CyberSound
CyberSound™ is a podcast built by and for business owners and professionals. Tune in as our cybersecurity experts cover the latest news regarding IT security, the most recent and relevant threats organizations are facing today, and provide tips to keep your business safe.
CyberSound
104 - Steve Prout: Navigating CMMC Compliance with Vancord for Alpha Q's Success | 2024
In this episode of CyberSound, Vancord's Cybersecurity Podcast hosts Jason and Michael are joined by Steve Prout, President of Vancord's client, Alpha Q, to discuss the critical intersection of cybersecurity and advanced manufacturing. Steve highlights Alpha Q's impressive 60-year legacy, detailing its two business segments: complex component machining for major clients like Sikorsky and Rolls Royce, and precision gaging through Glastonbury Southern Gage.
Emphasizing the impact of the Cybersecurity Maturity Model Certification (CMMC) on small businesses, Steve shares the challenges and costs associated with compliance, such as enhanced security measures and regulatory adherence. The discussion underscores the evolving nature of cybersecurity standards and the essential role of trusted IT partners in navigating these complexities.
______________
Stay up to date on the latest cybersecurity news and industry insights by
subscribing to our channel and visiting our blog at https://www.vancord.com/💻.
Stay Connected with us 🤳
LinkedIn: https://www.linkedin.com/company/vancord
Facebook: https://www.facebook.com/VancordCS
Instagram: https://www.instagram.com/vancordsecurity/
Twitter: https://twitter.com/VancordSecurity
00:01
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:11
Welcome to CyberSound. I'm your host, Jason Pufahl, joined by our CEO, Michael Grande.
Michael Grande 00:16
Great to be here!
Jason Pufahl 00:17
And a special guest today, the President of Alpha Q, Steve Prout. Welcome, Steve.
Steve Prout 00:23
Yeah, and thank you, Jason and Michael for having me. And I also wanted to thank Vancord for all you do for Alpha Q, as our IT provider. So, I've been President of Alpha Q now, as we were just discussing before, we started this for about 30 years and Alpha Q has been in business for 60 years, it's pretty incredible. And we're made up of two business segments, one is Alpha Q, a machining operation, that machines complex components for various customers like Sikorsky, Rolls Royce, Raytheon, Honeywell and others. With Sikorsky we do flight safety critical components, we've been a sixth time awarded Flight Safety Elite Supplier, which I don't know of any other suppliers done that. At Rolls Royce, we've been awarded as the most engaged supplier. Hopefully, we're not selling the parts too cheap as a result of that, and in these parts would include things like transmission cases, gearboxes, compressor cases, fuel manifolds, etc. We have another segment of our company that's called Glastonbury Southern Gage. There, we manufacture fixed limits cylindrical gaging, which includes thread plugs and thread rings, plain cylindrical rings, and plugs and discs. And we do a lot of specials for customers, which are very exacting tolerances, we actually have some products, where we hold the tolerance of the part to 10 millionths of an inch. Now to put that in perspective, the diameter of a human hair is 3000s. So this is more than 100 times smaller than the diameter of a human hair, which is pretty unbelievable, even when I see it happening. We have a great group of people that makes all this happen. We're about 200 employees, we have a manufacturing operation in Colchester, Connecticut, and one in Aaron, Tennessee.
Michael Grande 02:19
That's, so precision is a is a key and a fundamental part of the business as I'm sure quality is.
Steve Prout 02:26
Absolutely. So we start out by living every day with a quality motto, as a matter of fact, Alpha Q came about from that very same thing. Alpha being first, the Greek word first, Q standing for quality, and our tagline is Where Quality Comes First. So every time you think is when somebody talks about Alpha Q, they're talking about quality.
Michael Grande 02:50
That's tremendous sort of segwaying into not only our relationship, but maybe the, you know, increased focus over the last several years on cybersecurity and different measures and, and compliance standards that have been rolled out by United States government, DOD, we're talking about CMMC a little bit today.
