Standard issue

Deadline looms for cybersecurity mandate affecting government contractors

Posted on Nov 15, 2017 :: Back Office Operations
Posted by Jessica Thiel, Insight on Manufacturing Staff Writer

As a company that’s worked for the defense industry for nearly two decades, Schutt Industries is familiar with meeting stringent requirements. That experience has helped prepare it for complying with a new Department of Defense standard.

Developed by the National Institute of Standards and Technology, NIST 800-171 goes into effect Dec. 31 and applies to all companies doing contracting work with the government. It’s designed to protect controlled unclassified information (CUI) in non-federal information systems and organizations.

Steve Schutt, vice president of sales and operations for Schutt Industries, says the company, a manufacturer of military and industrial cargo handling equipment, has known about the impending deadline for a couple years. It has worked extensively this year to ensure compliance and is finalizing details ahead of the deadline.

“I think the communication of what they were requiring was communicated early and pretty clear of what the expectation was,” Schutt says. “Like any type of compliance, you have to get into the weeds to understand.”

Complicating that further, the requirements are specific and different for each organization and can affect physical security or cybersecurity and the exchange of information, Schutt says. The Clintonville company has worked with a third-party organization to evaluate what Schutt Industries is doing as an organization and compare that against the standard. It is identifying gaps in security and working to address them.

Schutt says meeting the standard as a smaller manufacturer of about 100 employees has presented challenges, but it also means his company is more nimble and adaptable than larger organizations.

“Like anything, you don’t stop your business for one thing,” Schutt says. “You’re doing everything in parallel to running your business.”

Not all companies are as well prepared as Schutt Industries is to meet the challenge, says Wil Cox, senior manufacturing specialist for the Wisconsin Manufacturing Extension Partnership.

The WMEP has been working for the past 18 months to help companies prepare to meet the deadline.

Cox says there’s virtually no way for all affected organizations to comply by Dec. 31. With the state’s “vibrant and vital” defense supply chain, the standard applies to many companies, Cox says. The WMEP identified around 100 working for Oshkosh Corp. alone.

“I think this is kind of the eventuality here of people not wanting to address something that’s come to fruition,” he says. “The standard itself is just too huge to do in a small amount of time. It is somewhat onerous and laborious to get through all this.”

For small- to medium-sized companies trying to do the work themselves, it can present a particular challenge, Cox says. As they drill down to one level in addressing issues, they may find they still have many more to go, he says. Small and medium-sized manufacturers (SMMs) often don’t have someone on staff versed in risk assessment, or in some cases even in IT.

That was the case for Convenience Electronics, a McFarland-based manufacturer of custom cable assemblies that employs 42 people and is working to meet the standard.

“We’re not programmers, and we’re not technical enough to become certified in house,” says Harry Lum, Convenience Electronics president, of the decision to seek the help of a third-party vendor.

After doing some research and coming across around 200 government requests for quotes with no bids, Lum decided to pursue becoming a government contractor. He says becoming a NIST-approved supplier will help his business.

“Adding another layer of protection is even better for our customers so they know their information is protected,” he says.

“You can use that as a sales point.”

Dean Popek, chief financial officer of Racine Metal-Fab, says many smaller companies don’t see themselves as vulnerable to threats, but after attending a conference and participating in a webinar on cybersecurity, he decided the company needed to take action.

“I saw this speaker, I attended this webinar and I lost a lot of sleep,” Popek says. “This is something that’s very real for smaller companies.”

The 65-employee company worked with accounting and business consulting firm Wipfli to create a plan to address security. It included an internal vulnerability scan, email phishing exercises that led to training sessions for employees, and the development of an incident response plan.

For companies looking to address cybersecurity, Popek recommends seeking help from an outside source. He says it’s valuable to have someone not vested in the company come in and evaluate the situation.

For its part, Cox says the WMEP is prepared to assist and is working to develop a standard approach that makes it easier for companies to start the process. The organization’s role is to help guide companies toward compliance and conduct gap analyses, but not to act as a contractor doing the work. Cox likens the process to getting certified in ISO, which has a big focus on risk mitigation.

He encourages companies to get online and look at the standard to begin to understand it. Even if a company isn’t in full compliance, Cox says it can start by letting the defense industry know it is working toward a solution. The supply chain is not going to shut off on Dec. 31, he says.

Schutt feels confident about his company’s position. He recommends other companies take a holistic, step-by-step approach and address one problem at a time.

“There’s a lot of moving pieces to all of this. There’s a lot to take in,” he says. “We’re going through it like a lot of companies are going through it, and we’re learning more about it as we progress.”