Join us as we welcome cybersecurity expert Paul LaPorte from the Advanced Institute for Manufacturing (AIM) to shed light on the pressing issue of cyber threats facing small to medium-sized manufacturers. In our latest conversation, Paul explains the allure of these businesses to cybercriminals and the critical need for robust cybersecurity measures. We tackle the complexities of the NIST 800-171 guidelines, essential for manufacturers within the Department of Defense supply chain, and the emerging Cybersecurity Maturity Model Certification (CMMC). These discussions underscore the importance of staying proactive in cybersecurity to safeguard sensitive information and maintain eligibility for DoD contracts.
Listen in as we also discuss the financial and time constraints that manufacturers face when implementing cybersecurity protocols. Our conversation lays out the support available through the New York State Cybersecurity Manufacturing Initiatives Grant, designed to offset the costs of cybersecurity assessments for small and medium-sized manufacturers.
Steve Melito: Hey everybody, welcome to New York State Manufacturing Now, the podcast that’s powered by FuzeHub. I’m your host, Steve Melito. Today we’re talking to Paul LaPorte, the cybersecurity coordinator for the Advanced Institute for Manufacturing, or AIM, in Utica, New York. AIM is the Mohawk Valley’s New York State Manufacturing Extension Partnership Center, and Paul has provided cybersecurity services and education to over 300 manufacturers statewide. Paul LaPorte, welcome to New York State Manufacturing Now.
Paul LaPorte: Hi Steve, thank you so much for having me on.
Steve Melito: You bet. So Paul, hackers can target anyone or anything with an internet connection. Why are they after manufacturers?
Paul LaPorte: Well, I think the answer to that lies somewhat in the question, in that hackers can target anyone or anything, so the targets that they’re going to choose are going to be a combination of the targets that are going to give them their greatest return for the least effort.
And when you look at possible targets that would fit that bill, you would be looking at businesses that are probably on the smaller side, that are either short staffed or maybe they’re in an industry or a business that isn’t necessarily as technologically minded, and if you take all those things and kind of put them together, manufacturers, especially small to medium manufacturers, tend to come up very high on that list. There’s a lot of things that those types of businesses need to worry about, as a lot of your listeners I’m sure will well know, and because of that, cybersecurity tends to either take a back seat or just gets ignored entirely, or becomes one of those issues where it’s something that they know they need to deal with at some point, but maybe it’ll get into next quarter or next year or when we have the budget for it. And they see an opportunity there for getting a lot of return for a fairly little amount of effort.
Steve Melito: That makes sense. So in the world of cybersecurity there’s something called NIST 800-171. What is it, who does it apply to and why does it matter to manufacturers?
Paul LaPorte: So the NIST 800-171, if we’re getting super specific, is a set of cybersecurity guidelines that was issued by the National Institute of Standards and Technology, who offer lots of different technical guidance and guidelines for a variety of industries and a variety of subjects.
The 800-171 specifically was drafted with the idea of manufacturing businesses in mind and, going beyond that, it was drafted for manufacturing businesses who are working with Department of Defense companies specifically, and handling a subset of information called controlled unclassified information.
Now, the best way to describe CUI or controlled unclassified information if you’ve never heard the term before is it’s effectively information that the government hasn’t given any sort of formal classification to, so you don’t need any sort of government clearance to read necessarily like classified secret, top secret, nothing like that, but it’s information that they still don’t necessarily want available to the public. So some examples of this can be in regards to particular parts, particular machines being used, particular vehicles, aircraft, naval craft, things like that, particular locations. There’s a wide variety of markings and subjects that can fall under that. But when we are looking at manufacturers who are doing work for those types of projects, that is the type of information they’re potentially handling and that is who these guidelines are really specifically geared towards, but it is worth mentioning that I do use these guidelines even when we’re working with companies who are not in the Department of Defense supply chain, because it overall provides a very good cybersecurity foundation that can be beneficial to companies of all different types, not just those working in the DoD space.
Steve Melito: Got it. So, Paul, there’s also something called Cybersecurity Maturity Model Certification, or CMMC. Does CMMC make this NIST standard obsolete and, if not, what’s the relationship between the two?
Paul LaPorte: So, it certainly doesn’t make it obsolete. If anything, it really reinforces it because the CMMC, the Cybersecurity Maturity Model Certification, is really taking the NIST 800-171 guidelines and trying to move them into a realm in which there is some sort of formal certification for these small and medium manufacturers who need to meet these guidelines. Currently, the DFARS clauses in our DoD contracts, in the DoD supply chain that these manufacturers have, say that they need to meet these NIST 800-171 guidelines, but, since it’s been implemented back in 2015, these guidelines have been self-assessed and self-reported. It is up to the manufacturers themselves to kind of police themselves and meet these guidelines.
