The protections required are outlined in NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The security controls to protect CUI are grouped into families. There are fourteen families, compromising just over 100 individual control measures.
Jaime Mondragon and Robert J. Reynolds started J & J Machining, LLC five years ago in Anaheim, CA. They opened with a single industrial unit and a plan. Thanks in part to their combined 50 years of aerospace experience and the willingness to take risks they are growing fast. They have three units now totaling 6000 sq.ft. and are ready for more manufacturing space. J & J is an AS9100 certified and NIST 800-171 compliant production driven manufacturing facility with 16 employees running two shifts on 13 multi-axis CNC milling and turning centers. Their claim to fame is service, support and a collaborative mentality with customers.
Robert Reynolds is president at J & J and handles sales. He freely admits that their 4- axis milling and 2- axis turning is standard fair in a machine shop their size, but he points out how thought process is what drives their abilities. The thought of how to program a part and think creativity. The thought of how his customer needs them to be a proactive team member. The thought of how to offer more for less. “As a tier one supplier to the biggest names in aerospace we are a member of their respected teams,” tells Robert. “Being a team member is an important aspect of how we do business. The aerospace game used to be very adversarial where they would grind you on price and you would reluctantly do it, but that has changed. We work with our customers, and they with us to achieve our mutual goals.” Little by little tier ones like J & J are learning how they can best serve the aerospace industry. Attrition is a sad thing, but it is the backbone of growth with any forward-thinking business and J & J picks up when others have dropped the ball. That ball can be anything from quality and delivery to not being NIST compliant. “Where other companies our size might hesitate, we step into the void and take a risk,” continues Jaime. Robert and Jaime agree that the gamble isn’t always fun, but in only five short years it is paying off for them.
After attending the 2019 Department of the Navy Gold Coast event for small businesses Robert came back with cyber security on his mind, specifically the NIST 800-171 protocols. He remembers listening as an admiral stood at the podium and explained how the US government is less worried about successful cyber-attacks happening with companies like Boeing, Raytheon, Northrop and so forth because they have all the necessary IT people and protocols in place. “The admiral stated that the US gets attacked by offshore adversaries at a very high and alarming rate,” details Robert. “Then this is the part that really hit home. He looks out into the audience and says the most susceptible to attack are you. He was talking about J & J and all the other smaller tier one and tier two suppliers to those large aerospace companies. Companies like ours make a prime target because we don’t have the budget and manpower to employ a team of cyber security experts.” Smaller manufactures supply 70% of what the DOD buys. Smaller to midsize organizations like J & J don’t have IT infrastructure, they don’t have protocol understanding, and they don’t have all the tools needed to keep data safe. Robert began to look into ways J & J could overcome this challenge.
Renee Young is a cyber security expert with Aslan Consulting. She shows J & J owners Robert Reynolds and Jaime Mondragon some of the latest software upgrades.
Robert and Jaime have learned over decades of being in the aerospace manufacturing business that embracing the new doesn’t always lead directly to a sale, but it certainly offers up opportunities. Many shops the size of J & J want to fight the system and not implement programs like ISO or AS, thinking that somehow the system is keeping them down if they don’t see dollars rolling in. “Manufacturers don’t always see the value in taking extra steps even though those steps are making them a better company and they are producing better parts,” explains Jaime. “So often the if it costs money, the I don’t want to do it attitude comes into play with the smaller shops. We look at things a little differently and play the long game. Where others see cost, we see the value of being at the forefront.” J & J decided in late 2019 to take the leap into becoming NIST 800-171 compliant for 2020. “When you start at the beginning of something you have time to work through all the changes, the growth, the development, and the understanding,” explains Robert. “It makes you an expert on implementation and all these systems improve your organization. The cyber compliance protocol requires you to do things like monitor your cyber activity. If you have an incursion, you need to know you had it, understand that you had it, then follow a recovery protocol. It sounds like a lot, and it is, especially when it is outside the scope of our expertise. We looked at the investment and the in the whole scope of things the cost is minimal, but we didn’t even know where to start. That’s when I brought in Renee Young a cyber security expert with Aslan Consulting to get us on the right road.”
