If an awards show for crime existed, cyber criminals would be making the bulk of the acceptance speeches. That’s because their style of theft is considered among the fastest growing types of crime in the United States. To say the least, public and private citizens alike have been on high alert to protect their personal and sensitive information.
For companies in the aerospace and defense industry where government contracts can include safeguarding highly sensitive data, the stakes are much higher and cyber compliance regulations are far stricter. But protecting data from hackers is only one piece of the compliance puzzle.
“The government doesn’t just give you a ticket,” says Bob Aronson, chief revenue officer at Cre8tive Technology and Design, a company that provides customized, industry-specific solutions and outsourced services for enterprise resource planning (ERP) implementation. “The fine potentially is jail and being out of business.”
Cre8tive is a partner company to Epicor and sells its software solutions, such as Epicor’s aerospace and defense solution that was developed to reduce risks and stay compliant with the government’s numerous and strict security requirements. Aronson is a great partner for Epicor as he is quite familiar with the aerospace and defense industry – he served as a captain in the U.S. Air Force and worked with NASA and the space program. It doesn’t hurt that he was also the senior vice president of sales at Epicor before joining Cre8tive.
“Ninety percent of Cre8tive’s customers fall into the aerospace and defense manufacturing industry,” he says. “We’ve got lots of credibility. Many of our team are veterans with a real-world aerospace background, so we never really sell our customers anything; we educate them on what technology can do for them.”
The aerospace and defense solution from Epicor is available in the Azure Government Cloud, which is a highly secure environment for government agencies and their partners. This includes fab shops that provide parts and equipment for the Department of Defense (DoD).
Aerospace and defense manufacturers face numerous regulatory compliance challenges, as the governmental- and industry-mandated regulatory requirements might best be described as “stringent.” International Financial Reporting Standards, Sarbanes-Oxley Act requirements, ISO/AS9100 and the International Traffic in Arms Regulations are just a few that need to be accounted for while under a government contract, and the Epicor solution is built to assist.
With Epicor’s robust infrastructure, aerospace and defense manufacturers have access to a comprehensive approach to automating the compliance process. Furthermore, the solution provides the ability to generate a complete audit trail of all changes made to records and data, which is an important process for manufacturers under government contracts. In fact, Epicor’s solution helps customers meet strict requirements set by the Defense Contract Audit Agency.
Cybersecurity Maturity Model Certification (CMMC), which was established by the DoD in 2019, is something with which every manufacturer under a defense contract should be familiar. The CMMC is a program designed as a unified standard for cybersecurity consistency for all defense contractors. It’s essentially setting the rules these companies must abide by to protect sensitive defense information.
The Defense Industrial Base (DIB), which includes manufacturers that provide equipment for the armed forces, comprises more than 300,000 companies. According to the Office of the Under Secretary of Defense, the DIB is the “target of increasingly frequent and complex cyber attacks. To protect American ingenuity and national security information, the DoD developed CMMC 2.0 to dynamically enhance DIB cybersecurity to meet evolving threats and safeguard the information that supports and enables our warfighters.”
Aronson notes that the majority of the companies in the supply channel for the DoD are “very small and most of them do a very poor job on compliance and cybersecurity. It’s their biggest threat.”
He believes most of these companies simply lack knowledge of the risks, and some are equally uninformed about the rules. There is also the cost issue to contend with, as ERP solutions with a high level of cybersecurity compliance management aren’t cheap.
It’s not uncommon for senior leadership at fab shops to equate investments in cybersecurity to an insurance contract, says Keith Downing, cyber security manager at Geater Machining & Mfg., an Iowa-based company with years of experience serving the aerospace industry.
“You are basically trying to tell somebody they have to spend more for insurance,” Downing says, “but you don’t get rich off of buying insurance. So, if a business leader has the option of buying a $1 million machine or spending $1 million on cybersecurity, it becomes difficult to try and toe that line.”
But in recent years with more “big players” getting hacked and with the headlines about Russian cyber attacks against Ukraine’s power grid, more people are becoming aware of cybersecurity issues and more accepting that they should do their part to keep up on technology that can protect their data.
“You’re trying to defend an area and you don’t know when somebody is going to strike or from where or what tactics, tools or techniques they’re going to use,” Downing says. “It does require a lot of staying ahead of the game.”
Fortunately, Geater Machining & Mfg. has used Epicor’s ERP solution with Cre8tive’s A&D Solution for more than a year and has enjoyed perks it didn’t have with its previous ERP system. Specifically, Downing says the company was interested in Epicor’s technology for managing major compliance issues related to the Defense Federal Acquisition Regulation Supplement and the Federal Acquisition Regulation, which include regulations related to prioritizing security and purchasing procedures, respectively.
Yet another compliance issue Geater Machining & Mfg. has to contend with, which Epicor helps to manage, is related to the National Institute of Standards and Technology’s cybersecurity requirements. These are designed to safeguard controlled unclassified information.
Downing says managing these regulatory issues is akin to cleaning up a messy room where half the battle is figuring out what you’re going to sort and where you’re going to put it.
“If you’re trying to do certifications or anything like that, it’s an awful lot of paperwork,” he says. “The thing I like about Epicor is they already have those buckets in order, which makes it easier on our end.”
While the massive number of compliance and regulatory rules that aerospace and defense manufacturers follow have their purpose, they can really put a damper on productivity. Downing can attest to the workflow issues that security regulations put on throughput.
“There is no quicker way for people to try and put my head on a pike than for me to drop too many security controls on them too quickly,” he says. “Many cybersecurity controls are put in place to make people think more, to make people slow down and to make people make better decisions.”
After implementing Epicor’s ERP system, Downing says the security controls were improved, particularly in regard to speed, which he attributes to the database system Epicor developed, which utilizes Microsoft SQL Server – a relational database management system known for its ability to efficiently store and retrieve data.
“If you run something on the database that Epicor uses, as far as Microsoft SQL,” Downing says, “what would happen in 5 sec. would sometimes take more than 5 min. with our previous software.”