Jason Pufahl 03:11
Right, and certainly, you rolled off probably some of the biggest prime contractors right in that in certainly in the defense space, and you're talking about aerospace and aeronautics. I assume, right, you had to do a lot of CMMC work. I think you started your journey even slightly before us, but certainly over the last four years with us. Talk a little bit about if you could honestly, pros and cons of CMMC from your perspective, because you're in a regulated space. So I'm sure you've got a variety of perspectives here.
Steve Prout 03:41
As you might imagine, from the customer base that I mentioned to you, we do a lot of defense work defense, and our machining side of our business is you know, like 90% of our business. So we are very attuned to what you have to do to be able to the to play in that space. I will tell you that NIST-800 CMMC is got to be one of the more far reaching compliance requirements we've ever faced in 60 years. So that's how, that's the magnitude we look at it. Obviously, everybody's concerned about cybersecurity, regardless of any of this. And we all want to protect ourselves. We all have operated with closely regarded company secrets for years. I mean, like I said, we've been in business 60 years, we've had NDAs with every customer just about that we've ever done business with and we treat those seriously. Now you take this and you put it on steroids, and that's what we're dealing with. And for a small company, it's a huge situation. I mean, as you guys know that's like 110 controls, 350 items that you got to deal with. And as you mentioned, I mean we been on this journey now for probably a little over two years. And we were thinking about a little before that. Every year, our customer comes to us and says, okay, what's your score? Where are you on this journey, give us your score, and give us your plan to get to completion. And as you're well aware, things have changed even during this timeframe. So, you know, people's expectation of what those 110 controls mean, what they encompass, how far you have to go with that, it keeps evolving, as you might expect. And, you know, I will be honest with you, if it wasn't for our customers demanding that we do it, we would do some of it that relates to cybersecurity, and trolling. And making sure bad actors don't get into our business, making sure we keep all the intellectual data that we have, you know, secure. But we wouldn't go to the extent that it's required. And let me give you a couple examples of that, one is, they want you to have somebody a score, any person who's not an employee of the company, when they're in your plant, we regularly have people that come in to do various things, as simple as putting mats and rugs down in certain places in the company to stop for slippage and stop things from happening. Under this regulation, we'd have to have somebody walk around with that person where today, yeah, they just walk around and do the job, right, we have a person coming in, that does solvents that we use to clean parts, those tanks have to be exchanged, the solvent has to be exchanged, we now have to have somebody that walks around with them and stays with them while they're doing that, while previously, we never did that, we have people that come in and do equipment maintenance for us. And we've trusted these people for ever since I've been with the company. Now I have to have somebody with them. So it just goes on and on and on, from a computer standpoint, there's no way we could do it by ourselves. So we have, you know, illicit Vancord as a trusted partner, to get us through this. And they've got tools, and they've done it, you know, with other companies as well. So you know, why try to recreate everything, when there's things that are already exist that can help you. But, you know, we look at this, it's going to be somewhere between a half a million to a million dollar investment to get it started, get it all under compliance, get it to the audit. And, you know, from our recollection, they're going to audit all 350 of these object points. Can you imagine how long it's going to take an auditor to go through 350? I mean, this guy is gonna camp out here.
Jason Pufahl 08:03
You mentioned something at the beginning, which I thought was interesting is, it has been a bit of a moving target, right? I mean, when they announced it, it was pretty straightforward. And it got more complex, they brought it back out for public discussion, even recently enclosed that. So even over the handful of years that you've been dealing with it, the standard has evolved, the finish line keeps moving a little bit, it does and that that idea of the assessment, you know that future audit and assessment is still not perfectly clear. So what we have seen, and I think one of the places that you've done a great job is having started this a couple of years ago, because we absolutely get inquiries today from clients who say, other than other than going through and getting a score, I've done no work to address any of my gaps, I've done no work to actually improve the security posture. And now they're starting to see more regular contractual requirements to comply with this. So it, the time was definitely two years ago to really start it. And it's formal enough now that that anybody who hasn't is really behind the eight ball.