J & J doesn’t have a dedicated server room full of computers. They like most manufacturing facilities of their size have a single dedicated server monitored by NeQter Labs hardware. NeQter Compliance Engine is a plug-and-play solution for network-wide visibility and control. It features SEIM tool, activity monitoring, vulnerability scanning and inventory management.
Along with companywide training Renee brought in software and hardware that sits outside the J & J network and monitors what is going in and out. “Like most things in the IT world there is a subscription price to keep everything up to date,” tells Renee. “We work with large and small companies and government agencies, but manufacturing like J & J is an industry I only had a vague knowledge of. So, we had to learn about what it is like to be a CNC machine shop that specializes in aerospace parts and incorporate our IT knowledge to meet the specific NIST standards. We are a tech company and cyber security is our specialty throughout many industries. We customized our products, our software, our training and the price to meet the needs of J & J. We were able right away to jump start J & J’s program. Of the 14 families of technology on day one we had six of them already answered. With a minimum of training J & J was able to check off 30 of the 110 components in a little over a month. For me it is very gratifying seeing the progression and how much they are embracing the system we are putting in place together. You don’t need to understand all the nuances that happen in a machine shop to be able to help a company in the technology department. Both Robert and Jaime have decades of experience in manufacturing and they thought me what I needed to know to put in place the best possible solution for them as an organization. Willingness to engage is a big part of process. The owners in this case really want us to be here helping them with the process. It takes leadership from within the organization along with our assistance to make it all come together.”
As an AS9100 certified company quality is a top priority and a team effort at J & J Machining. Left – Quality manager Ismael Navarro uses one of their comparators to inspect a part. Right – General manager Jaime Mondragon and Ivan Escobar discuss features that need to be verified off the print.
Bringing in a consulting company has costs associated with it, but Robert touts how they have actually saved money by streamlining the processes. Learning the language was a big part of the challenge. Bringing in a consultant was a good way to create a pathway to compliance. As they got more and more immersed into the protocols they understood more and more and needed Aslan less and less. In some ways cyber security has to become a companywide part of the work culture like AS or ISO. The guy sweeping the floors doesn’t need to know about it, but anyone who has access to the network has to have an understanding of what the network is and does. J & J’s customers share files with them through a secure portal, but once the file has been downloaded and resides on the J & J network it is their responsibility to keep it safe. These days everything from your credit card and phone can be hacked easily, so J & J are on the front lines when it comes to keeping their information secure. “We feel small, but companies like J & J are a big part of the supply chain that keeps the country safe,” continues Robert. “It seems like a mountain of learning, but once implemented it becomes second nature same as using CAD/CAM, same as following AS, same as programming the CNCs. We had a network in place already so that gave us a bit of a head start. If everyone had individual computers, then every computer would have to have a monitoring station. As it is now the server is setup in my locked office and those of us with a need have user terminals connected to it. So, we have one box to monitor all our workstations. It sits outside the network but monitors what goes in and out.” If one of J & J’s customers calls and says they had an intrusion, they need to find out what subcontractor it came from. J & J are in a position to immediately upload the relevant data. It might clear them, or it could implement them, but the important aspect is traceability. “Everything we do in manufacturing is based on traceability,” adds Jaime. “For us the traceability on parts goes back 7 years, but data has become such a commodity that we have to have traceability on that too. It isn’t a matter of placing blame but shutting down the threat and securing the breach.”
After only five years in business J & J is still growing. They started with only a single industrial unit and now they have three totaling 6000 sq.ft. They are a production based mill-turn house specializing in aerospace, medical and semi conductors. They have 13 CNC machining centers with multi axis turning and 4 axis milling.
You can be a great shop and make the best parts with complex features and tight tolerances, but it won’t matter if you are not compliant in the digital universe. J & J are learning that this is a new normal, and soon if you are not on board you will be left behind. “They said we are going to change to ISO and they did,” concludes Robert. “They said we are going to change to AS and they did. Now they are saying NIST 800-171 and they will make it mandatory. The digital universe is where it’s at. If you can’t manage today’s environment digitally, you are not in today’s environment. It was a big decision for Jaime and I to make this investment. There is a fine line between cutting edge and bleeding edge and you never know what edge you are on until you fully commit. I’m here to tell you we are cutting edge thanks to our partnership with Renee and Aslan Consulting. Follow it, learn it, get with it or you will be out of the loop.”