Aerospace and Defence compliance 2.0: Greater focus on risk-based security, CCM, and blockchain
The heavily regulated aerospace and defence industry, which is estimated to be valued at $1,600 billion in the year 2025, has been dealing with stringent and complex compliance requirements mandated by governments and internal stakeholders. Due to the sensitive nature of products and services delivered by aerospace and defence companies, there are restrictions imposed on raw material usage, third-party contracts, manufacturing processes, upgrades, and even hiring practices. Guidelines issued by regulatory agencies such as the Federal Aviation Administration (FAA) and the European Aviation Safety Agency (EASA), as well as export control laws in the U.S., the European Union, and other parts of the world, emphasise the need for watertight compliance workflows and supporting data technology stacks to minimise the risk of compliance fines and penalties. Compliance programmes need to be agile and highly responsive, considering export controls evolve with changes in geopolitical conditions and foreign policy.
For instance, the U.S. recently restricted the export of its defence and dual-use technologies to Hong Kong. We are seeing similar scenarios in today’s volatile, uncertain, complex, and ambiguous (VUCA) world, where countries are taking drastic measures to safeguard national security and achieve foreign policy or commerce-related objectives. Moreover, there are unified standards such as the Cybersecurity Maturity Model Certification (CMMC), which ensure that only defence companies that meet a certain maturity level in their cybersecurity practices are eligible to become empanelled suppliers. It is no surprise, then, that the robustness of a compliance programme plays a critical role in ensuring the business continuity of aerospace and defence companies.
The need for compliance programmes to be responsive to legislative developments and to address divergent measures across key jurisdictions has only intensified in recent months and years. This is because the pace at which export control measures are developed and imposed, particularly those relating to defence and aerospace-related goods and technology, has increased. This has been accompanied by increased divergence and fracturing of the approach and measures implemented by Western nations, which formerly acted with a greater degree of alignment. For example, different EU member states have taken divergent approaches to the licensing of arms and defence-related materials to Saudi Arabia; export control policy in Europe is vulnerable to further divergence in the context of Brexit; and differing approaches have again been in evidence across European states and the U.S. with respect to restrictions on the export of controlled technology to China, with a particular focus on Huawei at present.
All the while, the complex compliance challenge facing businesses is accompanied by an increased appetite on the part of regulatory authorities to investigate, enforce, and penalise breaches of export controls.
The need for enterprise-wide transformation of compliance programmes
Considering such restrictions have been in place for decades, and since aerospace and defence companies have had ongoing compliance programmes for that time, what has led to a consensus that those programmes may need a facelift? First, the amount of data that needs to be monitored to drive compliance processes has increased manifold, with blueprints, drawings, photographs, plans, instructions, and documentation existing as PLM data, emails, data in shared drives, and legacy data, in both unstructured and structured formats. Legacy compliance processes are not able to cope with the volume, variety, and velocity of data generated today. Moreover, regulators such as the U.S. International Trade Administration (ITA) and the U.S. Department of Defense have become increasingly vigilant as sensitive data goes digital. There are regulations in force that mandate how such data is protected and where it can or cannot be moved.
Traditionally, global aerospace and defence organisations have relied on country-level compliance processes and IT delivery, resulting in siloed data and lack of centralised visibility with minimal data sharing. This has resulted not only in non-standardised information management but has also increased IT costs and redundancy, along with poor visibility into the efficacy of compliance programmes across geographies. There have also been issues with mapping compliance requirements with corresponding technology interventions, partly due to scarcity of domain expert resources and challenges around interpretation of prevalent laws.
The compliance requirements for aerospace and defence organisations have been ever-evolving but have always been reactive and focused on trying to keep up with obligations.
A roadmap for a modernised compliance programme
Building a global brand with standardised, transparent, scalable, and highly responsive compliance processes would require aerospace and defence companies to overcome a major roadblock: localised compliance mechanisms. Here are four ways companies can alleviate the challenges discussed so far and bolster their global compliance programmes:
Common control framework: Establish a common control framework that can be mapped onto the hierarchical structure of the enterprise, its legal entities, and the countries it operates in, allowing firms to easily understand the specific measures that must be taken to meet regulatory, compliance, and other standard requirements.
Streamlined information management: Establish standardised processes to discover, classify, and segregate all existing information based on requirements laid out by local regulators. Next, implement a zero-trust architecture that prioritises a network-centric data security strategy, restricting data access based on business needs. With solutions such as attribute-based access control where authorisation to access sensitive information is granted based on subject attributes, environmental attributes, and resource and action attributes, companies can achieve an authorisation model that is highly dynamic, context-aware, and risk-intelligent.
Continuous compliance monitoring: Move away from a reactive approach to compliance management towards a more proactive approach, which is very different from merely conducting audits at regular intervals. Through real-time monitoring of access control, policy-based enforcement on IT assets, firewall administration, application governance, and more, and by continuously comparing performance with compliance requirements, companies must uncover operational or technological gaps that need immediate resolution. Further, enterprises need to ensure ‘security and compliance-by-design’ and think about functionalities such as export control checks at the time of designing the digital journey.
Blockchain for improving compliance posture: Ensure future readiness by making strategic investments in next-generation enablers such as distributed ledger technology (DLT), which delivers greater transparency, enhanced security, and easier traceability. In the export control space, with its very high volume of record-keeping requirements, blockchain is a natural fit. It will streamline the process of recording export/re-export and shipping documents, allowing them to be traced easily and retrieved quickly and cost-effectively. Such digital ledgers would also reduce the risk posed by human error and unauthorised access, which otherwise could lead to severe compliance lapses.
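The attribute-based access control model described under "Streamlined information management" above, as an added example that is not part of the original article: a deny-overrides policy decision over subject, action, resource, and environment attributes for an export-controlled engineering item. The attribute names, rules, and sample requests are constructed for illustration and are not any regulator's or vendor's scheme.

```python
# Added example: minimal ABAC decision for export-controlled data.
# Attribute names, rules and sample values are constructed, not from any standard.
from dataclasses import dataclass

@dataclass
class Request:
    subject: dict      # who is asking: e.g. nationality, clearance, role
    action: str        # "read", "download" or "share_external"
    resource: dict     # what is asked for: allowed nationalities, embargo tags
    environment: dict  # context: country of the requesting device, managed device

# Each rule returns a reason string when it DENIES and None when it passes.
def rule_jurisdiction(r: Request):
    # Constructed rule: an item tagged with allowed nationalities may only be
    # accessed by subjects whose nationality is in that list.
    allowed = r.resource.get("allowed_nationalities", set())
    if r.subject.get("nationality") not in allowed:
        return "nationality not permitted for this export-controlled item"
    return None

def rule_location(r: Request):
    # Environmental attribute: requests from an embargoed country are denied
    # regardless of who the subject is.
    if r.environment.get("country") in r.resource.get("embargoed_countries", set()):
        return "request originates from an embargoed country"
    return None

def rule_device(r: Request):
    # Action attribute: copying data off the platform needs a managed device.
    if r.action in ("download", "share_external") and not r.environment.get("managed_device"):
        return "download/share requires a managed device"
    return None

def rule_external_share(r: Request):
    # Subject attribute: only a designated role may share outside the company.
    if r.action == "share_external" and r.subject.get("role") != "export_control_officer":
        return "external sharing limited to export control officers"
    return None

RULES = (rule_jurisdiction, rule_location, rule_device, rule_external_share)

def decide(r: Request) -> tuple[bool, list[str]]:
    """Deny-overrides: any failing rule denies; the reasons form the audit record."""
    reasons = [msg for msg in (rule(r) for rule in RULES) if msg]
    return (not reasons, reasons)
```

Because every denial carries the list of rules that fired, the same function doubles as evidence for the continuous monitoring step: the reasons can be logged and compared against requirements over time.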