Steve Prout 09:04
Well thank goodness, that it's not been a hard fact, in our contractual purchase orders. Because once that happens, then all bets are off. I mean, you know, you can't ship product until you're compliant. And that's coming. So it's coming. Thank god, it's not here right now. Because I will tell you that not only does it cover us, and we're covered because of our association with these companies I mentioned okay, it's not like we're we are looking at doing some work directly with the government but to hear to for it's been with a prime contractor, they flowed it down to us. Guess who I do business with? I do business with companies that have 10 employees up to 30 employees. And when I talk to them about this, they look at me and say yeah, we've heard about it, but we're not going to do that. If you get all these critical functions that you rely on every day to be done, and they don't comply, you're in a pickle.
Michael Grande 10:13
So it leads to it leads to a sort of the natural evolution of the question, you know, at what point is progress inhibited you know, by all this development, but your, your, your supply chain? Do you see any potential, you know, long term challenges, you know, for those smaller organizations, once they have to sort of, you know, become in compliance, and sort of fall attack to make sure that you're in compliance, so that you can maintain with your primes? Is that, is that a long term concern for you?
Steve Prout 10:47
Absolutely, it's a long term concern. And as a matter of fact, we're starting to take a look at it and say, okay, which ones do we think that we'll eventually get on board, because some of these people also do directly with the prime that we do business with, we have a couple of those. And we have other ones that do enough with companies like ourselves that they're gonna go to him and say, look, we have no choice, you know, either you get this certification, or I can't do business with you anymore. Now, will someone finally get the idea that, hey, maybe that company doesn't have to comply with 110 items, 350 things? Maybe it's a scaled down version of that. And I'm hoping that at some point, that's what happens to allow us all to have some way forward with this. But otherwise, we're going to not only do the investment in CMMC compliance, we're going to have to take on those other responsibilities that quite frankly, we don't do today, right? Because that's the only way we're gonna be able to manufacture the product.
Jason Pufahl 11:53
Or provide some support to some of the smaller vendors. Because you're because you're right, it seems 110 controls does not seem that onerous. And then you say your 320 objectives on top of that, right, all of a sudden, you, you tripled it, it sort of slides it in there. But part of me wonders, you know, how, will there be a point where these four, five, ten person, machine shops or manufacturing plants, they can't actually do it. Do they, is there an acquisition opportunity? Is it simply providing some support to roll them into your systems? There's going to be some challenges ahead.
Steve Prout 12:27
We could encompass all above, I mean, they may have to find somebody like an Alpha Q, who's going to be compliant and sell to them, or merge with them, or do some other combination that allows them to use our certification to be able to do it. But then as you know, that just means that we've got to really be responsible for making sure that their systems, we put our systems into their shots. And the other side of this is, you know, you go through all this, and as good as you guys are to work with. And as good as we're trying to be, you still have to have a fallback. You still have to have all your backups, you have to have all your backup procedures. Because nobody can tell you it's a failsafe. Yeah, you know, we've had those conversations and you, you hate those conversations with me, when I tell you, I want you to guarantee me that our system is 100% safe.
Michael Grande 13:24
Yeah, your 10 millionths of an inch tolerance, you know, it sort of doesn't directly translate into the cybersecurity world. You know, at least with uptime, were able to guarantee a few things. You know, how much of a concern was it, maybe walk through the history prior to CMMC becoming part of our lexicon of, of the concerns of maybe bad actors and and people going after your intellectual property or sort of those trade secrets that you would normally deal with? Especially maybe nation states pursuing things. If you're in the aerospace and defense industrial base, you know, was that a concern for you, 10, 15, 20 years ago?
