Aerospace & Defense
How Exosonic became DFARS 7012 compliant using Atomus
07/2024
5 min read
About Exosonic
Exosonic is an aerospace company developing the world’s first low boom, quiet supersonic passenger airliner using shaped sonic boom technology. The company was founded with a vision to bring people together through faster travel and with a commitment to environmentally sustainable practices. Notable customers of the company include the US Air Force, specifically Air Combat Command, Air Force Research Laboratory and the Presidential and Executive Airlift Directorate.
“An important part of selecting compliance technology is avoiding impact to our technical work from basic calculations to high performance computing. The Atomus product doesn’t compromise cybersecurity, compliance or performance.”
Tim Macdonald
CTO of Exosonic
Additional Factors Covered In This Case Study
- ITAR Requirements – Exosonic needs to make sure internal services such as email, file sharing, etc. are kept in compliant environments.
- Subcontractors – Exosonic has multiple subcontractors. As a prime contractor, Exosonic must ensure that not only its internal systems are kept compliant but also the systems of its sub-contractors which it shares information with as part of its Department of Defense contracts.
- Migration – As part of the compliance process Exosonic needed to shift internal services such as file storage and email to a government commercial cloud. This necessitated migration of existing services to a more compliant environment.
- Remote Work – Given that Exosonic’s employees are geographically distributed, it is challenging to ship new hardware and train employees on new systems.
The Decision-Making Process
Exosonic is growing its business in the aerospace and defense market and needed to show current and future customers how it kept company data secure and compliant. As an aerospace company, Exosonic needed to comply with DFARS 7012 and ITAR requirements. The company considered three options:
Option 1: Build Custom Cybersecurity
The company could devote an internal team of engineers to go through the 110 controls and custom build a cybersecurity stack for the company. This team would need to make sure the system is compliant not only with DFARS 7012, but with ITAR as well. Once the engineers picked, built, and configured the different cybersecurity solutions, they would then need to document these decisions in a System Security Plan (SSP), which runs on average about 300+ pages per company. This SSP would need to be updated every time a new employee was added, new software was downloaded onto a computer, etc., making it a huge headache to develop and manage. Most importantly, after going through the painful process, there was no assurance that the company would have set up its system correctly.
Time Cost: 5-6 months
Monetary Cost: $$$ High
ITAR Compliance: Extremely Challenging. Engineers would need to do a deep dive into existing products on the market to verify DFARS 7012 and ITAR compliance. Without prior experience in compliance the company would have low confidence of ITAR and DFARS 7012 compliance.
Documentation: Extremely Challenging. Engineers would need to build a 300-to-400-page documentation package that shows how their systems comply with each requirement. More importantly, the company’s engineers would need to constantly update this document to ensure it is kept up to date.
Subcontractors: No solution. The company would need to pay for a third-party questionnaire service to send hundreds of pages of paperwork to its subcontractors to verify their compliance. This spending would not directly increase the cybersecurity of the company’s supply chain or get its subcontractors closer to compliance.
Migration: No solution. The company would need to find a third-party service to migrate the company’s resources to a new environment.
Remote Capability: Challenging. The company would need to coordinate sending new hardware to geographically dispersed employees and manage training them on new systems.
Option 2: Hire a Third Party Provider
The company could hire a third party provider to custom build a compliant solution for Exosonic. The custom build would add to cost, time and complexity. Moreover, as time goes on, the company would need to pay by the hour for updates to the System Security Plan. Most importantly, after going through the painful process, there was no assurance that the company would have set up its system correctly. If Exosonic was audited and a system was found to be set up incorrectly, Exosonic would need to pay additional costs by the hour in order to remediate the vulnerabilities.
Time Cost: 3-4 months
Monetary Cost: $$$$ Extremely High
ITAR Compliance: Solved
Documentation: Challenging. A third party provider might only help with a portion of the controls, leaving the rest of the documentation burden on the business. This still means the company’s engineers would be burdened with constantly updating documentation to stay compliant.
Subcontractors: No solution. Third party providers would not be able to do anything to ensure compliance of subcontractors.
Migration: No solution. The company would need to find a third-party service to migrate the company’s resources to a new environment.
Remote Capability: Challenging. The third party provider would still need to coordinate sending new hardware to geographically dispersed employees and manage training them on new systems.
Option 3: Onboard to Atomus Aegis
The company could onboard to Atomus Aegis, which is pre-built and compliant with DFARS 7012 requirements out of the box. Instead of building a custom cybersecurity stack, Atomus’ software creates a standardized enclave on a computer. Because Atomus’ software is used by dozens of different customers, Atomus is able to use its scale to negotiate a low price and pass the savings on. More importantly, Atomus is able to completely automate compliance documentation for customers. This paperwork and technology have been assessed by third party cybersecurity experts selected by the Department of Defense, giving the company a level of assurance that it is fully compliant.
Time Cost: < 2 weeks
Monetary Cost: $$ Moderate
ITAR Compliance: Solved. Atomus has a SKU that is both ITAR and DFARS 7012 compliant.
Documentation: Solved. Atomus auto generates the documentation requirements for DFARS 7012, and includes additional company policies and procedures to ensure full compliance.
Subcontractors: Solved. Atomus’ technology can be easily deployed to Exosonic’s subcontractors to ensure they are keeping shared data compliant and safe.
Migration: Solved. Atomus does migration of company internal services in house.
Remote Capability: Solved. Atomus requires no new hardware and gives users the same Windows experience they are used to.
Choosing Atomus
Exosonic made the decision to go with Atomus, reducing the time, cost, and headache of complying with cybersecurity requirements on its own. The company was able to increase trust with its customers and continue to grow its military sales.