Effective cybersecurity is essential to running a healthy business, maintaining production operations and protecting information. Ensuring Boeing suppliers understand their own cybersecurity maturity and posture is also critical to our shared goal of a healthy, stable, and efficient supply chain and production system. In order to protect both commercial and defense-related businesses and support our production operations, Boeing has adopted security principles in accordance with National Institute of Standards and Technology (NIST) Cybersecurity Framework and expects similar efforts from suppliers to adequately protect the supply chain. Boeing does not require suppliers to be certified under any specific framework; however, the expectation is that all suppliers will adopt security practices in accordance with an industry-leading security framework such as ISO 27001 or the NIST Cybersecurity Framework.
The Boeing Company collaborates with its suppliers to clearly establish responsibilities and capabilities in order to best manage cybersecurity risk associated with the products or services provided. Suppliers may review the Terms of Use of Boeing Information and Electronic Systems to preview Boeing’s contractual cybersecurity expectations.
To better understand the cybersecurity posture of our suppliers, Boeing has established a cybersecurity questionnaire to measure a supplier’s cybersecurity maturity through Exostar’s Partner Information Manager (PIM) portal. Review the PIM resource webpage for more information.
In the event where incident reporting is needed, please email [email protected].
Suppliers must ensure goods delivered to Boeing (including electronic systems and software) satisfy the relevant civil aviation regulations for safety, airworthiness and quality, including but not limited to:
When it comes to data security for unclassified information systems, the United States government’s primary means of ensuring cybersecurity throughout the supply chain has been through compliance with Federal Acquisition Regulations (FAR) and Defense Federal Acquisition Regulations (DFARS).
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard for future Department of Defense acquisitions. CMMC addresses Controlled Unclassified Information and will supplement the NIST 800-171 controls set forth in DFARS 252.204-7012. CMMC contains three increasingly progressive levels, ranging from Foundational (Level 1) to Expert (Level 3, which will utilize a subset of requirements from NIST SP 800-172). More about the CMMC can be found at:
The Defense Industrial Base (DIB) Sector Coordinating Council (SCC) CyberAssist website provides trusted resources to assist DIB companies and suppliers of varying sizes with implementation of cyber protections and awareness of cyber risk, regulations and accountability for their supply chain. The website has a specific CMMC section that provides suppliers with resources to navigate CMMC awareness and implementation.