IoT product manufacturers should consider the security of a product throughout its life cycle.  This includes an examination of integration into the customer's probable usage and overall system requirements.  Because these factors will vary widely from product to product, the following steps should be conducted:

  1. Identify expected customers and users, and define expected use cases.
  2. Research customer cybersecurity needs and goals.
  3. Determine how to address customer needs and goals.
  4. Plan for adequate support of customer needs and goals.

IoT Considerations After Product Release

It is important to define methods for communicating cybersecurity risks and recommended protocols.  These considerations should include a declaration of risk-related assumptions.  It is important to remember that both the manufacturer and the consumer share a responsibility in implementing and maintaining security.

NIST has provided a list of six recommended security features that manufacturers should build into IoT devices.  These features should be considered when consumers are selecting a device.

  • Device Identification: The IoT device should have a unique identifier when connecting to networks. 
  • Device Configuration: An authorized user should be able to change the device’s configuration to manage security features.
  • Data Protection: The device should protect the data it stores internally.  This can often be accomplished by using encryption.
  • Logical Access to Interfaces: The device should limit access to its local and network interfaces by authenticating users attempting to access the device.
  • Software and Firmware Update: A device’s software and firmware should be updatable using secure protocols.
  • Cybersecurity Event Logging: IoT devices should log cybersecurity incidents and provide this information to the owner and manufacturer.

Additional Protective Steps

Because IoT devices often do not allow access to their built-in management tools, implementing IoT devices can create access points into networks that contain sensitive data.  Additionally, preventing access to devices by unauthorized persons can be a challenge in large industrial settings.  Therefore, segregation and isolation of these devices using Virtual Local Area Networks (VLANs) should be considered when installing devices in a business setting.  

Cybersecurity of Increasing Concern for Businesses

Because many incidents go unreported, real losses to U.S. manufacturing from cybercrime are difficult to assess.  Even the most statistically reliable data is derived from a small survey of businesses conducted by the Bureau of Justice Statistics.   In a recent report from Douglas Thomas of NIST, estimated losses for all industries could be as high as 0.9% to 4.1% of total U.S. gross domestic product (GDP), or between $167.9 billion and $770.0 billion.

The unfortunate reality for businesses is that those implementing IoT systems often do not fully comprehend the vulnerabilities these devices present.  As with cloud computing, proper implementation is essential.  Common issues include insecure interfaces, a lack of consistent device updates, and weak password protection.  It is therefore essential that those who select, install, and service IoT devices be trained and follow documented best practices to prevent data breaches.

Other actions can be taken to mitigate malicious threats on sites where IoT applications are used.  Performing data analytics can often allow an organization to identify threats before they become critical.  Another tool for protecting data is utilizing Public Key Infrastructure (PKI) to provide effective encryption of IoT networks.

Call for IoT Certification and Labeling

Because consumer-based cybersecurity measures are at best reactive, there has been an effort to initiate a Certification & Voluntary Labelling Scheme to set a standard for manufacturers of IoT devices.  A labeling system would give developers of IoT applications an easy way to gain the confidence of consumers.  This international certification framework would involve third-party assessments at accredited test facilities and would be internationally recognized.  Currently, a pilot program is open for applications for case studies.

CVG Strategy Cybersecurity

There are many applications where the benefits of IoT have yet to be fully explored.  As development of IoT sensors continues, they will contribute to the enhancement of such technologies as Artificial Intelligence (AI) and even smart cities.  However, because they rely on internet connectivity, they have inherent vulnerabilities.

Many manufacturers implement such devices to control processes and gather critical data.  Because of this, the risk these devices present should be taken into consideration by an effective Information Security Management System (ISMS).  CVG Strategy can help your business implement ISO 27001 to exercise due diligence and comply with contractual and regulatory data security requirements.  

CVG Strategy is committed to assisting organizations doing business with the Department of Defense achieve CMMC certification and secure the information in our defense manufacturing supply chain.  As industry leaders in cybersecurity, ITAR, and risk-based management systems, we have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.


Economic Espionage by China Threatens United States


Economic Espionage by China Continues in Every Sector in the United States

Economic espionage efforts by China continue to pose a serious threat to the United States in both the public and private sectors.  In the public sector, hacking groups backed by the People’s Republic of China have infiltrated local and federal agencies.  These persistent attacks appear to be focused on gathering information.  According to an article by CNN, these agencies have included the Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

In the private sector, Cybereason has reported that China is conducting a global cyber espionage program to steal trade secrets, intellectual property, and sensitive information from companies in North America, Europe, and Asia.  Many organizations that have suffered these data breaches, which go back to 2019, are not even aware that their computer networks have been compromised.

These attacks have exploited vulnerabilities in a wide array of tools, including the Microsoft Common Log File System (CLFS).  They often utilize multi-stage infection chains to remain undetected.  Other attacks have involved more standard forms of malicious activity, including spear-phishing emails.

A Call to Action Against Cyberattacks

While China is not the sole nation to threaten U.S. interests with cyberattacks, its activities have, unlike others, focused on economic espionage and intellectual property theft.  Clearly, China intends to be the dominant global economic force by any and all means available.  U.S. businesses therefore must engage in effective strategies to protect their interests and remain vigilant. 

The FBI has warned U.S. executives about partnering with Chinese parties as vendors or customers.  Christopher Wray, in a speech in February of 2022, pointed out that no nation presents a greater danger to the U.S. than China.  He went on to say that they are using hacking tools of increasing sophistication to cause indiscriminate damage.  Often these campaigns are conducted with the help of independent cyber criminals.

He mentioned the Microsoft Exchange hack, in which over 10,000 American companies were attacked, as an example of China’s efforts to steal information to create industrial bases in desired sectors.  He also stressed that the scale of China’s efforts exceeds that of all our other adversaries combined.

Mixed Responses from the Federal Government

The federal government’s responses to state-sponsored cyber threats have had mixed results.  Recently the National Security Division of the Department of Justice announced it was terminating its “China Initiative,” a program created to counter threats posed by China.  Legislation has been proposed to hold the department accountable in its efforts to prosecute Chinese nationals involved in efforts to endanger U.S. national and economic security.

Meanwhile, the Department of Defense’s efforts to protect Controlled Unclassified Information (CUI) under the auspices of the Cybersecurity Maturity Model Certification have had an uneven start.  Changes in its management and dissatisfaction from companies striving to comply with costly cybersecurity solutions have led to revisions and delays in a final release of the program.

Indeed, federal officials have shown limited ability to prevent foreign governments from accessing government computer systems.  According to The 2021 Thales Data Threat Report, 47% of federal government respondents stated that they had experienced data breaches in the last calendar year.  Affected agencies included the DoD and CISA.

Assuming Responsibility in the Prevention of Cyberattacks

Organizations in the private sector have begun to realize the enormous threat that cyberattacks pose.  Their responses, however, have been slow, and the levels of cybersecurity maturity attained thus far are leaving proprietary and sensitive data vulnerable.  While numerous advances in IT tools are available to assist organizations in their fight against cyberattacks, organizations also require management tools to evaluate risks, implement plans, and coordinate control mechanisms.

For many small to medium businesses, a severe data breach could spell the end of their enterprises.  Their challenges are compounded by the need to share data with suppliers, customers, and other third parties.

Clearly, the path forward is not likely to get easier for those involved in the protection of data.  It is therefore the duty of all organizations to assume responsibility for their best interests and shape their entities to protect their futures.

CVG Strategy Can Help

Information Security Management Systems

CVG Strategy can assist your organization in implementing and maintaining a viable and dynamic Information Security Management System (ISMS) by achieving ISO 27001 certification.  An ISMS is a comprehensive approach to securing data that involves all stakeholders in a risk-assessed managerial approach. 

It involves processes, facility security, people, and IT systems to engage in best practices.  It also involves a constant improvement approach so that threats can be continually assessed and addressed as they evolve.  This business system can help your organization remain vigilant against economic espionage and cyberattacks conducted by China and other nation states.

CMMC for Department of Defense Contractors

CVG Strategy is committed to the goals of CMMC in securing the information in our defense manufacturing supply chain.  As industry leaders in cybersecurity, ITAR, and risk-based management systems, we have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.

Many organizations find it beneficial to integrate CMMC requirements into an Information Security Management System (ISMS) such as ISO 27001.  The basis of ISO 27001 requires ongoing risk assessment and asset management.

It requires information security incident management to anticipate and respond to information security breaches. It requires a regular and systematic internal audit to review that management. ISO 27001 also requires the implementation of training and awareness throughout the organization to create a code of practice.

An ISO Information Security Management System (ISMS) is a comprehensive approach to keep confidential corporate information secure. It encompasses people, processes and IT systems and helps your business coordinate your security efforts consistently and cost effectively.


Export Compliance Program Management ISO 37301


Export Compliance Program Management

Effective export compliance program management poses challenges for organizations of all sizes and sectors.  U.S. export regulations such as the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR) are complex and under constant revision.  Compliance is further complicated for organizations that have multinational operations and must therefore comply with additional export controls.

CVG Strategy Export Compliance Management Systems

CVG Strategy export compliance specialists, drawing from decades of experience in the field, have created Export Compliance Management Systems.  These management systems include manuals, work instructions, forms, and attachments that address U.S. export legal and regulatory requirements.  Additionally, management systems are available to address requirements for the Canadian Controlled Goods Program.

These document sets address all departmental functions in an export compliance system, including those for planning, human resources, sales and marketing, engineering, vendor management, and production and services.  They also include the required processes for maintaining export compliance, including item classification, screening, anti-boycott compliance, and incident response with instructions for conducting voluntary self-disclosure.

Additionally, these documents contain embedded tools for assessing and rating risks.  These tools can help members of a compliance team identify compliance risks in projects where extra diligence is required to maintain compliance obligations.

These management system document sets are fully compliant with ISO 37301:2021 Compliance Management Systems, providing a coherent method of integration into an organization’s existing operations.

ISO 37301 Compliance Management Systems

ISO 37301:2021 is an international standard that can help establish and maintain a culture of compliance within an organization.  It can also extend these expectations to interested third parties.  Application of this standard can provide a basis for a sustainable organization by helping it meet its regulatory obligations.

Since ISO 37301 is structured along the same lines as ISO 9001:2015, it can be harmonized with an organization’s existing Quality Management System (QMS).  While compliance functions are maintained independently from other functions, ISO 37301 compliance management can be integrated with other management processes.

Creating and implementing a successful compliance management system requires that the system fit the organization’s culture and specific regulatory requirements.  This is accomplished by defining a context of the organization that allows for the creation of policies that are embedded in and reflected by the behaviors of all personnel and interested parties.  These policies should reflect the core values and ethical practices essential to maintaining compliance with export laws and regulations.

As with any successful business undertaking, an effective export compliance program must start at the top.  Top management must be committed to strict adherence to export laws and regulations.  Management must also allot adequate resources to maintain and develop the compliance program as the business evolves. 

When implementing a compliance program, specific risks must be identified when determining the scope of the program.  These risks, once identified, can be addressed and monitored by the management system.  As with other ISO standards, ISO 37301 employs a Plan, Do, Check, Act methodology that provides an organization a means to engage in continual improvement of processes while assessing new risks and opportunities.

Flexibility in Implementation

There are numerous types of organizations that must comply with export laws and regulations.  Therefore a compliance program must vary to address differences in the type, size, nature, and sector of the business.  CVG Strategy Export Compliance Management Systems provide flexibility in implementation so as to be applicable to all types of export scenarios.

As an example, a business may design, service, manufacture, and export dual use products that are not enumerated by the United States Munitions List (USML).  Such an organization would need only comply with Export Administration Regulations (EAR) and not those of the International Traffic in Arms Regulations (ITAR).

Our Export Compliance Management System provides the means to determine, tailor, and document which sets of laws and regulations are applicable to an organization’s context, thereby preventing unnecessary burdens and overhead.

CVG Strategy Export Compliance Services

CVG Strategy, LLC is recognized the world over as the premier provider of customized Export Compliance Consulting, Export Compliance Programs, and Training that address critical U.S. Government and Canadian laws and regulations, from the Export Administration Regulations (EAR) to the International Traffic in Arms Regulations (ITAR), the Office of Foreign Assets Control (OFAC), the Canadian Controlled Goods Program (CGP), and other regulatory agencies.

CVG Strategy ITAR and Export Compliance experts have managed manufacturing and distribution businesses and have worked for multinational organizations.  CVG Strategy’s experts are not ex-government employees; they understand the needs and goals of small to medium-sized operations in managing compliance requirements.  They also have expertise in the implementation and maintenance of a wide variety of management system standards.

Service Industry Quality Management ISO 9001-1:2015


Why Have a Quality Management System for Service Industry Businesses?

At first glance a Quality Management System (QMS) might appear inappropriate for service industry businesses.  There would appear to be a lack of metrics to serve as inputs, as a large portion of the product is not physical. 

Customer satisfaction, however, is a very tangible item.  Think back on a meal at a restaurant or a hotel stay that left you less than satisfied.  How likely are you to return to that business?

What is a QMS?

A QMS is a framework that promotes consistent performance in an organization through implementation of policies, processes, and work instructions.  Continuous Improvement is achieved in a QMS through a Plan, Do, Check, Act methodology where a plan is implemented, monitored, and then changed as necessary to achieve desired levels of performance.  

An effective QMS requires active participation of top management in all of its phases, including establishment of policies and the regular review of internal audits. 

ISO 9001:2015

ISO 9001:2015 is an international quality management system standard that is applicable to the service industry.  It provides a process approach to managing products and services with a customer focus.  It can be tailored to address multiple organizational business needs, including supply chain quality and regulatory requirements, within its context of the organization.

This standard is applicable for organizations of any size and in any number of industrial sectors.  Organizations certified to ISO 9001 can achieve a competitive advantage by showing their customer base that they apply quality management principles in the conduct of business.

Every Business Model Incorporates Process

Processes are a part of every employee function.  Where those processes can be defined, consistent performance of tasks can be accomplished.  When team members have the ability to offer feedback into process improvement, they will be less frustrated by imposed systems that aren’t working as well as they should.  A frustrated employee is less able to provide a positive experience to a customer, and satisfied customers mean a successful business. 

Buy-in by all stakeholders is the backbone of a QMS and provides the inputs for continual improvement.  These inputs can then be documented to provide dynamic process development that can evolve as a business grows.

Offsetting Quality Management System Costs

Service Industry businesses often operate with tight margins.  The immediate perception for many is that a QMS is an expensive undertaking.  While some cost is involved, these costs can often be offset by savings in process efficiency.  They of course can also be offset by the increased profitability of a satisfied customer base. 

It is important to realize that a QMS is scalable to a business’s size and is built around the context of the organization.  This means that a QMS should be built around the specific boundaries, scope, and requirements of a business.  This allows for a determination of scope and complexity for a given company’s QMS.  When a thorough analysis is made, the argument could be made that a service industry business cannot afford to be without quality management. 

Achieving the highest possible return on investment is important, regardless of which quality management system standard your organization implements. Taking advantage of all the features of that standard requires an understanding of Quality Management Systems and the growing number of requirements businesses face in their specific sectors.

CVG Strategy

Our Exemplar Global Lead Auditor Consultants can help you with implementing a quality management system, which will include a risks and opportunities procedure.  CVG Strategy has prepared, trained and implemented quality management systems for manufacturing companies in many business sectors.

Our quality strategy allows clients new to Quality Management Systems to rapidly implement a tailored system.  That is because everything we do as consultants is process-based. Our Quality Experts have experience with ISO 9001:2015, AS9100D, ISO 13485:2016, ISO 27001:2013, and Association of American Railroads (AAR) M-1003 and can readily deliver compliant procedures and work instructions.

We can provide expertise coupled with an outside perspective to assist you in tailoring a QMS that fits your organization’s specific requirements.  We have assisted organizations in establishing programs in ISO 27001, ISO 13485, ISO 14971, AS9100, and ISO 9001.

CVG Strategy is a consultancy offering coaching, mentoring, training, and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security, and Product Test and Evaluation.


Understanding CMMC Requirements for DoD Suppliers


Understanding CMMC Requirements is critical for businesses of all sizes in the defense industry.  This need is becoming more urgent as final release of CMMC 2.0 is expected to occur in 2023.  Failure to achieve an appropriate level of Cybersecurity Maturity Model Certification in a timely manner may impede an organization’s ability to participate in Department of Defense (DoD) contracts.

The Importance of Establishing a Standard for Basic Cyber Hygiene

The defense industry supply chain is reliant on the flow of data through a vast number of networks both within and across multiple manufacturers’ systems.  Securing this data is essential for maintaining national security.  The rapid increase in cyber-espionage aimed at the industrial sector places this data at increased risk.  While a number of cybersecurity approaches exist in the industrial sector, most are not appropriate or adequate for the protection of controlled and uncontrolled defense information.  

CMMC 2.0 has been developed as a means of implementing a risk-based management approach with baseline requirements that are adaptive to changing cyber threats.  It also includes a certification process to ensure that DoD contractors comply with CMMC.  This will allow companies of all sizes and at all levels to be integrated while maintaining the resiliency and integrity of the defense manufacturing supply chain.

CMMC Levels of Compliance

As opposed to CMMC 1.0, CMMC 2.0 has three different levels of CMMC compliance.  While Level 3 compliance is reserved for programs that the DoD considers of high priority, Level 1 and 2 determinations are based on the type of information an organization is using, Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

As defined in 48 CFR 52.204-21, FCI refers to information provided or generated by the U.S. government that is not intended for public release.  This information is generally created in the development of a contract for a product or service. 

CUI, as defined in 32 CFR 2002.4, is information that the U.S. government creates or possesses, or any information created for the Government, that is controlled by a law or regulation.  The CUI definition does not include classified information.  It would therefore include unclassified information that falls under the jurisdiction of the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).

CMMC Level Requirements

  • Level 1 (Foundational) applies to organizations that deal solely with FCI.  Level 1 requirements for cybersecurity are based on requirements detailed in FAR 52.204-21.  These 17 controls protect contractor information systems by limiting their access to authorized users.
  • Level 2 (Advanced) applies to organizations that work with CUI.  Level 2 requirements include the 14 control families and 110 controls contained in NIST 800-171.  
  • Level 3 (Expert) applies to organizations working on high-priority projects critical to U.S. national security.  Level 3 will include the controls for Level 2 along with additional controls that have yet to be announced.  These controls will be designed to reduce the risk from Advanced Persistent Threats (APTs). 

CVG Strategy’s Experience and Commitment

CVG Strategy is committed to the goals of CMMC in securing the information in our defense manufacturing supply chain.  As industry leaders in cybersecurity, ITAR, and risk-based management systems, we have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.

Many organizations find it beneficial to integrate CMMC requirements into an Information Security Management System (ISMS) such as ISO 27001.  The basis of ISO 27001 requires ongoing risk assessment and asset management.

It requires information security incident management to anticipate and respond to information security breaches. It requires a regular and systematic internal audit to review that management. ISO 27001 also requires the implementation of training and awareness throughout the organization to create a code of practice.

An ISO Information Security Management System (ISMS) is a comprehensive approach to keep confidential corporate information secure. It encompasses people, processes and IT systems and helps your business coordinate your security efforts consistently and cost effectively.

Implementation of ISO 13485:2016 for Medical Devices


ISO 13485:2016 Applicability 

Implementation of the ISO 13485:2016 Quality Management System (QMS) is applicable to organizations involved in any of the steps in a medical device’s life cycle, including design, calibration, production, and disposal.  This voluntary international standard allows for the variances in regulatory requirements particular to the organization’s region of application.  Because ISO 13485 shares the basic structure of other QMS standards, it can be integrated into an overall management system.   

Devices Under the Scope of the Standard

ISO 13485:2016 includes in its scope a large variety of medical devices with the exception of pharmacological and immunological products.  These include: equipment involved with diagnosis, prevention, monitoring, life support, disinfection, conception, and in vitro analysis of specimens.  Its reach extends to the associated services, software, processed materials, and support activities related to these devices.

The standard also addresses the control of the work environment in the medical device industry for sterile devices that require contamination control.  These controls address requirements for documented procedures for both facility and personnel.

Requirements for Design and Development

As can be expected, there are detailed requirements addressing the design and development of medical devices.  Firstly, verification should be conducted to confirm that the equipment performs as defined in design inputs.  These evaluations must be conducted using statistical techniques that include a rationale for sample sizes.  Furthermore, evaluations should be performed with the equipment connected to the equipment it interfaces with in regular use.

Validation evaluations are also required for medical devices.  These evaluations should be performed on representative equipment.  These validations can include clinical and/or performance evaluations in accordance with relevant standards.

As well as ensuring that a design is suitable for use, ISO 13485:2016 also has controls for ensuring that the product is suitable for manufacturing.  This step involves verification that the manufactured product can meet design requirements.

Purchasing Requirements for Medical Devices

Given the level of quality required for medical devices, it is understandable that implementation of ISO 13485:2016 places significant requirements on the procurement process.  It is therefore important that suppliers be selected based on their ability to meet an organization’s requirements.  Their performance should be regularly assessed, and the degree of diligence should be proportional to the associated risks.

Criteria for evaluating suppliers are to be established prior to the selection of suppliers.  These criteria can include product specifications, acceptance procedures, supplier personnel qualifications, or any other stipulations mandated by the QMS.

Once products have been purchased by the organization, their quality shall be verified according to documented processes.

Installation and Servicing Activities

Unlike many QMS, ISO 13485 includes requirements for organizations that install and service products.  The standard requires that installation and servicing be performed in accordance with documented procedures.  It also requires that these services be documented and records retained.  Furthermore, it is incumbent on the service provider to validate methods of installation and service.

Identification and Traceability of Medical Devices

Devices are to be identified in a way that provides a unique identity for the product during all phases of its life cycle, including manufacturing, storage, and installation.  This should be performed in accordance with applicable regulations.

Generally, the standard requires documented procedures to maintain traceability of medical devices.  This requirement applies to manufacturers and customers of devices.  This traceability should protect medical devices from unauthorized alteration, contamination, or damage.

Monitoring and Measurement

Implementation of ISO 13485:2016, as with most QMS, requires establishing monitoring and measurement activities.  This standard is no different in that it places requirements on the organization to gather information that will provide feedback.  Here though, special attention is given to complaint handling.  For this standard, specific protocols are built around the handling of complaints including sharing of data with relevant third parties and regulatory authorities.

Corrective Action and Preventative Action (CAPA)

A major feature of ISO 13485:2016 is the Corrective Action and Preventative Action (CAPA) process.  These processes correspond to requirements of the Food and Drug Administration (FDA) as defined in Section 820.100 of Title 21.

Corrective actions include the following:

  1. A thorough analysis of all involved processes and relevant documentation.  This should include a complete identification of existing and potential sources of nonconformity.  The analysis should use statistical methods to detect recurring issues;
  2. Identification of the causes of the nonconformity;
  3. Identification of the actions required to prevent recurrence of the nonconformance;
  4. Conducting appropriate planning and documentation of actions;
  5. Ensuring through verification that actions taken do not have adverse effects;
  6. Conducting a review of actions to determine effectiveness.

Preventative actions include:

  1. The determination of potential nonconformities;
  2. The evaluation of actions to address the potential nonconformities;
  3. Documenting these actions;
  4. Conducting analysis to verify that preventative actions do not have adverse effects;
  5. Conducting regular reviews of these actions.

Additional Jurisdictional Requirements for Medical Devices

Medical Devices Regulation and the Food and Drug Administration (FDA)

In the United States, manufacturers of medical devices are required to establish and comply with quality systems to ensure consistency in product quality.  Under the jurisdiction of the Food and Drug Administration (FDA), the Current Good Manufacturing Practices (CGMP) are defined under Part 820 of the Code of Federal Regulations Title 21.  Because this places additional requirements on organizations involved with medical devices in multiple countries, the FDA has signaled its intent to harmonize the U.S. Quality System Regulation with the international standard.

European Medical Devices Regulation

For organizations involved in medical devices in the European Union, the Medical Devices Regulation (EU 2017/745) establishes requirements beyond those stipulated in ISO 13485:2016.  These include additional risk analysis and management tasks specific to each individual device and a requirement for sufficient financial coverage to handle potential product liabilities.

CVG Strategy Can Help 

Given the potential risks of harm involved in the design and manufacture of medical equipment, requirements and regulations are rigorous.  Aside from ISO 13485, medical device manufacturers may also need to comply with:

CVG Strategy Quality Management experts can assist your organization in the implementation of ISO 13485:2016.  Our team has helped organizations meet international requirements for many medical devices.

Our quality experts understand the importance of processes and process improvement.  We offer a variety of Quality Management services to assist in the implementation and continual improvement of effective systems that save money and ensure customer satisfaction.

Infrastructure and Manufacturing Cyberattacks Continue


Infrastructure and the manufacturing sector pose tempting targets for cyberattacks.  When these systems are compromised, the effects can be widespread and can harm vast sectors of society.

When considering cybersecurity, first thoughts usually go to computers and information technology, but industrial devices and processes can fall victim as well.  In May 2021 the Colonial Pipeline Company was targeted by a ransomware attack.  The pipeline supplied nearly half of the gas, diesel, and jet fuel to the U.S. east coast.  The outage resulted in over 10,000 gas stations being without fuel.

In a similar incident in 2019, the Cybersecurity and Infrastructure Security Agency (CISA) reported on a cyberattack that affected the Operational Technology (OT) of a natural gas compression facility.  This event led to a controlled shutdown that lasted for about two days.  The attack involved ransomware delivered by a spearphishing link.

The event was finally rectified when replacement equipment was installed and configurations reloaded.  Perhaps the biggest takeaway from this event is that the facility’s emergency response plan focused on physical emergency scenarios and that no plan was in place for cyber incidents. 

A Large and Serious Problem Not Easily Solved

Most industrial sites were constructed before the age of cybersecurity.  Where information technology has been introduced, legacy systems are often in place with little or no IT support.

Many facility managers and maintenance personnel have insufficient expertise in IT and the requisite cybersecurity protocols.  This has created highly vulnerable systems that are extremely difficult to secure.  These types of attacks have occurred at petrochemical facilities and even nuclear power plants, making this a very real threat whose consequences extend beyond the immediate sites.

Risk Management and Cyber Security

Successful integration of risk management to address cybersecurity rests on a program that defines the processes to be followed.  These processes must include participation from external parties.

The management system should include functions that:

  • identify processes and assets that require protection
  • implement protections 
  • detect events and anomalies continuously
  • respond to events 
  • recover from events

Information Security Management Systems

An Information Security Management System (ISMS) is a collection of policies, procedures, and controls that systematically address information security in an organization.  It provides a framework to conduct risk assessment and risk management.  The most widely recognized and instituted ISMS in the business environment is ISO 27001.  It shares many of the features of a quality management system such as ISO 9001. 

Because an ISMS is a management system, it incorporates mitigation strategies beyond technical solutions such as firewalls and antivirus programs.  As such, an ISMS must be designed to the specific requirements and risk profile of an organization.  This includes establishing objectives for security controls and identifying all information assets within the organization (including electronic data, people, and paperwork).

Once these steps have been accomplished a risk assessment can be undertaken to identify and rank vulnerabilities.  Involvement of all stakeholders is important in this process, including clients, customers, and supply chain participants.  Then the necessary policies and procedures can be developed taking into account the specific regulatory requirements applicable for an organization’s industry. 

These policies and procedures should not only cover mitigation strategies but should also include incident response procedures in the event that a data breach occurs.  As with many management systems, buy-in from all levels of an organization is required, starting at the top.  Once instituted, the program can be monitored, audited, and reviewed for effectiveness so that a continuous improvement cycle is in effect.

IoT Device Recommended Security 

IoT devices are widely used in industrial controls technology, agriculture, military, and critical infrastructure applications.  IoT devices are functional, inexpensive, and easy to implement.  As a result there has been an amazing growth in this market.  Presently the global market value is in the trillions of dollars.

NIST has provided a list of six recommended security features that should be built into IoT devices to prevent infrastructure and manufacturing cyberattacks.  These features should be considered when consumers are selecting a device.

  • Device Identification: The IoT device should have a unique identifier when connecting to networks. 
  • Device Configuration: An authorized user should be able to change the device’s configuration to manage security features.
  • Data Protection: Internally stored data should be protected by a device.  This can often be accomplished by using encryption.
  • Logical Access to Interfaces: The device should limit access to its local and network interfaces by using authentication of users attempting to access the device.
  • Software and Firmware Update: A device’s software and firmware should be updatable using secure protocols.
  • Cybersecurity Event Logging: IoT devices should log cybersecurity incidents and provide this information to the owner and manufacturer.
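As an added illustration (not part of the original post or of NIST's guidance), the following Python sketch shows how two of these baseline capabilities, secure software/firmware update and cybersecurity event logging, can be realized together on a device, with the device identifier carried in every log record.  The device identifier, the provisioning key, and the manifest format are assumptions made for this example, and an HMAC with a per-device key stands in for the vendor's public-key signature that a production device would verify.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumed values for this example: a per-device identifier (the "Device
# Identification" capability) and a key provisioned at manufacture. A real
# device would verify a vendor public-key signature instead of an HMAC.
DEVICE_ID = "sensor-000123"                 # constructed identifier
UPDATE_KEY = b"example-provisioning-key"    # constructed, not a real key


def sign_manifest(manifest: dict) -> str:
    """Vendor side of the example: authenticate a canonical JSON manifest."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(UPDATE_KEY, canonical, hashlib.sha256).hexdigest()


@dataclass
class Device:
    device_id: str
    firmware_version: int
    events: list = field(default_factory=list)

    def log_event(self, kind: str, **details) -> dict:
        """Cybersecurity Event Logging: keep a structured record that the
        owner (or manufacturer) can later collect."""
        entry = {"device": self.device_id, "event": kind, **details}
        self.events.append(entry)
        return entry

    def apply_update(self, manifest: dict, image: bytes, tag: str) -> bool:
        """Software and Firmware Update: accept an image only if the manifest
        authenticates, the image matches the manifest digest, and the version
        does not roll back. Every decision, accepted or not, is logged."""
        if not hmac.compare_digest(sign_manifest(manifest), tag):
            self.log_event("update_rejected", reason="bad_manifest_auth")
            return False
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            self.log_event("update_rejected", reason="image_digest_mismatch",
                           version=manifest["version"])
            return False
        if manifest["version"] <= self.firmware_version:
            self.log_event("update_rejected", reason="version_rollback",
                           version=manifest["version"])
            return False
        self.firmware_version = manifest["version"]
        self.log_event("update_applied", version=manifest["version"])
        return True


def demo():
    """Exercise the cases a device must handle; returns (results, event log)."""
    device = Device(DEVICE_ID, firmware_version=3)
    good_image = b"constructed firmware image v4"   # constructed sample image
    manifest = {"device_id": DEVICE_ID, "version": 4,
                "sha256": hashlib.sha256(good_image).hexdigest()}
    tag = sign_manifest(manifest)
    forged = dict(manifest, version=5)              # edited manifest, stale tag

    results = [
        device.apply_update(manifest, good_image, tag),         # genuine update
        device.apply_update(manifest, b"tampered image", tag),  # image altered
        device.apply_update(manifest, good_image, tag),         # replay of same version
        device.apply_update(forged, good_image, tag),           # manifest tampered
    ]
    return results, device.events


if __name__ == "__main__":
    outcomes, log = demo()
    print(outcomes)
    for entry in log:
        print(json.dumps(entry))
```

The order of the checks matters: authenticity is established before any field of the manifest is trusted, so a forged version number cannot influence the rollback decision, and the rejection reasons in the log give the owner enough to distinguish a corrupted download from a replay or a forgery.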

CVG Strategy

Infrastructure and manufacturing cyberattacks will continue to pose a threat to the international community.

CVG Strategy consultants provide training to make your entire team aware of cyberattacks and how to employ processes to prevent these threats.  We can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.

Our ISMS consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS).  Our team of experts brings extensive experience and deep information security process control expertise (including certification as Exemplar Global ISO/IEC 27001:2013 Lead Auditor) to ensure that you achieve ISO 27001 certification—on time and on budget.

ITAR Requirements – Export Compliance Program


Essential Features of an ITAR Compliance Program

International Traffic in Arms Regulations (ITAR) compliance is a requirement for companies entering markets with defense related applications.  To establish an effective ITAR compliance program all segments of a business must be involved.  Important features of an ITAR program include the following:

  • Registration with the Directorate of Defense Trade Controls (DDTC)
  • Establishing an Export Compliance Officer
  • An effective and continuous training program for all employees
  • Effective Cybersecurity
  • Visitor Access Control
  • A continuing review and evaluation of the ITAR program

DDTC Registration

DDTC registration is a requirement for organizations involved with the manufacture, export, temporary import, or brokering of ITAR controlled items, the provision of related technical services, or the handling of related technical data, as defined on the United States Munitions List (USML), Part 121 of the ITAR.

Export Compliance Team

The primary positions for the development and maintenance of a compliance program are the Empowered Official and the Export Compliance Officer.

The Empowered Official is an individual directly employed by an organization who is legally empowered to authorize license applications.  The Empowered Official verifies the legality of transactions and has the right to refuse any license application.

An Export Compliance Officer (ECO) is the appointed individual of an organization who has the prime responsibility and approval authority for the ITAR export compliance program.  As such, the ECO’s duties include maintaining DDTC registration, submission of Technical Assistance Agreements (TAA), creation of Technology Control Plans (TCP), ensuring that information and facility security is maintained, filing of Temporary License Exemptions (TLA), record keeping, and submission of Voluntary Disclosures.

Export Compliance Training

Regular training is a requirement for all employees involved in an export compliance program.  This is required by both the Bureau of Industry and Security (BIS) and the Department of State Directorate of Defense Trade Controls (DDTC).

Cybersecurity Requirements

The security of classified and Controlled Unclassified Information (CUI) in the Defense Industrial Base (DIB) has long been a source of concern for the Department of Defense (DoD).  In response, the DoD has established the Cybersecurity Maturity Model Certification (CMMC) framework, through which cybersecurity requirements and basic cyber hygiene can be established for DoD contractors.

CMMC requirements are largely based on NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.  There are, however, other requirements, including FAR 52.204-21.

Facility Security

Maintenance of site security is essential for the protection of information.  This security includes control of facility access, posting of areas of limited access, and visitor badges.

Review and Evaluation of the Export Compliance Program

The export compliance program should be audited and reviewed at regular intervals.  This review should be conducted with the participation of upper management.

The Risks of ITAR Violations

Companies attempting to find a quick fix will often overlook the complexities involved in meeting ITAR requirements and place themselves in legal jeopardy, at risk of failing to comply with ITAR and facing severe penalties.  These penalties can include civil fines as high as $500,000 per violation or criminal fines of up to $1,000,000 and 10 years imprisonment per violation.  They can also include being barred from future exports and a loss of business reputation.

Meeting ITAR Requirements Effectively

Meeting ITAR requirements effectively requires buy-in from the top down.  It must involve all employees.  It must ensure the security of a company’s facilities and maintain control of sensitive data.

A properly established program can continually protect a business by integrating with Quality Management Systems (QMS) to evaluate itself.  This allows for a means to detect risks in ITAR Compliance and adjust procedures accordingly.

CVG Strategy

Whether you are part of a large corporation or a small company with a part-time compliance person, CVG Strategy has the compliance and training programs to help you meet ITAR requirements.  Smaller businesses often don’t have the bandwidth to dedicate to adequate export compliance.  Because of this we offer outsourced Export Compliance Officer services.  We also offer signs and accessories to aid in Visitor Access Control on our ITAR Store.

CVG Strategy, LLC is recognized the world over as the premier provider of customized ITAR Consulting and ITAR & Export Compliance Programs and Training that address critical U.S. Government regulations, from the Export Administration Regulations (EAR) to the International Traffic in Arms Regulations (ITAR), Office of Foreign Assets Control (OFAC) requirements, and those of other regulatory agencies.

Cybersecurity Strategy and Business Management


Having a Cybersecurity Strategy is Essential

Having an effective cybersecurity strategy to protect information assets is a necessity in today’s business world.  News stories and alerts appear daily, informing us of yet another threat or data breach that has put at risk the valuable data and security of millions of people.  This endless pressure can lead to paralysis induced by fear, but fear is not a strategy. 

As Sun Tzu, author of the Art of War, said, “He who exercises no forethought but makes light of his opponents is sure to be captured by them.”  Sadly, the modern business world is often too caught up in a tactical perspective at the expense of a strategic one.  Strategy involves vision, risk management, and a willingness to move beyond the status quo.

Learn From Those in the Lead of Cybersecurity Strategy

Having accepted the need for action, one need not re-invent the wheel.  A number of organizations that must respond effectively are setting excellent examples.  The Department of Homeland Security (DHS) is one such example.

In its publication Cybersecurity Strategy, the DHS lays out its plan of battle in a series of goals.  These goals are organized into five pillars:

  1. Risk Identification
  2. Vulnerability Reduction
  3. Threat Reduction
  4. Consequence Mitigation
  5. Enabling Cybersecurity Outcomes

Risk Identification

Identifying the evolving nature of the threat landscape through a risk assessment can inform an organization of the scope of the problem and the nature of the cybersecurity strategy that must be employed.  As the nature of cyber attacks is constantly changing, effective strategies will require constant monitoring with the goal of improving existing processes and controls.

Vulnerability Reduction

For the DHS, Vulnerability Reduction includes denying access to malicious cyber activity and maximizing collaboration between stakeholders.  This is an excellent practice for businesses as well.  Employing appropriate policies and working together with all departments, employees, customers, and vendors is an important part of an effective cybersecurity strategy.

Threat Reduction

The DHS seeks to reduce cyber threats by countering transnational criminal organizations and sophisticated cyber criminals.  While such activities, as executed by the DHS, lie well beyond the purview of most companies, employing effective technological and security systems to protect your organization’s information is essentially performing the same task.

Consequence Mitigation

Having a plan for mitigating the effects of a cybersecurity incident is of extreme importance to a business, its vendors, and its customers.  Such responses must be planned for and coordinated across the board to minimize the damage as quickly as possible.  Because the nature of future incidents is unknown, strategies developed to address them should be flexible in order to enable solutions that are adaptive.

Enabling Cybersecurity Outcomes

This pillar is composed of two goals: To support policies and activities that enable improved cybersecurity risk management, and to execute these policies in an integrated and prioritized way.  

Examples of enabling outcomes would include allocating resources to ensure proper cloud system configurations and ensuring that the software and hardware used do not add attack vectors.

ISO 27001 Information Security Management System (ISMS)

Fortunately for businesses that are serious about developing a comprehensive cybersecurity strategy, ISO 27001 puts all of these principles into action.  It incorporates people, processes, and IT systems to coordinate security efforts consistently and cost effectively.  CVG Strategy can help your business develop a cybersecurity strategy that is appropriate to your business goals, culture, and marketplace.

CMMC Still on Schedule. Is Your Business?


CMMC Still on Schedule Despite Covid-19 Setbacks

The Cybersecurity Maturity Model Certification (CMMC) is still on schedule according to articles posted by National Defense Magazine.  CMMC was developed by the Department of Defense and industry as an effective means of implementing a risk based management approach to cybersecurity.  The first draft (Version 1.0) was released on January 31, 2020.

This approach to cybersecurity will be accomplished by establishing baseline requirements for vendors in the defense industry.  By the end of September 2020 the DoD required at least some companies to meet certain cybersecurity criteria when responding to requests for proposals.  By 2026 all new DoD contracts will require compliance.

Auditor Classes on Schedule as Well

Auditing of businesses involved in DoD contracts will occur by qualified third parties.  These auditors will be qualified by means of CMMC Certified Third Party Organizations (C3PAO).  Plans are still underway to get the first round of C3PAO classes running in May or June of this year.  These audits will be performed on site.

Businesses Urged to Get Started

Katie Arrington, chief information security officer at the office of the undersecretary of defense for acquisition, commented that businesses should start implementing Level 1 requirements immediately.  She was quoted as saying “CMMC level one are 17 controls, no cost, that you can implement today that can help you be secure”.  She also stressed a need for urgency, saying “Waiting isn’t an option for any of us right now”.


SPRS Cybersecurity Assessment Requirements

To press companies toward compliance, and to assure that the CMMC stays on schedule, the DoD created an interim ruling, DFARS 252.204-7012, in September 2020 to require Supplier Performance Risk System (SPRS) assessments.  This has left businesses, especially second and third tier suppliers, scrambling to meet requirements.  The SPRS Cybersecurity Assessment is a requirement for all businesses providing products or services to the Department of Defense (DoD).  The SPRS assessment is to be completed by the contractor before DoD contracts can be awarded.

The assessment is based on a scoring methodology of security requirements based on the NIST SP 800-171 DoD assessment methodology. The methodology is comprised of three levels (basic, medium and high).  The interim rule requires a basic level self-assessment to be completed by the contractor.  Medium or high assessments must be completed by the government. 

Self-attestation to NIST 800-171 is already a requirement under current regulations; however, the interim ruling allows the government to inspect compliance more carefully.  CMMC will not be required for Commercially Available Off-the-Shelf (“COTS”) procurements at or below the micro-purchase threshold.

NIST SP 800-171

NIST SP 800-171 forms the backbone of a collection of cybersecurity best practices and controls to protect Controlled Unclassified Information (CUI) in the DoD supply chain.  It is comprised of five cybersecurity maturity levels:
  • Level 1 – Basic Cyber Hygiene
  • Level 2 – Intermediate Cyber Hygiene
  • Level 3 – Good Cyber Hygiene
  • Level 4 – Proactive
  • Level 5 – Advanced/Progressive

Each of these levels requires an organization to have a minimum number of controls in place.  To verify compliance, an organization will need to be audited by a certified third party assessor organization (C3PAO).

CMMC Controls

CMMC is currently comprised of 171 controls involving people, processes, and technology.  These include controls for access, configuration management, incident response, media protection, and situational awareness among others.  While having these controls in place is essential, CMMC does not provide a means for effective management of these controls. 

The Need for Effective Cybersecurity in Businesses is Very Real

As of the beginning of the year, about $600 billion of domestic product is lost through cyber theft per year.  A large part of this is being undertaken by the People’s Republic of China and the Democratic People’s Republic of Korea.  For businesses involved in the manufacture or development of defense materiel, this is especially concerning.

Because of Covid-19, many companies have had to institute remote work before establishing sufficient cyber protocols.  At this time companies are being urged to remain diligent.  Of late many businesses have had problems with Zoom.  While Zoom is not alone with regards to vulnerabilities, its links to China make it a poor choice for members of the defense industrial base.

Concerns Over Industry Costs

In April of 2021 it was announced that the Defense Department was conducting an “internal assessment” of the CMMC.  A number of voices have raised concerns about the cost of meeting CMMC for smaller businesses among DoD contractors.  Among them is Lauren Knausenberger, the Air Force Chief Information Officer, whom FedScoop reported as having mixed feelings about locking out smaller innovative suppliers.

CVG Strategy CMMC Consultants

CVG Strategy is committed to getting businesses on track and competent with cybersecurity.  The CMMC is still on schedule; is your business?  We are assisting businesses in performing their SPRS assessments and providing guidance as to how to move forward.

Our Cybersecurity Consulting Services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS). 

Interim CMMC Version Released After Leadership Change


An interim CMMC version was released on September 29, 2020, finishing off a tumultuous month at the organization.  On September 2, 2020, two members of the Cybersecurity Maturity Model Certification Accreditation Board were voted off in the midst of a conflict of interest controversy involving a pay-to-play strategy.  Karlton Johnson is now the chairman of the board.

DoD Interim Ruling

The interim ruling, DFARS 252.204-7012 Interim Rule, places immediate cybersecurity requirements on Department of Defense (DoD) supply chain contractors.  Among the changes is a requirement for vendors to complete an assessment under the NIST SP 800-171 DoD assessment methodology.

This assessment is to be completed by the contractor before DoD contracts can be awarded.  The DoD has encouraged contractors to respond immediately.

This assessment is based on a scoring methodology of security requirements.  The methodology is comprised of three levels (basic, medium and high).  The interim rule requires a basic level self-assessment to be completed by the contractor. 

Medium or high assessments must be completed by the government.  CMMC will not be required for Commercially Available Off-the-Shelf (“COTS”) procurements at or below the micro-purchase threshold.

Self-attestation to NIST 800-171 is already a requirement under current regulations.  However, the interim ruling allows the government to inspect compliance more carefully.

This new enforcement will become effective on November 30, 2020 and is a requirement for the award of government contracts.  This gives those affected little time to respond as the DoD is only receiving comments through November 22.

Supplier Performance Risk System (SPRS)

The SPRS is the DoD’s web-enabled enterprise application that gathers, processes, and displays data about the performance of suppliers.   DFARS clause 252.204-7012 will require contractors to have assessments completed.  After completion contractors will have an opportunity to access their SPRS score and rebut the findings.

Background on CMMC

CMMC was created by the Office of the Under Secretary of Defense for Acquisition & Sustainment as an effective means of implementing risk based management approaches to cybersecurity.  It is a cooperative effort between the DoD and industry and is coordinated by the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB).

The CMMC was enacted to place cybersecurity requirements on DoD contractors to achieve levels of cybersecurity maturity to protect Controlled Unclassified Information (CUI)  and Federal Contract Information (FCI) in the DoD supply chain. 

The CMMC (Cybersecurity Maturity Model Certification) Accreditation Body will approve Third Party Assessment Organizations (C3PAOs).  These third party organizations, when accredited, will be authorized to conduct CMMC assessments and grant CMMC certifications.  The CMMC is still on target for full implementation in 2025.

Reactions to the CMMC Interim Ruling

There has been some disappointment voiced by federal contractors about the immediacy of this change, because the industry will, in effect, have limited ability to respond.  This is because the ruling was not published as a proposed draft.

Additionally, many small business owners have expressed concerns about the increased cost involved in hiring third party cybersecurity assessors to verify compliance with the National Institute of Standards and Technology standard.  To many, the assessments seem redundant with the final requirements of the CMMC.

The Importance of a Secure Supply Chain

The security of the supply chain in the Defense Industrial Base is vital to the U.S.  There has been broad recognition of the lack of sufficient security among suppliers to the DoD.  As with other industries, defense contractors have been behind the curve on securing sensitive data.  Cyber supply chain risks include theft of information, tampering, and insertion of malicious software.

Hostile nation states including China, Russia, Iran, and North Korea are actively involved in theft and sabotage of DoD information.  Because of the inherent complexities of managing a multi-tiered, interconnected supply chain, it is essential to provide a uniform set of requirements for all members.  This latest revision to the CMMC is a stopgap measure to shore up vulnerabilities until its full implementation is complete.

CVG Strategy

The interim CMMC version released in October underlines the government’s commitment to protecting the DoD from the very immediate and intrinsic threat of data breach.  In response to these developments CVG Strategy is providing consulting services to help your organization ramp up to compliance with DFARS 252.204-7012 and NIST 800-171.

CVG Strategy will also be providing pre-assessment training, implementation and subject matter support as final CMMC requirements roll out.

Trends in Quality Manufacturing – Innovation & Integration


Trends in quality manufacturing are emerging in reaction to Covid-19 and various international political issues.  Industries are having to rethink products, processes, markets, and strategies to remain competitive and viable.  Many analysts have suggested that at this time a fundamental paradigm shift is required for many businesses to achieve resiliency.  This view is echoed in the recently released 2020 Georgia Manufacturing Survey.

Manufacturing Requirements and Challenges

Skilled Workforce

Many industries are noting a shortage of workers with the required skill sets.  This shortage pertains to basic skills required for job performance as well as technical acumen.  In some states, industry is teaming up with education to shore up this critical shortage.  Often businesses are offering education incentives to bolster their existing workforce capabilities.

Many companies are reluctant to actively engage in external training.  Additionally, many do not perform cross-team training to ensure adequate staffing at all times.

Information Security

As in all enterprises, manufacturing is experiencing increasing risk from data breaches.  Businesses in all sectors have been behind the curve in implementing effective cybersecurity strategies.

Manufacturing facilities face increased vulnerability to cyber attacks due to the use of digital devices such as programmable controllers connected to the industrial internet.  Often these are legacy devices that lack proper security.  Additionally, the rapidly growing number of Internet of Things (IoT) devices are often installed and operated without sufficient regard to security.

Secure Supply Chain

The global supply chain is having to be rethought in light of recent events involving China and Covid-19.  A secure supply chain is essential for producing a quality product that meets customer requirements on schedule.  Many manufacturers are seeing value in diversifying their supply chains to mitigate risks.  This includes moving away from foreign sources for critical items.

Reconsideration of supply chain vulnerabilities also includes outsourcing.  Trends in quality manufacturing in 2020 are showing a rapid movement towards reshoring manufacturing back to the United States.  This growth in manufacturing in the United States is expected to continue in coming years.

International Trade and Tariffs

Recent international political events have changed import and export laws.  This again is affecting the viability of supply chains.  It is, however, also affecting the customer base because of changes in tariffs and export law.  Often this is driving manufacturers to compete with products that are innovative and of higher quality instead of competing on low-priced goods.

New Directions in Manufacturing

Modernization

To remain competitive, many manufacturers are modernizing their shop floors.  This digital transformation includes an integration of information across silos.  Manufacturing ERP (Enterprise Resource Planning) is allowing organizations to better collect, store, manage and analyze big data.  As a result, organizations are better able to monitor the pulse of the business and make better-informed decisions based on predictive analytics.

The implementation of robotics and advanced sensor technology, including RFID, is helping produce higher quality goods more efficiently.  Technology is assisting both manufacturing and quality management teams to improve the continuity of quality manufacturing through automation and better monitoring capabilities.  Often these technologies can be implemented with relatively low investments in capital.

Challenges for Quality Management

Trends in quality manufacturing are changing the nature of the industry at a rapid rate.  As a result, Quality Management Systems (QMS) must adapt to a new dynamic.  Today quality systems must examine and mitigate supply chain risks and manage data security, while ensuring that quality products are consistently being produced that meet or exceed customer expectations.

To meet these challenges, quality management systems must integrate information from more stakeholders.  A QMS must analyze this information, as well as data from automated systems, to dynamically monitor business sectors and respond appropriately.  Because of this, process improvement becomes a daily activity, with results yielding almost instant data for analysis.

CVG Strategy Quality Management Consultant Services

CVG Strategy quality management experts can help you create and maintain a Quality Management System that is tailored to the unique requirements of your organization.  We have extensive experience in ISO 9001:2015, AS9100, and ISO 27001.  A properly developed QMS can mitigate risks and create continuous process improvement.  This is especially important at a time when manufacturing is undergoing such rapid change.

Canada to Suspend Exports to Turkey


Foreign Affairs Minister Francois-Philippe Champagne has announced that Canada will suspend the export of arms to Turkey over concerns of human rights violations.  Champagne stated on October 5, 2020 that “Canada continues to be concerned by the ongoing conflict in Nagorno-Karabakh resulting in shelling of communities and civilian casualties.”  The suspension will allow Canada’s export regime to conduct an assessment of this situation.

Background on the Nagorno-Karabakh Conflict

The Nagorno-Karabakh region is composed primarily of ethnic Armenians, who have attempted to separate from Azerbaijan.  This led to a war between Armenia and Azerbaijan from 1988 through 1994.  Although a ceasefire has held between the two countries, no settlement has been reached over the Nagorno-Karabakh issue.

Officially, no nation currently recognizes Nagorno-Karabakh as an independent state.  Recent resumptions of hostilities have raised concerns that a dramatic escalation of the conflict might ensue.  During the latest Azerbaijani offensive more than 220 people have been killed.

Canadian Concerns of Turkish Involvement

Canada is concerned that Turkey may be involved in backing Azerbaijan by supplying technology in the conflict.  Of special concern is the possible use of Canadian drone technology by Azerbaijani forces.  Project Ploughshares, a Canadian peace institute, claims in a recent report that UAVs with Canadian-supplied WESCAM EO/IR sensors were used in recent airstrikes.  Turkey may have also exported UAVs with these sensors to Libya.

Turkey has openly supported Azerbaijan in this conflict.  It has, however, denied accusations of involvement in recent events.  It has also claimed that Canada is employing double standards in its actions, citing Canada’s export of arms to countries with military involvement in Yemen.

Turkey has only recently imported Canadian military goods.  In 2019 Turkey purchased over $150 million of defense goods, making it Canada’s third-largest customer.

Canada’s Next Move

Following the announcement that Canada will suspend arms exports to Turkey, Prime Minister Justin Trudeau has asked Champagne to work with European allies on the escalation of military action in the area.  Canada has called upon Armenia and Azerbaijan to negotiate through the Organization for Security and Co-operation in Europe.

The export of defense goods and technology is a complex issue given the number of international conflicts and potential conflicts.  Canada has justifiable reasons for concern regarding its export policies towards Turkey, though some might argue that this assessment should have been conducted earlier.

Clearly Canada is not alone in its concern about the Nagorno-Karabakh conflict.  Russia, France, and the United States have called for cessation of hostilities in the region and have asked involved parties to resume negotiations.

CVG Strategy Export Compliance Consultants

Negotiating the export of goods requires constant diligence from businesses in both Canada and the United States.  CVG Strategy has over a decade of experience assisting organizations in developing and maintaining effective export compliance programs.  Our experts can help you with both U.S. and Canadian export law.

We provide export control classification, program audits, and export compliance team training.  We also offer a wide variety of ITAR signs, badges and accessories to defense goods suppliers that help ensure facility security.

Supply Chain Quality Management in Uncertain Times


Recent events have illustrated the need for effective supply chain quality management.  Industries in any sector are vulnerable to unforeseen changes in global economic and political forces.  Indeed, the viability of supply chains is even subject to microscopic viruses that can render entire companies inoperable.

The Role of a Quality Management System in Supply Chain Processes

A role of any quality management system is to identify risks.  There are numerous risks involved in procuring items essential to the delivery of a product or service.  Some are obvious, such as price, consistent quality of items, and logistics that affect timely delivery.  Others are more nuanced, such as the reputational risk associated with the actions of the procurer or supplier.

Regardless of the complexities involved, a risk assessment should include profiles of all supply chain members and identify potential vulnerabilities.  This can be challenging in many instances because a supplier may contend that certain information of this nature is proprietary.

Reputational Risk in the Supply Chain

Accountability of sourcing has become more complex with the advance of globalization.  This can lead to undesired and often unforeseen consequences that can damage a product’s reputation.

Recently, increased scrutiny has been leveled at the use of forced labor in countries with poor human rights records.  International legislation has been applying pressure on governments that are involved in these practices.  An example of this is a ban on goods from the Xinjiang province of China.

Globalization of the supply chain involves the import and export laws associated with the involved countries.  Here again vulnerabilities exist.  There are levels of complexity that must be dealt with to ensure that regulations prohibiting foreign corrupt practices are not violated.

Clearly, involvement with a supply chain partner that does not share common core values can lead to serious marketing issues.  This is because once a brand has been associated with malfeasance it can be difficult to restore it.

Cybersecurity and Supply Chain Risk

Cybersecurity has become a major concern for businesses worldwide.  Currently the business world is generally playing catch-up to protect the sensitive data of their enterprises as well as of their customers.

The supply chain has repeatedly been shown to be the most vulnerable area for many companies.  This is because it can often be unclear as to who is managing the risks of data breach.  Partnering with suppliers that employ an industry appropriate Information Security Management System (ISMS) is crucial for establishing data security policies and practices that protect all parties.

CVG Strategy Consulting Services

CVG Strategy consultants have extensive experience in the creation and maintenance of quality and information management systems.  Our areas of expertise include ISO 9001, AS9100, ISO 27001, NIST 800-171, and CMMC.  This allows us to tailor a system that meets your organization’s specific requirements for increased security and customer satisfaction.

We can help you assess your entire risk profile, including your supply chain, so that you can form internal and external policies and procedures to promote the continued growth of your enterprise.

Cuban Asset Control Regulations Amended


The U.S. Department of Treasury released amendments to Cuban Asset Control Regulations on September 24, 2020.  The amendments pertain to 31 CFR Part 515 and have been released as a final ruling to further implement President Donald Trump’s foreign policy towards Cuba.  The ruling is effective immediately.

Specific Prohibitions of the Regulations

The Office of Foreign Assets Control (OFAC) amendments remove a general license for persons subject to U.S. jurisdiction to participate in or organize certain clinics, workshops, athletic or non-athletic competitions, and exhibitions previously allowed during the Obama administration.  The new restrictions as published in the Federal Register include:

  • Restrictions on lodging, paying for lodging, or making reservations for lodging, at certain properties in Cuba.
  • Restrictions on importation into the United States of Cuban-origin alcohol and tobacco products.
  • Professional research and professional meetings in Cuba.
  • Public performances, clinics, workshops, athletic and other competitions, and exhibitions.

Reasons for Cuban Restrictions

The restrictions were announced on September 23, 2020 by President Trump as “… part of our continuing fight against communist oppression.”  He went on to say that “these actions will ensure U.S. dollars do not fund the Cuban regime.”

Human rights violations in Cuba have been taking place for decades.  Human Rights Watch has documented arbitrary detention and short-term imprisonment, restriction of information, prosecution of journalists, political imprisonment, and prohibitions regarding freedom of association.  The U.S. Department of State has been monitoring these abuses and

Cuban Asset Control Regulations are also being amended as a result of U.S. trade policies that seek to hold the Cuban Communist Party accountable for its support of the regime in Venezuela.

Export of Goods to Cuba

The United States maintains a comprehensive embargo on trade with Cuba.  The export or reexport of goods to Cuba is subject to the Export Administration Regulations (EAR), which are administered by the Bureau of Industry and Security (BIS).  The export of goods is generally prohibited unless authorized by exemptions specified in section 746.2(a)(2) of the EAR.

Exceptions to the embargo are made for certain categories of goods.  These include:

  • Medicines and medical goods.
  • Goods that would ensure the safety of civil aviation.
  • Telecommunication items usable by the Cuban people.
  • Items necessary for the improvement of U.S. and international environmental conditions.
  • Items that meet the needs of the Cuban people.

CVG Strategy Export Compliance Services

Businesses of all sizes are challenged by the complexity of ever-changing export regulations.  CVG Strategy has been helping businesses establish and maintain viable export compliance programs.  Our experts have extensive experience in the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR).  We also provide engaging and up-to-date training to keep your export compliance team current.

Employee Cybersecurity Negligence a Risk


Employee cybersecurity negligence is still a major cause of risk for businesses.  Despite an increased emphasis on training people, human error and bad habits continue to endanger sensitive information.

Data Breaches on the Rise

Institutions of all types have seen a dramatic increase in the number of cyber attacks.  This has been especially the case during the pandemic, with an increase in the number of people working remotely.  These attacks are hitting every sector of business and government.  While expensive for large enterprises, they can lead to the demise of small businesses.

Remote working has led to increased dependency on teleconferencing and working outside of facility-controlled Wi-Fi networks.  In many cases businesses have not put sufficient policies in place for remote access.  Often this has resulted in inappropriate technologies being employed.  As a result, meetings have been “zoombombed” and sensitive information has been exposed.

More Training Not Necessarily the Solution

Although it may seem counterintuitive, more training on cybersecurity best practices does not always lead to long-term changes in behavior.  Many breaches are caused by actions most would recognize as unsafe.  These include leaving a computer unlocked and unattended, connecting to unsecured Wi-Fi, falling for a phishing scam in an email, or sending emails with critical information to the wrong parties.

Generational Differences in Behaviors

Many might be tempted to conclude that millennials, having grown up with continual access to technology, would have a superior grasp of cybersecurity practices.  However, millennials are often less concerned about sharing sensitive data.  Additionally, because this generation is used to more instantaneous results, they often practice long-ingrained shortcuts to get a job accomplished quickly, thereby bypassing security measures.

Older employees are often not as aware of current cyber threats or information security protocols and can be less likely to incorporate new procedures and protocols, again reverting to old habits.

Responding to Human Error and Negligence

While cyber criminals continue to develop increasingly sophisticated tools to accomplish their goals, relatively unsophisticated methods such as phishing remain extremely effective.  Phishing attacks prey upon human gullibility with fake emails and phony sites to gain access to sensitive information.

The solution to effective data security, therefore, cannot be addressed solely with IT solutions.  An antivirus program will probably not prevent all acts of employee negligence.  When data security risks are realistically evaluated, the resulting question is not “what should we do if we are hacked?” but “what should we do when we are hacked?”

To develop effective data security plans an organization requires an Information Security Management System (ISMS).  CVG Strategy can help you develop an effective ISMS that is tailored to large corporations or small business owners.  We specialize in ISO 27001 and NIST 800-171.  We can also assist those working in the defense industry achieve Cybersecurity Maturity Model Certification (CMMC).

An ISMS can help an organization realistically assess its employee cybersecurity negligence risks and develop appropriate policies to mitigate data breaches.  It also provides mechanisms for creating incident response plans to address breaches when they occur.  Furthermore, certification in an appropriate ISMS conveys to your partners your organization’s commitment and diligence regarding data security.