Atlas Tool & Die Works, Inc.
Faced with a new customer requirement for compliance to the recently released NIST Special Publication SP 800-171, Atlas Tool & Die Works realized their small manufacturing business must act quickly and address the government regulation. NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations is a requirement for all Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) to meet the DFARS minimum security standards. Lacking a full-time information technology staff, Atlas needed the extra support and called upon IMEC as a trusted resource to help decipher the guidelines, assess their current vulnerabilities and execute the improvements before the strict deadline of December 31, 2017.
With IMEC serving as project manager, the Atlas Tool and IMEC team began to decipher the NIST checklist for compliance, breaking it down into understandable steps. “The guidelines (checklist) were ambiguous as far as how it applied to us specifically,” said Zach Mottl, Chief Alignment Officer for Atlas Tool & Die Works. “It felt open-ended, so we weren’t sure where to begin.” Together with Atlas and their contracted IT provider, IMEC conducted a self-assessment according to the checklist, determining if Atlas was fully compliant, partially compliant, or completely lacking in each requirement – resulting in a 40% overall compliance rating. This assessment–or, review of processes–helped to establish an improvement plan for network setup, policies and procedures, IT system requirements, workforce rules and corresponding training, and an implementation timeline to ensure full compliance before the deadline. Key changes ranged from an investment in physical hardware including server room locks with passcode protection, to settings changes on the server and router to track who was accessing files, to creating a log in the server for forensics records.
“Going through this process was great for our organization,” said Mottl. “It’s all about developing good habits. In manufacturing there are many procedures in place like ISO for the manufacturing operations, but you forget about processes related to information systems. The cybersecurity requirements are all about protecting the data, not letting intrusions in, and notifying the appropriate people when things happen. As a small business, we often create workarounds to simplify our work and with administrative practices in particular. But with the DFARS compliance, that is unacceptable and we now understand how essential that is for our company’s security.” Atlas Tool has executed the complete implementation plan meeting checklist requirements and embracing new changes like the aforementioned hardware and software updates, stricter email encryption, and workforce training to understand the new language and security precautions. Mottl added, “Addressing the DFARS compliance requirements was important for us to become a more robust and secure organization. I know all businesses would benefit from the assessment, not just defense contractors.”
- Increased cybersecurity compliance from initial assessment of 40% to 100% compliance in 6 months
- Full compliance to NIST SP 800-171
- No reported intrusions or violations since the organization achieved compliance
- Increased awareness and participation by staff in information security programs and reporting
“I don’t know how we would have done this without IMEC. As a small company, we’re limited on financial and administrative resources for this type of compliance. Our internal people are stretched thin, so having IMEC as an extension of our team has been tremendous.”
– Zach Mottl, Chief Alignment Officer