Defense Department officials want to accelerate the adoption of additive manufacturing to solve frontline and logistical challenges alike under a recent policy change, even as the department’s watchdog raises new concerns about how the military secures its 3D printing systems.
In June, DoD issued its first additive manufacturing policy. The publication follows closely on the heels of DoD’s first-ever additive manufacturing (AM) strategy, released in January.
Insight by Sonatype: Stephan Mitchev, acting CTO at USPTO, discusses how USPTO is looking at supply chain issues to address cybersecurity concerns. Dr. Stephen Magill, VP of product innovation at Sonatype, provides an industry perspective.
The new policy lays out roles and responsibilities for AM through the department. It states DoD will use the practice to “support joint force commanders and [combatant command] theater requirements, transform maintenance operations and supply chains, increase logistics resiliency, and improve self-sustainment and readiness for the military services.”
Tracy Frost, director of DoD’s Manufacturing Technology (ManTech) program, said DoD wants to align the department’s various additive manufacturing activities to accelerate the technology’s use throughout the military.
“[AM] has been around for a long time, but as it’s being utilized today, it’s cutting edge technology,” Frost said during a July 14 event hosted by George Mason University’s Center for Government Contracting. “It’s distributed and accessible through its smaller footprint, and it’s lower cost. It’s innovative, allowing us to create new designs like we’ve never seen before. And it allows us to iterate and prototype more quickly, supporting rapid design cycles.”
The military services are now working on implementation plans to further advance the new policy, while a Joint Additive Manufacturing Working Group led by Frost’s office continues to oversee AM efforts from the Pentagon.
The Defense Logistics Agency is also running a joint platform for sharing 3D printing models called the “Joint Additive Manufacturing Model Exchange,” Frost said. Her ManTech office is additionally identifying AM training needs and helping to fund research into qualifying metal AM parts.
Angela Tymofichuk, deputy assistant secretary of the Air Force for logistics and product support, said the use of AM is growing throughout the service where personnel need spare parts for aging equipment and face diminishing sources of manufacturing in certain sectors. She said the Air Force is pushing AM into operational use through its major commands, and the service now has an accountable property management system with associated training in place for 3D printers.
“We have innovation ‘sparks cells’ across the Air Force where their whole intent is to put these innovative technologies and processes in the hands of our highly creative and innovative airmen and see what they can do,” Tymofichuk said during the GMU event.
Despite the momentum behind the department’s use of AM, the DoD Inspector General raised new security concerns in a redacted audit released last week. The watchdog found DoD five DoD component sites did not consistently use cybersecurity controls at their AM sites, leaving both the systems and the design data at risk.
“The DoD components did not consistently secure or manage their AM systems or design data because AM users considered the AM systems as ‘tools’ to generate supply parts instead of information technology systems that required cybersecurity controls,” the report states. “In addition, the DoD components incorrectly categorized the AM systems as stand-alone systems and erroneously concluded that the systems did not require an authority to operate.”
DoD officials agreed with the IG’s recommendations to treat AM systems as Information Systems under DoD policy and require 3D printing systems to get an ATO. The Air Force told the IG it was releasing a policy requiring an ATO for AM systems in May, with full compliance required by May 2022.
But cybersecurity is still a problem in both the AM industry and in DoD, according to Joe Veranese, business systems manager at America Makes, the National Additive Manufacturing Innovation Institute, which serves as a link between the department and industry.
“If you don’t secure those machines . . . you make the data available to a bad actor, you make the data compromisable by a bad actor, a flaw can be introduced,” Veranese said in an interview with Federal News Network. “And the thing with additive is you can bury a flaw under 17 layers of stuff and never see it until it fails. So you have to be able to understand and have confidence in the file that is being printed.”
Many small and medium manufacturers don’t update their machines because it takes them out of operations, costing the companies in lost production, according to Veranese. And a firmware update can crash a machine, taking it offline even longer, he said.
Meanwhile, as the DoD IG revealed, DoD often wasn’t updating their machines, securely using removable media and leaving other parts of the process open to potentially malicious actors because they considered the AM systems as tools, rather than computer systems. Veranese also said DoD feels comfortable not following typical IT protocols because they airgap their 3D printing systems, effectively blocking them off from the Internet.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
But malicious code and other flaws can still be introduced, Veranese said, requiring the department and industry to adopt a new mindset around the cybersecurity of additive manufacturing.
“It’s making people believe this is something important,” he said. “I don’t stand inside the yellow tape around this big machine because I could lose a finger. Well, I don’t share my password or put my password on a little sticky note on my monitor, because it could be compromised. It needs to be that innate. And until that is really accepted that way, we’re going to continue to have problems.”
The new DoD policy on AM systems requires officials to ensure the “cyber-physical infrastructure and processes are secure and capable of supporting the use of AM across the life cycle of weapons systems.” It states the department will conduct periodic cyber risk assessments for AM systems and institute processes specific to AM to prevent data exploitation.
Frank Kelley, vice president of Defense Acquisition University, suggested DAU could develop some training for DoD personnel on AM security.
“I think it’d be a great thing for DAU to come up with sort of a class where all elements of the acquisition workforce are represented, give them a problem, where adaptive manufacturing might be the solution,” Kelley said during the GMU event. “And then we slip in a bad file and see if they catch it before they go to print and see if we’re actually exercising good security procedures and protocols.”