Steve Prout 14:08
Well, maybe not 20 years ago, but certainly since then, our biggest concern was a constructing a firewall that we thought was adequate to make sure that just anything or anybody couldn't get into our system. And their second biggest thing was is the educating our population to not open certain documents that would get through that look like they were coming from people that you shouldn't be able to rely on either somebody you knew, or, you know, it looked like it came from Microsoft, it looked like it came from somebody else. So we've done we started doing, you know, probably six, seven years ago, some education with people by sending out some things. And we told people we're going to do this sending out some things so they could see if they could recognize the fact that hey, you know, this is not something I'm supposed to open or not something I'm supposed to be looking at, and then letting our IT department know about it. So that was basically our concern from that standpoint, and from a, you know, keeping things secure. I mean, we always looked at doing that, when we, like I said, we had NDAs what all these customers were talking about, we pass back and, you know, pass shortly from them to us all their drawings and, and technology related to that particular thing that we were building for them, because we're building it to their requirement. And we have auditors in here all the time, that audit what we do. And so we were always conscious of that. But, you know, this is ratcheted it up on on another big scale. And you look at what we got to do, you know, like, you're saying, This thing keeps evolving and getting bigger and bigger and bigger. And now, I just read an article over the weekend about AI, and it's an impact on cybersecurity, and it's going to be a whole nother gambit. So, and in our world, and in manufacturing's, we're trying to go all digital, you know, when you look at the factory, and you look at how data flows from one place to another, and how we control our machine tools, and all those types of things. We're, we're going more digital all the time. And what happens when you go to more digitation? You have, you introduce the risk, more data, because there's a network to this. I mean, you know, yeah, we hire war, hard, hard wire, a lot of stuff. But at the end of the day, it goes back to something.
Michael Grande 16:39
And so I was gonna, I was going to just touch on sort of the challenges, the unique challenges that your industry has been facing advanced manufacturing over the last, you know, decade plus, you know, you've got, you've got labor, obviously, challenges that are ahead, I would assume over the next 10 or 20 years, with a lot of sort of knowledge and knowledge transfer. Now we're introducing right, these these sort of new regulations and new compliance standards. Does that shape the way that you look for additional talent, people who are aware of some of these things that are going to be able to to work with these programs and systems? When they come in, is it sort of start start young? Do you have a sort of a talent pool that you normally draw from?
Steve Prout 17:25
Oh, to answer those questions, we are already looking at a a talent that we're asking for the person walking in the door that's higher than it was before. And it's higher and respect to the fact that they need to work with in many cases, computerized controlled equipment. And in some cases, we still use some manual equipment that's important to us. And we like the people that still like to do that. But a lot of it has computer controls to it. So they got to be willing to accept that environment and work within our environment. And we have relied in the last 10 years on tech schools, the high school tech program, that's bringing out machinist, we've had people and we're allowed to have people coming through that program that can work starting when they're a junior in high school, they get credit for working so many hours, as a senior, that number of hours can increase. And then we can hire them after that. So we've done that a number of times. And some of our best young people have come through that mechanism. And so we work with all the local, you know, tech schools, we love working with Goodwin, one of our top people in our company is on the manufacturing council at Goodwin, trying to assist with that where the direction of that program is going. But you know, labor in Connecticut's a huge issue. I mean, you know it from your business, from our business it is, you know, we're not that far from Electric Boat, they're in a massive hiring, you know, uptick. We're in a growth pattern. So we've got everybody kind of hitting on all cylinders, and you're all looking for people. And one of the things we also have to do, though, is get more productive. So how do you be more productive, you know, you, you look at ways where you can automate things. And this is not necessarily taking all the computer, I mean, human involvement out, but it's assisting the human involved. So you know, what kind of software programs can I Institute what kind of, you know, things can I look at that automatically tell me what the process is going to look like before I actually do the process? Okay. And can I use robotics? Can I use something that's not totally robotic, but its assistant or robotic assist? So, you know, we're looking at all of that, and you have to I mean, you know, to be in business today, I think that's what's gonna tact.
Jason Pufahl 19:56
And that is one of the difficult things about manufacturing is you have so many of these purpose spelt devices as well. So we're, we're working on CMMC, we have all of these controls, a lot of them are, are perfectly designed for your traditional computer equipment, but then your operational tech is a little bit more challenging, often to secure. And yet, that's what we're being faced with doing. So it's a really complex topic. It has a lot of elements and a lot of decision making. And I think one of the roles hopefully, that we play is trying to say, well, are there places that we can make decisions that actually help sort of constrict the scope of this a little bit and make it a little bit less onerous to deal with is not easy to do. But it's got to be the questions that people are asking when they're going through this.
