Aerospace & Defense
How Electronic Components Proved Cybersecurity Compliance to General Dynamics
07/2024
5 min read
About Electronic Components
Electronic Components is a specialty distributor and authenticator of electronic components based in Framingham, Massachusetts. The company is AS9120 certified and provides value added services for legacy components, engineering assistance, and custom replacement solutions for obsolete products and systems. Electronic Components' customers include General Dynamics, the DoD, Lockheed Martin, and Raytheon.
Steve Holmes, Operations Manager at Electronic Components, and Eric Powers, IT Manager at Electronic Components, are both responsible for ensuring that the company complies with NIST 800-171 and CMMC requirements. The team faced pressure from General Dynamics to meet a minimum SPRS score immediately and 110 in short order. Addressing the NIST 800-171 and CMMC compliance requirements was crucial for Electronic Components to continue doing business with General Dynamics.
"General Dynamics gave us a real hard push: get yourself to this minimum SPRS Score, or we might not be able to do business with you anymore."
Steve Holmes
Operations Manager at Electronic Components
Story Highlights
- Facing Compliance Pressure from General Dynamics: Electronic Components was under pressure from General Dynamics to comply with the NIST 800-171 and CMMC requirements. Atomus played a key role in helping Electronic Components meet these requirements, ultimately building better trust between the two companies.
- Struggling to Handle Compliance In-House: Electronic Components struggled to meet compliance requirements in-house for 18 months due to lack of expertise and pressure from their prime. Switching to Atomus allowed them to achieve more progress in just two weeks than in the entire 18 months of attempting it in-house.
- Attracting New Business with Cybersecurity: By proactively meeting these cybersecurity requirements, Electronic Components has built trust with General Dynamics and can leverage its compliance status to attract new customers.
Experiencing pressure from General Dynamics to be compliant
General Dynamics put a lot of pressure on Electronic Components over the course of 18-24 months to achieve a 110 Supplier Portal Risk Score (SPRS). The SPRS score that Electronic Components was required to improve is a universal score that companies handling defense data submit to the Department of Defense. Recognizing this was a difficult challenge, General Dynamics told Electronic Components they needed a minimum SPRS score to be on contract. While not the ultimate goal, this minimum score would still represent a significant improvement. Using the DoD assessment framework, General Dynamics conducted a medium assessment of Electronic Components' IT systems. This entailed General Dynamics requesting to review Electronic Components' System Security Plan over email and scheduling countless phone calls to address additional questions and to ask about progress.
All major primes in the Department of Defense (DoD) follow the same system for risk scoring subcontractors' ability to handle data securely based on the SPRS score. Risk scoring is divided into three categories: red, amber, and green. Electronic Components was in the red category for General Dynamics, indicating the highest risk level due to not being compliant with NIST 800-171 and CMMC. As a result, General Dynamics had to send data to Electronic Components as hard copies via trusted carriers like FedEx or UPS. Once Electronic Components received the data, they could not transfer, upload, scan, or store it because their systems were insecure. Electronic Components was okay with this setup; however, their specific customer at General Dynamics wanted to share CUI digitally.
General Dynamics wanted Electronic Components to get to amber status as a step towards green, which would indicate some progress in system compliance. For long-term customers, amber is still not an ideal place to be. General Dynamics could use digital encryption to share CUI, but as Electronic Components experienced, they continued to be extremely persistent about the remaining requirements. General Dynamics was Electronic Components' single biggest customer, and getting to green status, or full compliance, was crucial if they wanted to continue doing business with them.
“Not prioritizing CMMC compliance will hit companies hard when primes can't do business with them anymore.”
Steve Holmes
Operations Manager at Electronic Components
The main advantage Electronic Components gained from using Atomus was building a higher level of trust with General Dynamics regarding compliance. Atomus provided Electronic Components with a solution that effectively addressed NIST 800-171 and CMMC requirements and provided guidance toward full compliance. The solution automated the implementation and documentation of technical controls. It also offered access to industry experts for assistance with questionnaires, assessments, and any other compliance questions. This gave General Dynamics more confidence in Electronic Components' ability to become fully compliant and to be their long-term vendor for specialized components.
“I can't tell you how complimentary General Dynamics was towards us. You want to see smiles and laughter from your customer, and that’s what we got from General Dynamics.”
Steve Holmes
Operations Manager at Electronic Components
The struggle of solving compliance in-house
Electronic Components began their compliance journey by attempting to address NIST 800-171 and CMMC requirements in-house. Over 18 months, Steve and Eric worked with an IT contractor to meet these requirements but made very slow progress. Despite Steve's deep technical background as a lawyer and electrical engineer, Eric's IT experience, and the assistance of an IT contractor, the compliance process was complicated, time-consuming, and expensive. A huge challenge they faced was the lack of expertise and not knowing what the government was looking for.
“We were struggling on our own and making incremental progress painfully and slowly and at a high cost.”
Steve Holmes
Operations Manager at Electronic Components
As a small company, Electronic Components found that custom building this internally wasn’t feasible or a good use of resources. Therefore, Steve explored third-party solutions to help Electronic Components meet NIST 800-171 and CMMC compliance requirements. After speaking with eight different vendors, Steve decided to choose Atomus. Atomus provided a solution with a secure organizational enclave that allowed Electronic Components to start small. This would allow Electronic Components to effectively segment the individuals in their company who handle CUI. Furthermore, from a compliance perspective, having an automated solution, expert guidance, and support would significantly alleviate the team's workload. As a result, in just two weeks of using Atomus, Electronic Components achieved more progress towards full compliance than during the entire 18 months of attempting it in-house.
Cybersecurity compliance will be the future standard
After their experience with Atomus, Electronic Components now has a clear understanding of what to expect from the DoD and other prime contractors in preparation for the upcoming CMMC requirements. Once these requirements are finalized, they will significantly impact DoD contractors and the entire ecosystem. By proactively meeting these compliance requirements early, Electronic Components now has an advantage over its competitors. Not only have they built up trust with current customers, but they are also using their compliance status as a marketing strategy to attract new customers.