Atlas Tool Works is a small family-owned company that provides specialized machining and turning of tight tolerance parts, precision sheet metal fabrication, metal stamping, and complex engineered assemblies. It has 72 employees, and a long history of commitment to quality and continuous improvement.
Atlas leadership knew they needed to improve their cybersecurity. The company, being part of the U.S. Department of Defense supply chain, was required to comply with the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards or risk losing their DoD contracts. Leaders also realized that improving the company’s overall cybersecurity would protect the confidentiality, integrity, and availability of information.
Understanding the Requirements
Lacking a full-time information technology staff, Atlas Tool Works needed support to decipher the guidelines, perform an assessment, identify gaps, and execute the improvements before the December 31, 2017 compliance deadline.
Atlas contacted the Illinois Manufacturing Excellence Center (IMEC), its local representative for the Manufacturing Extension Partnership (MEP), for assistance.
Using the NIST Cybersecurity Self-Assessment Handbook as a guide, IMEC team members worked with Atlas to decipher and break down the security requirements into understandable steps.
“The [security requirements] were ambiguous as far as how it applied to us specifically,” said Zach Mottl, chief alignment officer for Atlas. “It felt open-ended, so we weren’t sure where to begin.”
Together with Atlas and its contracted IT provider, IMEC determined that Atlas was only 40% in compliance with the cybersecurity guidelines. They then set about hashing out an improvement plan—for network setup, policies and procedures, IT system requirements, worforce rules and training—and an implementation timeline to ensure full compliance before the deadline.
“Going through this process was great for our organization,” said Mottl. “It’s all about developing good habits. In manufacturing there are many procedures in place like ISO (International Organization for Standardization) for the manufacturing operations, but you forget about processes related to information systems.
“The cybersecurity requirements are all about managing risk, protecting data, not letting intrusions in, and notifying the appropriate people when things happen. As a small business, we often create workarounds to simplify our work and with administrative practices in particular. But with the DFARS compliance, that is unacceptable and we now understand how essential that is for our company’s security.”
Atlas executed the implementation plan and now meets the requirements. Key changes as a result of the assessment included server room locks with passcode protection, settings changes on the server and router to track who was accessing files, and creating a log in the server for forensics records. The company also updated its hardware and software, added stricter email encryption, and offered workforce training to understand the new language and security precautions.
Mottl added, “Addressing the DFARS compliance requirements was important for us to become a more robust and secure organization. I know all businesses would benefit from the assessment, not just defense contractors.”
Results:
- Increased cybersecurity compliance from initial assessment of 40% to 100% compliance in 6 months
- Full compliance to DFARS Cybersecurity requirements
- Increased awareness and participation by staff in information security programs and reporting
David Boulay is President of IMEC, a public-private partnership committed to driving growth through enterprise excellence.