Steve Prout 20:39
It's critical, it's critical to make practical sense out of what we have, and what we're facing. You know, the thing I mentioned before about the people coming into your plant and what they do, I mean, you know, really is the guy who's changing our solvent going to be your problem, no he's not going to be the problem, okay? So there's got to be some common sense, if you will put to you know, what you have to do, but our costs each year are going to increase because of this, it's not just a one time cost. You got to keep it all up. You know, as you know, you gotta document every program, it's on every computer,
Jason Pufahl 21:18
Well, this is a document heavy regulation, right? That standard.
Steve Prout 21:23
Microsoft 365 is double the costs from a what I would call secure Microsoft 365 to being ITAR, CMMC compliant, you gotta go to their maximum level, and that's doubled, right. And you pay that every year,
Jason Pufahl 21:38
And that's simply a cost, right, and basically, an unavoidable cost. So it, this is a complex topic, and you've started your journey, you're, you're certainly making progress, the finish line is moving less far away, right, which I suppose is a positive. Now we have a sense of exactly really where the standards hit today and in ideas about when the assessments will really begin, and they're starting to they're starting to boost that that part of the business up. I'm proud to be able to say that we that we're working with you on this, it's great to have a company three times older than us. Right, so we'll have our 20th there this year,
Michael Grande 22:23
60 years for Alpha Q and GSG. That's fantastic.
Steve Prout 22:27
Yeah, 60 years this year. That's why I look as young as I do.
Jason Pufahl 22:32
Yes, yeah, you don't look a day over 50.
Michael Grande 22:36
Well it's not due to all the new standards that are being passed down for you to comply with.
Steve Prout 22:40
No, it really is a testament to all the people that work here, as you know, a company is made up the people that work there. And luckily, you know, we have a good group of people. You know, we just celebrated last this week, we will celebrate an employee in our Tennessee facility with 60 years with a company.
Jason Pufahl 23:01
That's fantastic. Basically, day one. Yeah, guy, that's great.
Steve Prout 23:04
And he took a picture with he and three other people that are still working at the company that more than 50. So you can imagine you got those four people together, they have over 200 years of experience.
Jason Pufahl 23:18
And you see that you don't see that kind of longevity in most places, now.
Michael Grande 23:23
That's a testament to the quality. And that's a great, that's a great reputation to have, as well as being proactive about all these new measures that you've got to comply with on the cybersecurity side. So you know, kudos to you and the organization.
Steve Prout 23:36
Thank you. And like I said at the beginning, we thank you Vancord, for what you're doing. And you know, quite frankly, I mean, we would not be able to get through this by ourselves. And, you know, it's important to get somebody that you can trust that, you know, that knows the space and knows what you gotta do and has somebody that that can help you through that. And, you know, this is kind of one of the interesting days when I keep asking my IT department at every year. Okay, how much longer is this going to be two years? A year goes by, how much longer is this going to be? Two years. That's what he told me. It's like a sliding. Yeah, but you know, it keeps, as we've been discussing, so, you know, hopefully one day we can open a bottle of champagne and toast the fact that hey, that we're there. We're there. I'll buy the champagne. How's that?
Jason Pufahl 24:29
Steve, thanks for joining us today. It's a pleasure working with you. I appreciate the opportunity to continue working with you. I certainly appreciate you joining the podcast, has been great to get your perspective on this.
Michael Grande 24:38
Thank you for your partnership. We do appreciate it.
Steve Prout 24:40
Thank you for having me. Have a great day.
Jason Pufahl 24:44
And of course, right as always, if everybody has questions about CMMC or certainly how it might relate to your specific business. We're happy to talk more in depth about it. We I feel like we discuss it every day. So we've got a lot to say about it. Alright, thanks everybody for listening.
24:59
We'd love to hear your feedback feel free to get in touch at Vancord on LinkedIn, and remember stay vigilant, stay resilient, this has been CyberSound.