Cybersecurity
Effective cybersecurity is essential to running a healthy business, maintaining production operations and protecting information. Ensuring Boeing suppliers understand their own cybersecurity maturity and posture is also critical to our shared goal of a healthy, stable, and efficient supply chain and production system. In order to protect both commercial and defense-related businesses and support our production operations, Boeing has adopted security principles in accordance with National Institute of Standards and Technology (NIST) Cybersecurity Framework and expects similar efforts from suppliers to adequately protect the supply chain. Boeing does not require suppliers to be certified under any specific framework; however, the expectation is that all suppliers will adopt security practices in accordance with an industry-leading security framework such as ISO 27001 or the NIST Cybersecurity Framework.
The Boeing Company Requirements
The Boeing Company collaborates with its suppliers to clearly establish responsibilities and capabilities in order to best manage cybersecurity risk associated with the products or services provided. Suppliers may review the Terms of Use of Boeing Information and Electronic Systems to preview Boeing’s contractual cybersecurity expectations.
- SP5- The Boeing Terms of Use and Cybersecurity Supplement
- NIST SP 800-171
- Additional requirements as applicable
To better understand the cybersecurity posture of our suppliers, Boeing has established a cybersecurity questionnaire to measure a supplier’s cybersecurity maturity through Exostar’s Partner Information Manager (PIM) portal. Review the PIM resource webpage for more information.
In the event where incident reporting is needed, please email Abuse@boeing.com.
Commercial
Suppliers must ensure goods delivered to Boeing (including electronic systems and software) satisfy the relevant civil aviation regulations for safety, airworthiness and quality, including but not limited to:
- Title 14, Parts 21 and 25 in the Code of Federal Regulations (CFR)
- Parts 21
- Parts 25
- European Aviation Safety Agency (EASA) Part 21.A.139
- 14 CFR Part 21.137 – FAA Design Holder Reporting Requirements, “Quality System”
- 49 CFR Parts 15 and 15.20 – Sensitive Security Information (SSI) for restriction of information
- FAA Order 1600.75 – Protecting Sensitive Unclassified Information (SUI) [Restricted Document]
- Defense requirements as applicable
Defense
When it comes to data security for unclassified information systems, the United States government’s primary means of ensuring cybersecurity throughout the supply chain has been through compliance with Federal Acquisition Regulations (FAR) and Defense Federal Acquisition Regulations (DFARS).
- Basic Safeguarding of Covered Contractor Information Systems – FAR 52.204-21
- Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities – FAR 52.204-23
- Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment – FAR 52.204-25
- Safeguarding Covered Defense Information and Cyber Incident Reporting – DFARS 252.204-7012
- Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services – DFARS 252.204-7018
- NIST SP 800-171 DoD Assessment Requirements – DFARS 252.204-7020
Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard for future Department of Defense acquisitions. CMMC addresses Controlled Unclassified Information and will supplement the NIST 800-171 controls set forth in DFARS 252.204-7012. CMMC contains three increasingly progressive levels, ranging from Foundational (Level 1) to Expert (Level 3; that will utilize a sub-set of requirements form NIST-SP-800-172). More about the CMMC can be found at:
Defense Industrial Base Sector Coordinating Council Cyber Assist
The Defense Industrial Base (DIB) Sector Coordinating Council (SCC) CyberAssist website provides trusted resources to assist DIB companies and suppliers of varying sizes with implementation of cyber protections and awareness of cyber risk, regulations and accountability for their supply chain. The website has a specific CMMC section that provides suppliers with resources to navigate CMMC awareness and implementation.
Resources
- Cybersecurity & Infrastructure Security Agency’s (CISA) National Cyber Awareness System (including Cyber Tips, Incidents and Vulnerabilities)
- Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171)
- Office of the Secretary of Defense FAQs for DFARS 252.204-7012
- Aerospace Industries Association Resources
- Exostar Cybersecurity Resources
- Supply Chain Risk Management Practices for Federal Information Systems and Organizations – NIST 800-161
- NIST Framework