CMMC is the latest effort to try and make that an actual structured process. Now, if you’re in manufacturing, you’re probably familiar with other certifications like the ISO certifications, AS9100, ITAR; those are just a few different ones that come to mind. This is trying to do a similar thing where, instead of just self-reporting your compliance to these guidelines, it is trying to make sure that you’re actually firmly certified. You will have an auditor that will come in, just like for the other certifications, like your ISO, your AS9100. They will do an audit of your organization and if they feel that you’re meeting all of the guidelines, then they will issue you that certification and now you are approved to work on that level of projects with the Department of Defense.
And there are currently, in the existing model that is being presented, three levels to CMMC certification. The first is if you are really handling any sort of information at all within the Department of Defense supply chain. The second level is if you are handling that controlled unclassified information we talked about before. And then the third level is if you are doing extremely advanced work. That level is usually reserved for more of the prime contractors, the extremely large manufacturers, things like that. So if you’re a small and medium manufacturer and you’re working in that DoD supply chain, you’re probably concerned more about whether you’re going to be level one or level two and then, based on that requirement, you will have a different set of standards to meet and a different auditing process to go through.
Steve Melito: Got it. So the DOD, or the Department of Defense, recently published a proposed final rule for CMMC. If it’s just a proposal and if the standard isn’t final, why worry about CMMC now? In other words, why not just wait?
Paul LaPorte: Well, for the first part of the question regarding worrying about it currently, technically, all of the things that the CMMC certification is asking of you are being asked currently. So again, if you’re somebody who is going to need to be concerned with a CMMC certification, you are probably somebody who needs to be meeting NIST 800-171 guidelines right now and just self-assessing, like we discussed previously. So really this is already a concern of yours. It should definitely still be on your mind.
The other reason to give it consideration now is that, in the event that the rule does get approved and things do start to go into place where we actually see this on contracts, you don’t want to be left behind the starting line and have everybody else around you get a big jump on those potential bids and that potential business.
You really want to try and get as much as you can done now, as opposed to waiting until it’s through and then trying to catch up to everybody else. Also, that is going to help you kind of spread out any potential costs or investments you’ll need to make in order to meet those guidelines. If you are working on it now and you have a few years to work on that, as opposed to not starting until the final rulemaking has gone through and now maybe you only have three to six months, it’s going to be a lot easier to kind of spread out those costs and plan for the rollout of those changes, as opposed to just scrambling and trying to fit everything in before the deadline when this actually becomes written into these contracts.
Steve Melito: Sure, makes a lot of sense. Now, CMMC’s goal, as I understand it, is to ensure that defense contractors don’t get hacked. If you’re not a defense contractor and you have no intention of being one for whatever reason, can you just ignore CMMC?
Paul LaPorte: So you do not need to be concerned with getting a CMMC certification if you really have no aspirations or plans to work in the Department of Defense Supply Chain. This is specifically a certification for DOD manufacturers. Now, with that being said, and going back to the NIST 800-171 standard, which is just a set of guidelines for organizations to follow, it is still a good idea to go through some sort of review, overview, audit of your current cybersecurity profile and just see where you’re at. Like I said, when we do our assessments, I do compare to the NIST 800-171 guidelines because it is a very comprehensive and holistic approach to just protecting your information in general, not just from a technical level. The 800-171 has elements for physical security, personnel security policies, training. It’s very, very good as far as that goes.
So I think, even if this is not something you’re being explicitly asked to do by any sort of contractor or is not part of any sort of requirements that you need to meet, it is still a good idea to consider it just for the safety of your own business.
So if you’re the victim of some sort of attack or you’re compromised in some sort of way and you don’t have these clauses in your contracts, then maybe you won’t get in contractual trouble with the people you’re working with, but you’re still going to lose business, you’re still going to be damaged, you may lose customers as a result of the impact to your reputation that is a result of being the victim of an attack. So this is something that, again, we are worried about. People meeting contractual obligations, certainly, but my number one focus for cybersecurity is just making sure that you, as an organization, are doing what you can to protect yourself and maintain your business and stay alive in this very competitive marketplace for years and decades to come. And, from a cybersecurity perspective, you’re really going to get a lot of benefit out of giving those topics some consideration, whether or not you’re explicitly being asked to.
Steve Melito: Got it. So, Paul, time is one of the reasons that manufacturers delay cybersecurity. They just don’t have it. Another reason is money. They feel they don’t have it, but there is a grant that’s available for New York State manufacturers that pays for a cybersecurity assessment. What’s in the grant, and why do you need an assessment if that’s not what’s going to fix your problems?
