Today’s guest on the podcast is Jayme Rahz, CEO of Midway Swiss Turn, a small precision machining job shop in Wooster, Ohio.
Around a quarter of Midway Swiss Turn’s business is supplying the U.S. Department of Defense. While supplying the DoD can be a lucrative opportunity for a manufacturer, the work comes with some hurdles to overcome, including acquiring a Cybersecurity Maturity Model Certification, commonly referred to as CMMC. On today’s show, Jayme discusses how a small manufacturing company gets CMMC certified, how that has affected her company, and what it’s like to be a small machining business supplying the DoD.
Noah Graff: Is China one of the larger threats to cybersecurity for American manufacturers?
Jayme Rahz: Yes. The F-35 (fighter jet). It came to light in 2015, with the release of some of the Edward Snowden-type documents, that China had stolen a lot of that information from us. It’s estimated they were stealing it as far back as 2006, primarily using the spear phishing technique through emails. It wasn’t the big companies like Raytheon or Boeing. It was small to mid-size companies that were very naive, and it was very easy to get that information from them.
Graff: Getting CMMC Certification seems like quite a process.
Rahz: It is a lengthy and detailed journey, and it never is going to end.
We probably did six to nine months of research before we decided to bite the bullet and implement this program. We’re real small. We have six full-time employees. We have 11 on staff total. We had, at the time, zero IT people.
Early on, we connected with our local Manufacturing Extension Partnership (MEP) in Ohio. Their job is to help us become a stronger manufacturing base. The local one that we hooked up with is called Magnet. They were able to secure grants for us to work on this program because we were early adopters. They helped us walk through the steps of choosing a vendor. We opted to get a consultant to help us. Magnet was able to help us find one that suited our (small-sized) business, called Vestige.
Graff: Explain how the consultant helps you.
Rahz: When we’re implementing (the CMMC), Vestige comes in and asks us, how are you meeting this specific requirement? Are you protecting your firewall settings and your proxy servers? How are you protecting your databases?
It’s much more geared towards how you’re actually protecting that information with technology. And if we’re not, they’re the ones that say, okay, here’s the technology you can implement to help meet that requirement. Things like password protection and multi-factor authentication.
Graff: Can you give us an estimate of what it might cost for your company to become CMMC Certified and the maintenance it requires?
Rahz: When we first started down this path, the government was estimating it was going to be about $60,000 for the average mid-size company to implement.
Smaller sometimes can mean less to protect and maybe less money. But really what it means is we have less resources readily available to us. So we usually end up spending more and a larger percentage of our sales compared to a mid-size, or even a large company. They already have IT staff, and they already have some of these practices in place.
We were able to secure a couple of grants, but I do think that it’s probably going to exceed the $60,000 for implementation.
Graff: Do you predict most manufacturing companies in all sectors will be implementing CMMC in the future?
Rahz: There are a lot of ways to implement cybersecurity. CMMC is being told to us by the government. That’s going to be the gold standard. The reality is that not everybody has to do (CMMC) this year, but you look 2, 3, 5, 10 years from now, and we’re all going to have to have some kind of a comprehensive program just to stay in business.
Whether it’s sensitive stuff for our military or a product for other customers, we have a responsibility to protect that data. If you get a ransomware attack, it can shut down an entire business.
Has your company ever been a victim of a cyber attack?
What measures are you taking to have better cybersecurity?