Freedom Metal Finishing has been an approved supplier for dozens of top prime manufacturers for over 30 years, but that meant nothing to a few of them regarding cyber security.
Freedom owner Keith Eidschun says he received notice in late 2021 from several aerospace primes that his company in Clearwater, Florida, needed to show certification that their computer systems were locked down and nearly bullet-proof.
It was all part of a new program from the National Institute of Standards and Technology (NIST) that recommends significant upgrades in computer systems used by U.S. manufacturers, including electroplating, anodizing, and other finishing operations.
Ultimately, it was an unexpected cost of nearly $200,000 that Freedom Metal Finishing — as well as numerous other finishing operations doing work with sophisticated OEMs — had to invest to stay active as a supplier in some programs.
Possibly Kicked Off Approved Supplier List
“They were ready to kick us out,” Eidschun says of the letter he received from Lockheed Martin. “I couldn't believe it. I told them we've had their approvals for 30 years, and they just said if we didn’t have a certification by a certain date, we would be off our approved supplier list.”
The requirements are part of the Software Bill of Material (SBOM) Requirements for Critical Software measure by the U.S. Department of Homeland Security. It is a recent action regarding installed software on some contractors’ systems, including those in the finishing industry.
Most of the notifications included phrasing such as “Your Organization Administrator is required to immediately review these sections and enter a response to ensure compliance and minimize disruption to future business,” which meant shops had to comply with numerous — and expensive — cybersecurity requirements.
The process started in 2019 through a “Memo Assessing Contractor Implementation of Cybersecurity Requirements” that most military and government contractors were sending to their subs, including those in the finishing industry.
Jen Easterly, director of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the nation’s cyber defense agency, says the agency is leading the national effort to understand, manage, and reduce risk to the cyber and physical infrastructure Americans rely on daily.
“Since CISA was established in 2018, the threats we face have become more complex, more geographically dispersed,” Easterly says. “And they affect the entire cyber ecosystem, from Federal civilian government agencies to businesses large and small, to State and local governments and, ultimately, the American people.”
Time-Consuming and Expensive to Upgrade
Eidschun says that about 18 months ago, he began hearing from some of his aerospace and defense customers about the need to upgrade his IT systems, something that he knew would be time-consuming and expensive at the same time.
“It was so specific to certain aspects of our operations,” he says. “We had to upgrade our routers and other hardware, which was a fairly big burden, but then we had to have backup systems, and now I have two servers. It's slightly like ITAR (International Traffic in Arms Regulations). You can only let so many people off-site, and it's just increasing every little thing we do just a bit more.”
Eidschun says he was sent a NIST security manual and checklist by one of his customers to implement, and he had difficulty understanding all the requirements it was asking for.
“A lot of shops don't understand what this is, and they think that there are people out there that offer services, and they'll just put it all on the cloud through a protected base,” he says. “That's not even close to what the scope is. You need somebody to implement it, and there's a whole system that goes with it. It's basically like AS9100 or any quality system you must adhere to.”
Several other shops around the U.S. say they are going through the same issue that Eidschun’s shop went through, but they didn’t want to speak about what their solution process was going to be.
Requirement for an SBOM for All “Critical Software”
Eidschun says he was notified that beginning last fall, per Executive Order 14028, all new Lockheed Martin solicitations include a requirement for an SBOM for all “critical software” as defined by NIST. The solicitation requires a shop to notify its procurement representative if a resulting contract will include the delivery of critical software with the submitted offer.
Essentially, if the shop will be able to ascertain job requirements and specs from a customer’s computer system — such as details of the coating, blueprints of the parts, or any other technical aspect of the project — then the finishing shop needs to adhere to the NIST requirements for their systems.
“If critical software will be delivered (and sold to the government), the contract will include a requirement for an SBOM to be delivered with the software,” Lockheed Martin told its suppliers.
Luckily for Eidschun, he had already reached out to an IT contractor with whom he had worked in the past and whom he felt was qualified to go through the NIST checklist booklet and understand what all the requirements meant.
NIST Checklist Includes over 100 Security Requirements
Josh Wilson, a partner with RaptorGuard, a cybersecurity firm based in Oklahoma, worked with Eidschun to review the NIST checklist and implement its protocols.
“He's very smart with IT, but we had to do a lot of reading on the cybersecurity requirements,” he says. “We went through all the quality requirements, and then we had to write a procedure for how we do things and train everyone. It's just turned into another big headache.”
NIST’s SP 800-171 checklist alone includes over 100 security requirements that must be implemented. The DoD assessment methodology assigns each of the 110 NIST SP 800-171 controls a weight of 1, 3, or 5 points; points are credited for each control that is met, so a shop’s score ranges from the lowest possible -203 up to a maximum of +110.
The list also included items such as:
- Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- Limit system access to the types of transactions and functions authorized users can execute.
- Control the flow of CUI in accordance with approved authorizations.
- Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
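To make the scoring described above concrete, here is an added example (not code from the article, RaptorGuard, or NIST) that scores a constructed self-assessment the way the DoD methodology does: start at 110 and subtract the weight of every control that is not implemented, then list the open gaps heaviest first. The control numbers follow SP 800-171, but the weights and implementation status are sample data, and only five of the 110 requirements are included, so the score reflects just those gaps.

```python
"""Score a constructed NIST SP 800-171 self-assessment per the DoD
Assessment Methodology: start at 110, subtract the weight (1, 3 or 5)
of each unimplemented requirement, range -203 to +110. Weights and
statuses below are constructed sample values, not authoritative ones."""
from dataclasses import dataclass

MAX_SCORE = 110    # every one of the 110 requirements implemented
MIN_SCORE = -203   # published floor of the scoring range

@dataclass(frozen=True)
class Control:
    cid: str           # SP 800-171 requirement number, e.g. "3.1.1"
    weight: int        # 1, 3 or 5 points (sample values here)
    implemented: bool  # outcome of the self-assessment
    summary: str

# Constructed sample: the four access-control items the article lists,
# plus one authentication control for contrast.
SAMPLE_ASSESSMENT = [
    Control("3.1.1", 5, True,  "Limit system access to authorized users, processes, devices"),
    Control("3.1.2", 5, False, "Limit access to authorized transactions and functions"),
    Control("3.1.3", 1, True,  "Control the flow of CUI per approved authorizations"),
    Control("3.1.4", 1, False, "Separate duties to reduce risk of malevolent activity"),
    Control("3.5.3", 5, False, "Multifactor authentication for network and privileged access"),
]

def sprs_score(controls):
    """110 minus the weights of all unmet controls, kept within the
    published range. Rejects weights outside {1, 3, 5}."""
    deduction = 0
    for c in controls:
        if c.weight not in (1, 3, 5):
            raise ValueError(f"{c.cid}: weight must be 1, 3 or 5, got {c.weight}")
        if not c.implemented:
            deduction += c.weight
    return max(MIN_SCORE, MAX_SCORE - deduction)

def remediation_order(controls):
    """Unmet controls, heaviest weight first, then by id: the order in
    which closing gaps raises the score fastest, a starting point for
    the whiteboard of actionable items the article describes."""
    gaps = [c for c in controls if not c.implemented]
    return sorted(gaps, key=lambda c: (-c.weight, c.cid))

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_ASSESSMENT))
    for c in remediation_order(SAMPLE_ASSESSMENT):
        print(f"  {c.cid} (+{c.weight} when closed) {c.summary}")
```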
Wilson says the federal government has used the NIST requirements for several years and is now pushing them out to the companies it does business with, whose non-federal networks house Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), to help reduce cyber threats. The finishing industry is now seeing what has been in place for a while.
“Enough time has passed over the past five or six years to where it is becoming more accepted that as the tools become cheaper and the threats become more rampant, it's become more accepted in every industry to have this in place,” Wilson says. “When you start getting into government contracts and special access to portals to gain awarded contracts, you must comply with the information flow it encompasses.”
Wilson and Eidschun collaborated on upgrading Freedom Metal Finishing systems as they read through the requirements and began to understand what additional equipment would need to be installed and what new company procedures would be implemented.
Similar Feeling to When Nadcap Was Introduced
Eidschun says he had the same feeling over the past year about the NIST requirements for IT security as he did many years ago when the National Aerospace and Defense Contractors Accreditation Program (Nadcap) was first introduced.
“Not everyone believed it would be anything in our industry,” Eidschun recalled. “Everyone ignored it until it became a requirement. They put it on all the DoD contracts and all the purchasers in the DoD, and then they just cut everybody off. About 80% of the Honeywell suppliers in Florida got whacked because they didn't get that approval. I think the same thing will happen with the cyber issue.”
Wilson had worked with Freedom Metal Finishing in the past, so he was already familiar with their systems when they started working on the NIST checklist. Plus, Wilson says Eidschun had diligently kept his systems up to date.
“He was already asking for a better infrastructure to do business more effectively and scale up,” Wilson says. “If you handle your business needs and treat it as something that is not like a redheaded stepchild, it can work for you. But you do have to have the right people in place, and you have to have a lot of trust.”
Eidschun and Wilson began considering ways to upgrade the IT system to meet the NIST specs. Then, in late 2020, Freedom Metal Finishing was sent a letter from one of its top customers, a major aerospace prime, that set a deadline for having its system updated and meeting specifications.
“They sent us an email and said, ‘You're cut off on this day,’” Eidschun recalls. “The first phone call I made was to Josh to tell him that our timeline just got way expedited on everything.”
‘Trying to Figure Out What We're Supposed to Do’
Wilson says he spent nearly 140 hours going through NIST documentation to grasp the requirements — “Just trying to figure out what it is we're supposed to do,” and then set milestones for implementing new equipment and other necessities.
More importantly, Freedom Metal Finishing needed to document extensively how they were making the security upgrades and what internal controls, parameters, and technical protocols they were putting in place to meet the NIST requirements.
“It's an ongoing whiteboard to mitigate risk,” Wilson says. “It shows timeline, it shows intent, and it shows actionable items. Risk is everywhere, but at the end of the day, all this is about is managing risk.”
When Eidschun had completed everything necessary to comply with the NIST requirements, he estimated he spent more than $200,000 on the project, which was probably far less than expected because he had been keeping his system updated annually and adding security measures already.
But even spending heavily doesn’t always thwart the hackers; in November, the Boeing Company confirmed that some of its operations were impacted by a “cyber incident” for which a ransom gang quickly claimed responsibility.
Ransomware and Company Info Held Hostage
Reports say Boeing was given a six-day deadline to contact the ransom group before it said it would publish all the data it had stolen in the alleged attack.
Eidschun says the company's size doesn't matter and that anyone with an IT infrastructure system — even electroplaters, anodizers, or powder coaters — must beef up their systems.
“Just in the last year, I’ve heard some stories about companies getting hacked by Russia and Homeland Security showing up at their door,” he says. “Ransomware and company information are being used as a hostage for money, and shops may be losing approval to do work with big primes if they don’t have the NIST checklist in place.”
Visit https://freedommetalfinishing.com and https://raptorguardllc.com