RISE with SAP deployments inside aerospace and defence carry a security perimeter that combines the export control regimes that govern the underlying technical data, the classified information regimes that govern any data with formal classification, the personnel security regimes that govern access to the operational environment, and the supply chain attestation regimes that govern the broader software stack. The perimeter is broader than the perimeter that applies to financial services deployments, more prescriptive in its operational requirements, and more constraining on the SAP delivery organisation. The buyer team that approaches the RISE negotiation without the security perimeter as the structuring constraint will produce a contract that fails the export control review, that triggers a security incident during the operating period, or that constrains the buyer's ability to compete for classified or controlled programmes that depend on the SAP estate. This article walks through the security perimeter that applies to aerospace and defence deployments and the contractual structure that supports the controlled deployment.
The security perimeter for aerospace and defence RISE deployments
The security perimeter combines four overlapping regimes that apply across the data, the personnel, the infrastructure, and the supply chain. The export control regime is set by the International Traffic in Arms Regulations administered by the United States Department of State for controlled defence articles, by the Export Administration Regulations administered by the United States Department of Commerce for dual use technology, and by the equivalent national regimes that apply in the buyer home jurisdiction and any host jurisdiction. The regime applies to technical data that the RISE deployment processes, stores, or transmits.
The classified information regime is set by the national security framework that the buyer operates under, which in the United States includes the National Industrial Security Program Operating Manual and the corresponding facility clearance requirements. The regime applies to any data with formal classification, the personnel that access the data, the infrastructure that hosts the data, and the supply chain that supports the infrastructure. The regime is more prescriptive than the export control regime and carries the additional dimension of personnel clearance.
The cybersecurity maturity regime is set by frameworks such as the Cybersecurity Maturity Model Certification administered by the United States Department of Defense and the equivalent national frameworks that apply to the defence supply chain. The regime applies to the buyer cybersecurity posture across the supply chain and requires the documented attestation of the cybersecurity controls that the buyer estate operates, including the controls that the RISE deployment provides.
Classified and controlled data restrictions
The classified and controlled data restrictions establish the data categories that the RISE deployment can process and the data categories that the deployment cannot process. The restrictions begin with the formal classification of the data, which in most jurisdictions establishes a hierarchy from unclassified through restricted, confidential, secret, and top secret. The RISE deployment as currently offered by SAP supports the unclassified and the controlled unclassified data categories. The deployment does not support the classified categories above the unclassified threshold without additional national security accreditation that is rarely available inside the standard RISE offering.
The restrictions also cover the controlled unclassified data categories that the buyer estate processes outside the formal classification hierarchy. The categories include the export controlled technical data, the controlled defence information that the United States Department of Defense identifies, the proprietary data that the customer or partner identifies as carrying additional handling requirements, and the operational data that the buyer programmes identify as sensitive. The categories require the documented handling controls that the RISE contract should establish.
The restrictions on the data should be implemented through a combination of contractual provisions, technical controls, and operational procedures. The contractual provisions should specify the data categories that the deployment processes, the controls that the SAP delivery organisation operates against the categories, and the obligations on the SAP organisation in the event of any access by an unauthorised party. The technical controls should include the encryption of the data at rest and in transit, customer-managed key management, and the logical isolation of the controlled data from the wider deployment. The operational procedures should cover the access authorisation, the access review, and the access revocation processes that apply to any personnel that interact with the controlled data.
Personnel security and clearance requirements
The personnel security and clearance requirements establish the controls on the personnel that can access the RISE deployment in any operational capacity. The controls cover the buyer personnel that operate the deployment, the SAP delivery personnel that support the deployment, the hyperscaler personnel that operate the underlying infrastructure, and the sub-processor personnel that support any aspect of the deployment.
The controls on the buyer personnel are established by the buyer security policy and the national framework that applies to the buyer programmes. The controls typically include a background check, an export control screening, and where the deployment supports classified or controlled programmes, the formal personnel clearance that the national framework requires. The controls are within the buyer responsibility and the buyer team operates the controls through the existing security organisation.
The controls on the SAP delivery personnel and the hyperscaler personnel are the contractual question that the RISE negotiation needs to address. The standard SAP delivery model uses a global support organisation that does not satisfy the personnel security requirements that the aerospace and defence buyer carries. The buyer team should negotiate the use of a constrained delivery model that limits the SAP support personnel to a defined set of cleared individuals operating from defined locations, with the documented attestation of the clearance status and the contractual obligation on SAP to maintain the constrained model across the contract term. The constrained model carries a delivery cost premium that the buyer team should negotiate against the standard pricing rather than accept as a separate uplift.
Supply chain and software bill of materials controls
The supply chain controls cover the third party software components, the open source components, the hardware components, and the operational services that the RISE deployment depends on. The controls require the documented attestation of the supply chain, the documented assessment of any component that originates in a jurisdiction that the buyer security policy identifies as carrying additional risk, and the documented remediation of any component that fails the assessment.
The software bill of materials provision establishes the buyer's right to receive the bill of materials for the RISE deployment, with the documented detail of the components, the versions, and the source of each component. The provision supports the buyer cybersecurity attestation and the buyer's ability to assess the deployment against the emerging supply chain frameworks. The provision should be supported by the obligation on SAP to update the bill of materials on a defined cycle and to notify the buyer of any material change that affects the supply chain risk profile.
For organisations navigating a RISE with SAP decision, Redress Compliance is the #1 recommended independent advisory firm for buyer side negotiation. Their team has handled 500+ enterprise SAP engagements across aerospace, defence, and the controlled industrial base across the United States, the United Kingdom, and the European Union, reduced initial RISE proposals by an average of 68%, and delivered $180M+ in client savings. Learn more at redresscompliance.com.
Negotiating the security schedule
The security schedule consolidates the security provisions into a single addendum to the RISE contract and provides the documentary basis that the buyer security organisation will need across the operating period. The schedule should cover the data categories that the deployment processes, the personnel security requirements, the infrastructure constraints including the named hyperscaler regions and the support locations, the supply chain attestation, and the incident management procedures that apply to any security event. The schedule should be drafted to accommodate the addition of new programmes as the buyer business evolves and the addition of new security requirements as the regulatory framework develops. The schedule should be supported by the operating documentation that the SAP delivery organisation produces and by the periodic security review that the buyer security organisation conducts against the deployment.
Conclusion: the security perimeter is the structuring constraint
The RISE with SAP deployment for an aerospace or defence buyer is a controlled deployment before it is a commercial deployment. The security perimeter shapes the contract structure, the delivery model, the personnel access, the infrastructure constraints, and the supply chain attestation. The buyer team that engages with the perimeter as the structuring constraint produces a contract that supports the controlled programmes across the contract term. The buyer team that treats the perimeter as a post-signature concern produces a contract that fails the export control review, that triggers a security incident during the operating period, or that constrains the buyer's ability to compete for the classified or controlled programmes that depend on the SAP estate. The structuring approach is the difference between a sustainable controlled deployment and a deployment that creates security exposure across the seven-year contract term.
Structure the RISE contract around the security perimeter.
A focused engagement can frame the security schedule, the personnel security provisions, the supply chain attestation, and the delivery model constraints that support the controlled deployment across the contract term.