If an awards show for crime existed, cyber criminals would be making the bulk of acceptance speeches. Cybercrime is considered among the fastest growing types of crime in the U.S. For companies in the aerospace and defense industry, where government contracts can include safeguarding highly sensitive data, the stakes are much higher and cyber compliance regulations are far stricter. But protecting data from hackers is only one piece of the compliance puzzle.
“The government doesn’t give you a ticket,” says Bob Aronson, chief revenue officer at Cre8tive Technology and Design, a company that provides customized, industry-specific solutions and outsourced services for enterprise resource planning (ERP) implementation. “The fine is potentially jail and out of business.”
Cre8tive is a partner company to Epicor, which is a software company with solutions aimed at manufacturing, distribution, retail and service industries. Cre8tive sells Epicor’s software solutions, such as its aerospace and defense solution related to reducing risks and staying compliant with numerous strict government requirements. Aronson is quite familiar with the aerospace and defense industry – he served as a captain in the U.S. Air Force and worked with NASA and the space program. He was also the senior vice president of sales at Epicor before joining Cre8tive.
“Ninety percent of Cre8tive’s customers fall into the aerospace and defense manufacturing industry,” he says, “and we’ve got lots of credibility; many of our team are veterans with a real-world aerospace background, so we never really sell our customers anything – we educate them on what technology can do for them.”
The aerospace and defense solution from Epicor is available in the Azure Government Cloud, a highly secure environment for government agencies and their partners, including fab shops that provide parts and equipment for the Department of Defense.
Aerospace and defense manufacturers face numerous regulatory compliance challenges, as the governmental- and industry-mandated regulatory requirements might best be described as “stringent.” International Financial Reporting Standards, the Sarbanes-Oxley Act requirements, ISO/AS9100 and International Traffic in Arms Regulations are just a few that need to be accounted for while under a government contract, and the Epicor solution is built to assist.
With Epicor’s robust infrastructure, aerospace and defense manufacturers have access to a comprehensive approach to automating the compliance process. Furthermore, the solution provides the ability to generate a complete audit trail of all changes made to records and data, which is an important process for manufacturers under government contracts. In fact, Epicor’s solution helps clients meet strict requirements set by the Defense Contract Audit Agency.
Cybersecurity Maturity Model Certification (CMMC), which was established by the DoD in 2019, is something every manufacturer under a defense contract should be familiar with. The CMMC is a program designed as a unified standard for cybersecurity consistency for all defense contractors. It’s essentially setting the rules these companies must abide by to protect sensitive defense information.
The Defense Industrial Base (DIB), which includes manufacturers that provide equipment for the armed forces, includes more than 300,000 companies. According to the Office of the Under Secretary of Defense, the DIB is the “target of increasingly frequent and complex cyberattacks. To protect American ingenuity and national security information, the DoD developed CMMC 2.0 to dynamically enhance DIB cybersecurity to meet evolving threats and safeguard the information that supports and enables our warfighters.”
Aronson notes that the majority of the companies in the supply channel for the DoD are “very small. Most of which do a very poor job on compliance and cyber security. It’s their biggest threat.” He believes most of these companies simply lack knowledge of the risks, and some are equally uninformed about the rules. There is also the cost issue to contend with, as ERP solutions with a high level of cybersecurity compliance management aren’t cheap.
“And it does cost more,” Aronson says of the technology. “It has a very specific capability and there's a premium that you would pay for it. And sometimes smaller companies like to do things on pencil and paper. And for the most part, if everything goes according to plan, that could be okay.”
It’s not uncommon for senior leadership at fab shops to equate investments in cybersecurity to an insurance contract, says Keith Downing, cyber security manager at Greater Machining & Manufacturing, an Iowa-based company with years of experience serving the aerospace industry.
“You are basically trying to tell somebody they have to spend more for insurance,” Downing says, “but you don't get rich off of buying insurance. So, if a business leader has the option of buying a $1 million machine or spending $1 million on cybersecurity, it becomes difficult to try and toe that line.”
Downing says in recent years with more “big players” getting hacked and with the headlines about Russian cyberattacks against Ukraine’s power grid, more people are becoming aware of cybersecurity issues and more accepting that they should do their part in keeping up on technology that can protect their data.
“You're trying to defend an area and you don't know when somebody is going to strike or from where or what tactics, tools or techniques they’re going to use,” Downing says. “It does require a lot of staying ahead of the game.”
Fortunately, Greater Machining & Manufacturing has used Epicor’s ERP solution with Cre8tive’s A&D Solution for more than a year and has enjoyed perks it didn’t have with its previous ERP. Specifically, Downing says the company was interested in how Epicor’s technology could help it manage major compliance issues related to the Defense Federal Acquisition Regulation Supplement (DFARS) and the Federal Acquisition Regulation (FAR), which include regulations related to prioritizing security and purchasing procedures, respectively.
Yet another compliance issue Greater Machining & Manufacturing has to contend with, which Epicor helps to manage, is related to the National Institute of Standards and Technology’s cybersecurity requirements, which are designed to safeguard controlled unclassified information.
Downing says managing these regulatory issues is akin to cleaning up a messy room where half the battle is figuring out what you’re going to sort and where you’re going to put it.
“The thing I like about Epicor is if you're trying to do certifications or anything like that, it’s an awful lot of paperwork,” he says. “The thing I like about Epicor is they already have those buckets in order, which makes it easier on our end.”
While the massive number of compliance and regulatory rules that aerospace and defense manufacturers follow have their purpose, they can really put a damper on productivity. Downing can attest to the strain that security regulations put on workflow and throughput.
“There is no quicker way for people to try and put my head on a pike than to drop too many security controls on them too quickly,” he says. “Many cyber security controls are put in place to make people think more, to make people slow down, to make people make better decisions than they already do.”
After implementing Epicor’s ERP, Downing says the security controls were improved, particularly in regard to speed, which he says is due to the database system Epicor developed, which utilizes Microsoft SQL Server – a relational database management system known for its ability to efficiently store and retrieve data.
“If you run something on the database that Epicor uses, as far as Microsoft SQL,” Downing says, “what would happen in five seconds would sometimes take over five minutes with our previous software.”