Getting The Australian / US Naval Collaboration Ready To Sail

Published On: 14 March 2024. Categories: Defence, Security

A key milestone for the Australian Nuclear Submarine program was achieved in December 2023 when the U.S. Congress approved legislation to sell Virginia Class submarines to Australia, allow the transfer of sensitive technology, and enable the maintenance of U.S. submarines in Australian shipyards.

This is a historic achievement – the first time the U.S. has authorised the sale of nuclear-powered submarines to another nation.

Supporting those deepening ties is the recent graduation of Royal Australian Navy (RAN) officers from the United States Navy Nuclear Power School. This, together with the establishment of the Australian Submarine Agency in July 2023, shows the RAN’s commitment to devoting the personnel and organizational components needed to succeed with its submarine program.

Another component necessary for the success of the US/AU collaboration is a fully functional industrial ecosystem. Industrial partnerships will be crucial to the success of the AUKUS initiative by channelling American IT engineering and cyber consulting expertise into Australian security and defence consultancies. Other American industry players are also getting ready to ensure supply chains are in place and otherwise enable this expansion of submarine warfighting capability into Australia.

Part I – Regulation and Certification

We’ve created this article to share some of what our two companies have learned about the requirements for industrial collaboration in support of the new submarine strategy. The balance of this article is devoted to regulation and certifications; subsequent articles will focus on other aspects.

There are numerous US and AU defence programs, certifications and standards that need to be considered. Participants in this emerging collaborative ecosystem will need to conform to Australia’s Defence Industry Security Program (DISP), with requirements that can be a challenge for some providers. The program dictates physical, personnel, governance, and information/cyber security protocols, each of which has a non-trivial timeline for completion of the vetting process. The Australian Defence Security and Vetting Service (DS&VS), which facilitates DISP assessments, has limited bandwidth that is already stretched thin. Whilst industrial participants can’t expedite DS&VS processes, a keen understanding of DISP can ensure applicants have appropriate and mature artifacts to smooth DS&VS assessments.

Similarly, the US has stringent programs for handling and holding US Defense information and exports out of the US. Program participants in the new submarine collaboration will need to conform to the International Traffic in Arms Regulations (ITAR). ITAR regulations dictate that information and material pertaining to defence and military-related technologies may only be shared with US citizens unless authorization from the Department of State is received to export the material or information to a foreign person. And whilst the aforementioned legislation makes this authorisation simpler for AUKUS, ITAR compliance and assurance are still required.

In addition to logistics and access requirements, the US Department of Defense requires industrial participants, both internal and external to the US, to enact appropriate information/cyber risk management controls. US Government requirements are primarily authorized by the National Institute of Standards and Technology (NIST), with NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, being the guideline for compliance.¹ Many Australian industry entities may be familiar with the NIST SP 800-53 Risk Management Framework but less so with NIST SP 800-171 and the certification of their organisation.

An extension of this is the US Cybersecurity Maturity Model Certification (CMMC), an equivalent of the Australian Essential 8 and ISM. To date, implementation of the NIST SP 800-171 to meet federal government cyber/information security requirements has been self-assessed by Defense Industrial Base (DIB) organizations and adjudicated by the contracting officers and representatives (CORs) managing their DoD contracts. CMMC “1.0” was established in 2020 as the initial framework for certifying, via approved third parties, that an industry partner meets appropriate cybersecurity standards, but it was never fully implemented. The CMMC has undergone significant change since then, with CMMC “2.0” recently published for public review and comment. Whatever combination of ITAR, CMMC, and Essential 8/CSM requirements is levied on the Australian industry, it will require a practised hand to properly navigate them.

We will continue to explore these and other foundation-building elements of the AUKUS agreement in subsequent articles.

¹ The Federal Acquisition Regulation (FAR 52.204-21), in conjunction with the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012), establishes the contractual mandate for the security of information and information systems by US Defense Industrial Base (DIB) organizations.

About the authors

Craig Petrie, CSC, is Lead Partner, Integrated Security Services, at Anchoram Consulting, Canberra, Australia, a professional services consulting company focused on security, critical infrastructure, defence and the public sector. Anchoram has extensive experience in working with clients on the Defence Industry Security Program, Protective Security Policy Framework and the Information Security Manual.

Kevin Esser is a founding partner and chief business officer of G2 Ops, Inc., an engineering and cybersecurity services company serving branches across the U.S. Department of Defense. G2 Ops has been recognized six years in a row on the Inc. 5000 list as one of the fastest-growing private companies in the U.S.A. and has extensive experience applying the FAR/DFARS NIST 800-171 requirements to industry partners of all sizes.
