How a DoD Sub-contractor Used Cybersecurity Compliance to Secure New Business & Prepare for The Future
December 31st, 2017 is a date that likely stands out for most manufacturing companies in the Department of Defense’s (DoD) supply chain. This date marks the deadline by which these companies were obligated to meet DFARS requirements to safeguard Covered Defense Information (CDI) from compromise or risk loss of DoD awards or opportunities to bid on future contracts.
Midwest Precision, LLC (Midwest), like other small to medium-sized manufacturing companies, faced these compliance constraints. Founded in 1953, the company specializes in close tolerance CNC machining of all types of Stainless Steels, Nickel Alloys, Titanium, Aluminum, Steel, and Brass in complex configurations. Their organization is made up of 52 dedicated employees who are proficient in machining complex shapes from challenging materials with close tolerances and have experience in assembly and kitting, quality assurance, engineering, and Lean manufacturing.
Midwest has earned contracts from the likes of Lockheed Martin – a blessing which also came with an extra compliance task. Above and beyond DFARS compliance, Midwest was asked to comply with its prime contractor’s (Lockheed Martin) custom framework to achieve an “acceptable” Exostar Capability Score of 3.00 or better. At the time, Midwest had a Capability Score of 0.61.
The president of Midwest Precision was determined to increase their Exostar Capability Score by adopting the best practices outlined in the NIST SP 800-171 requirements. During a cybersecurity education program that TechSolve conducted in late 2017, he asked TechSolve’s staff to provide guidance to their networking team in order to achieve the Exostar Capability Score improvement.
Prior to the December 31, 2017 deadline, TechSolve:
- Collaborated with Midwest’s networking team on the initial cybersecurity assessment
- Developed a customized Plan of Action & Milestones (POAM) based on the results of the assessment
- Created an Incident Response Plan (IRP) and System Security Plan (SSP)
Additionally, over the next four months, TechSolve:
- Assisted Midwest with the execution of the POAM by providing technical guidance and templates for Midwest’s policies and procedures
- Provided clarification on the spirit of the framework’s controls
- Researched solutions that fit their business needs and corporate culture
- Provided Midwest the ability to conduct unlimited vulnerability scans for the next year
As a result of all of this work, TechSolve was able to help Midwest Precision increase their Exostar Capability Score from a Level 0 score of 0.61 to a Level 3 score of 3.82. This exemplary score was a 3.21 improvement, indicating a solidly performing cyber risk management program.
Since Midwest Precision’s achievement of the Level 3 Exostar Capability Score of 3.82, Midwest has been asked to bid on new DoD contracts related to the AGM-114 Hellfire air-to-surface missile (ASM) that could potentially increase Midwest’s DoD contracts by $1.5M or more per year. Midwest Precision attributes being asked to bid on that contract to its achievement of compliance with NIST SP 800-171 and its increased Capability Score. Their Level 3 Capability Score has already become a key marketing differentiator on government contracts. In addition to this benefit, Midwest Precision has also benefited from this project by:
- Decreasing the time and cost of this effort by utilizing TechSolve’s cybersecurity expertise to quickly and accurately implement solutions that would have otherwise required months of research and investigation
- Retaining $12M in DoD contracts (including $6M from Lockheed Martin)
- Investing $23K in hardware and software that will not only protect them from cyber attacks but will also increase the efficiency of management of future government projects
- Transforming Midwest Precision’s corporate computer hygiene and instilling the understanding that cybersecurity will be an ongoing continuous improvement effort
Cybersecurity Compliance and Beyond
The December 31st deadline marked more than the end of the first step towards NIST SP 800-171 compliance for manufacturers. From 2016-2017 alone, cyberattacks on manufacturers increased by 600%, placing manufacturers second only to the government in most cyberattacks per sector. The cybersecurity of a subcontractor is a key consideration for prime contractors like Lockheed Martin. Just as Midwest Precision experienced, going beyond compliance to reach a “quality” Exostar rating can be a competitive differentiator in the marketplace for DoD contractors and their subs.
The reality of cyber threats means that steps towards compliance are more than just an exercise; they are one of many efforts manufacturers need to take to protect their business. Whether or not a manufacturer is a DoD contractor, the time is now to work closely with an expert to reach beyond compliance to protect your business today and prepare your business for the cyber threats of tomorrow.
Tech Tuesday is a weekly series by TechSolve designed to help manufacturers keep up with emerging technologies and identify ways to translate them into their own manufacturing environments.