The Office of the Inspector General (OIG) for the US Department of Defense (DoD) released the Audit of the Cybersecurity of Department of Defense Additive Manufacturing Systems (DODIG-2021-098) [1] in July 2021, to determine "whether DoD [sites] secured additive manufacturing (AM) systems to prevent unauthorized changes and ensure the integrity of the design data." The audit report recommends requiring "all AM systems to obtain an authority to operate in accordance with DoD policy before their use" [1], and requiring "AM system owners to immediately identify and implement security controls to minimize risk until obtaining an authority to operate" [1]. The DoD Chief Information Officer (CIO) responded that existing DoD regulations already require both of these for "all IT systems, including AM systems" [1]. Such cybersecurity rules can help guard against threats such as design file theft or digital thread hacking, as well as unauthorized prints on AM systems, which can impact the safety and integrity of parts used in defense systems, expose critical intellectual property to bad actors, and even cause manufacturing facilities to shut down. To improve AM system vendors' understanding of these cybersecurity requirements for the DoD and the US Government (USG), we discuss in this paper the process for obtaining an Authority To Operate (ATO) certification for an IT system under DoD and USG cybersecurity regulations, namely the Risk Management Framework (RMF) process from the US National Institute of Standards and Technology (NIST) [2]. We also describe resources that AM system vendors can use to understand and implement the RMF process for obtaining an ATO certification, particularly in the DoD environment.

[1] Department of Defense Office of Inspector General. 2021. Audit of the Cybersecurity of Department of Defense Additive Manufacturing Systems (DODIG-2021-098). https://www.dodig.mil/reports.html/article/2683843/audit-of-the-cybersecurity-of-department-of-defense-additive-manufacturing-syst/ Full report: https://media.defense.gov/2021/Jul/07/2002757308/-1/-1/1/DODIG-2021-098.PDF

[2] NIST Information Technology Laboratory Computer Security Resource Center. 2021. About the Risk Management Framework (RMF): A Comprehensive, Flexible, Risk-Based Approach. https://csrc.nist.gov/projects/risk-management/about-rmf