While tragedies in the aerospace industry are rare, they pose a significant risk to national security. To address these threats, the industry has implemented rigorous cybersecurity standards designed specifically for aerospace systems.
One of the most recognized of these is the Aerospace Cybersecurity Standard, formally known as NAS 9933. Understanding this standard is essential for aerospace organizations, contractors, and suppliers, as it guides how sensitive data and critical systems are protected.
Before The Aerospace Cybersecurity Standard
Before formal cybersecurity standards were introduced, the aerospace industry lacked a unified approach to protecting sensitive systems and data. While frameworks like NIST 800-171 and the CIS Critical Security Controls (CIS CSC) were adopted by some organizations, they were not specifically tailored to the unique challenges of aerospace operations.
This gap in comprehensive, industry-specific policies led to low adoption of cybersecurity measures. In fact, reports indicate that only 40% of aerospace businesses maintained a formal security policy, leaving critical systems vulnerable to cyberattacks that could have serious national security implications.
Recognizing this risk, the Aerospace Industries Association (AIA) collaborated with cybersecurity experts and government agencies to develop a dedicated Aerospace Cybersecurity Standard, NAS 9933. This standard provides tailored guidance for aerospace organizations, ensuring sensitive information and critical infrastructure are better protected.
Challenges in the Aerospace Industry
The Aerospace Industries Association (AIA) has identified several key challenges that could impact the long-term success of cybersecurity standards in the aerospace sector:
- Collaboration Across Organizations: There is a growing need for aerospace companies and government agencies to work together on joint security initiatives. Such collaboration fosters a stronger security culture while reducing regulatory burdens on providers.
- Adapting Existing Frameworks: Current frameworks like NIST 800-171 and the CIS Critical Security Controls (CIS CSC) must be tailored to meet the unique demands of the aerospace industry.
- Protecting Sensitive Information: The Department of Defense (DoD) must clearly mark Covered Defense Information (CDI) and implement a tiered system to ensure sensitive data receives the appropriate level of protection.
- Understanding the Threat Landscape: Aerospace organizations and cybersecurity professionals need a threat-based approach to defense, improving the ability to anticipate and respond to potential attacks.
Aerospace is already a highly regulated industry. Integrating existing frameworks with dedicated cybersecurity standards like NAS 9933, along with quality assurance and management processes, can create a comprehensive framework that strengthens both security and compliance.
CMMC, NIST, CIS CSC, and NAS 9933
The National Aerospace Standard 9933 (NAS 9933) was developed by the Aerospace Industries Association (AIA) to provide a tailored approach to cybersecurity in the aerospace sector. To fully understand this standard, it’s helpful to look at the frameworks that influenced its creation.
NAS 9933 is not a stand-alone framework. Instead, it complements existing cybersecurity standards like NIST 800-171 and the CIS Critical Security Controls (CIS CSC). These frameworks form the foundation for NAS 9933, ensuring that aerospace organizations have robust, industry-specific guidance for protecting sensitive data.
NIST 800-171 is widely used by aerospace organizations handling Controlled Unclassified Information (CUI). Given the sensitive nature of the data processed, this framework provides essential controls to mitigate risks to national security. As part of the evolving cybersecurity landscape, NIST 800-171 will eventually transition to the Cybersecurity Maturity Model Certification (CMMC), which introduces mandatory third-party compliance verification instead of self-certification.
For aerospace organizations engaged with DoD contracts, understanding the relationship between NAS 9933, NIST 800-171, and CMMC is critical. While NAS 9933 is currently voluntary, it works alongside NIST 800-171 and can extend to CMMC requirements as the industry adapts to new regulations.
The CIS Critical Security Controls (CIS CSC) provide a globally recognized framework for cybersecurity. NAS 9933 builds on this framework by adding two aerospace-specific controls to the existing 20, creating a comprehensive cybersecurity standard tailored for the industry.
Organizations should choose which framework to combine with NAS 9933 based on the type of information they handle. For CUI, NAS 9933 should be used alongside NIST 800-171. For all other data, CIS CSC remains a reliable foundation. While full CMMC implementation may take another 2–3 years, proactive adoption of NAS 9933 ensures readiness and helps maintain eligibility for DoD contracts.
Aerospace Cybersecurity Standard NAS 9933
The Aerospace Industries Association (AIA) developed NAS 9933 in response to the industry’s lack of uniform cybersecurity standards. The goals of the standard are clear:
- Measure Cybersecurity Risk: Provide industry partners with a reliable indicator of a company’s cybersecurity profile, helping assess potential risk.
- Enable Reciprocity: Ensure a company’s cybersecurity level is recognized across the aerospace industry and critical infrastructure sectors, supporting national interests.
NAS 9933 complements existing frameworks, particularly NIST 800-171, and incorporates the Exostar Questionnaire Standard as a baseline. It also aligns with the control families within the CIS Critical Security Controls (CIS CSC) to create a comprehensive standard tailored to aerospace organizations.
Certification to NAS 9933 is entirely voluntary. Organizations interested in adopting the standard can purchase the full list of controls from the AIA Standards Store. Although adoption is voluntary, partnering with a cybersecurity provider experienced in framework implementation, especially one familiar with NIST 800-171, can ensure a smoother and more effective adoption process.
RSI Security and Framework Compliance
Staying compliant with cybersecurity standards is essential for aerospace organizations, especially as frameworks like NIST 800-171 evolve and the CMMC moves toward mandatory third-party verification. RSI Security can help your organization navigate these changes and maintain compliance with industry best practices.
The aerospace industry is not alone in facing sweeping changes to the cybersecurity landscape. Rapid technological innovation creates new threats, and regulators are continually updating laws to keep pace. Critical infrastructure industries, such as aerospace, have proactively enacted security frameworks like NAS 9933 to address these risks.
Although adoption of NAS 9933 is voluntary, history shows that regulatory changes often follow major incidents. Implementing robust cybersecurity standards now not only protects your organization but also positions it as a leader in industry security practices.
The safest strategy is to stay ahead of emerging threats. Build resilience, ensure compliance, and set an example for the aerospace sector. Contact RSI Security today to develop a tailored plan for your cybersecurity and compliance goals.