Paul LaPorte: Yes, so there is currently a grant available called the New York State Cybersecurity Manufacturing Initiatives Grant, and it is right now in the phase where we are providing assessments. We are facilitating that grant at AIM, providing assessments for small and medium manufacturers, again, both in the DoD supply chain and outside of the DoD supply chain. This grant covers about, I believe, 80% or so of the cost of an assessment, so the assessment would normally be in the $7,500 range. The grant provides $6,000 in funding, leaving $1,500 due to the manufacturer, which is quite a bargain for a process like that. And regarding why an assessment is a worthwhile step when it’s not necessarily going to fix the problems, as you mentioned, it is difficult to fix the problems within an organization if you don’t know what the problems are. What the cybersecurity assessment does is provide you with a very complete and detailed listing of what you’re doing as a whole, and then we highlight the things that you are doing well, the things that need to be worked on and maybe the things that lie somewhere in between. And then, for anything that isn’t being done well or isn’t really up to par with the 800-171 guidelines, we make recommendations for how you can meet those specific requirements. When we go through and do our assessments, we sometimes will make multiple recommendations for each particular item, because the nice thing about the 800-171 is that it is meant to be very flexible in terms of how you meet these guidelines.
So if we go in and do an assessment with an organization and we find that there are certain issues that they’re having or certain gaps in their overall cybersecurity, we can suggest methods to resolve those. Maybe some will include an investment of money, maybe some won’t, maybe they’ll just be more of an investment of time, and we can really try and figure out the balance for each of those organizations. We can do that on a personal level, really to kind of customize that and fit it specifically and exactly towards your organization. And this way it gives you a clearer picture of what needs to be done, because in terms of these assessments, as you mentioned at the beginning, I’ve done hundreds of these for organizations. I generally know the lay of the land. It’s what I do for a living.
So this tends to be more of an enlightening and clear-cut process than handing this over to your IT contractors or to your IT administrator, if you have one that works within your organization, and then having them try to decipher this on top of all the other things that they do for their day-to-day work. Sometimes it really is beneficial to have somebody who completely understands the standards, with an outside set of eyes, come in and take a look. Then, instead of the IT professionals that you work with having to decipher and come up with their own solutions, we can provide you with, effectively, a list of these things that need to be resolved, and then you can pass that off to your IT professionals. That ends up being a much more efficient use of time, and if you’re working with an IT contractor, billable hours, than it would be if you’re trying to get them to do all this work on their own.
Steve Melito: Got it. So, Paul, one last question. AIM and FuzeHub are having a cybersecurity workshop in Utica, New York on February 13th. Why should someone who’s listening to this podcast go?
Paul LaPorte: Well, the food services team and MVCC make some very good pastries, so I guess that can be a reason number one.
And, seriously speaking, if you are a manufacturer and you have any questions about this, even things that maybe were brought up during this discussion that we’re having right now, or you just want to get more information on the grants or what other programs might be available, or if you’re looking to get just general cybersecurity information, we are going to have two presenters.
I’m going to be one of them.
Our Dean of STEM at MVCC, Jake Mihevc, is going to be another, and we’re going to start off the morning by giving presentations on really general cybersecurity subjects, in terms of the kind of high-level government intervention, military intervention, things like that, from Jake’s perspective. Then, from my perspective, we’ll focus in a little bit more closely on manufacturing and how these topics affect small and medium manufacturers, as well as discussing the grant. And then we’re also going to have a panel at the end of that that is going to include both myself and Jake, but we’re also going to have Jamie Sweet, who is the president of Hartman Enterprises, who is a manufacturer, who is going to give some insight on what this process looks like from a manufacturer’s eyes. We’re going to have some other guests on there as well, and it’s going to be moderated by Dana Citron, who works with OrbitalFire, which is an IT services provider that works specifically with small businesses in general. There we’re going to be discussing these topics in a little more detail and, more specifically and more importantly, answering questions that the audience has.
So, really, if this is something that you know is either on your mind or being asked of you by your contractors and you want more information, I would definitely recommend you come on down on the 13th. It’s also a great networking opportunity. There’s going to be a lot of other manufacturers from the central New York region there, so you can use this as an opportunity to meet some new faces and potentially jump up some new business. There’s a lot of different benefits for going to the workshop, so I would encourage you to head on over to the FuzeHub website, sign up, and I hope to see you there.
Steve Melito: Excellent. Paul LaPorte, thanks so much for being on New York State Manufacturing Now.
Paul LaPorte: Thank you very much for having me.
Steve Melito: So we’ve been talking to Paul LaPorte. He’s the Cybersecurity Coordinator for the Advanced Institute for Manufacturing, or AIM, in Utica, New York, and AIM and FuzeHub want you to attend the event that Paul and I just discussed. It’s called the Mohawk Valley Cyber Security Workshop and it’s scheduled for February 13th 2024, from 8:30am to 11:45am at the MVCC thINCubator in Utica. How do you register? There’s a link. It’s b-i-t dot l-y, slash three, N as in Nancy, V as in Victor, R as in red, S as in Sam, two in the lowercase letter G. Or, if you’re not great at memorizing things that sound like license plates, just email me and I’ll take care of you. My email address is SteveMelito at FuzeHub dot com. That’s S-T-E-V-E-M-E-L-I-T-O at FuzeHub dot com. If all else fails, just go to the website and contact us there. On behalf of New York State Manufacturing Now, this is Steve Melito signing off.