A Small CNC Machine Shop’s Journey to CMMC

Is Cybersecurity Maturity Model Certification on your radar? It better be if you want to keep or win future DoD work. (Photo Credit: U.S Department of Defense)

“We’re more than halfway there,” says Jayme Rahz, CEO of Midway Swiss Turn in Wooster, Ohio.

The journey she is describing is the shop’s efforts to achieve Cybersecurity Maturity Model Certification (CMMC). Driven by the Department of Defense (DOD) and based on existing NIST standards, CMMC will soon be required to perform work for the U.S. government which involves the security of sensitive data such as federal contract information (FCI) and controlled unclassified information (CUI). In fact, third-party CMMC audits of all parties involved in creating parts and products for the government involving CUI will be required prior to being awarded contracts.

Featured Content

A Small CNC Machine Shop’s Journey to CMMC

Video: Why a Production Machine Shop Started a Baseball Bat Company

Machine Tool Search Made Easy

“We realized that if we wanted to continue to work on some of the government projects that we were already engaged with, but also possibly boost our work for the government, CMMC was going to be a really important step for us to take” Rahz explains. “We also recognized that a lot of small companies such as ours might not make the effort to achieve CMMC, so the certification would give us a competitive advantage. However, we soon found out that working to achieve CMMC is expensive and time consuming, and resembles putting an ISO program into place. It’s an overwhelming thing for a very small shop to do, but we’re doing it.”

After finding out about Midway Swiss Turn’s initial CMMC efforts, I visited late last November when the shop was still midway through achieving certification. What’s interesting is the timing of the visit, and this article is a bit atypical for me. Generally, my visits and articles come after a shop has adopted some new process, practice or technology and has worked out all the kinks so I can highlight how the shop has benefited. In this case, though, Rahz and I agreed that it made sense to create an article describing its CMMC efforts thus far, so other shops could understand what’s involved early in the accreditation process.

Let’s just say there’s been a lot to it thus far in what is looking to be a 1.5 to 2-year process for Midway Swiss Turn. However, the company believes the benefits will eventually outweigh any current accreditation challenges.

CMMC Challenge Accepted

James Rahz started the originally-named General Tool Co. in 1977 in his garage with a single Bridgeport mill. He is now co-owner of Midway Swiss Turn along with his sons Brian (Jayme’s husband) and Jim Jr. Today, the 10-person shop that specializes in Swiss-type turning has 12 machine tools, its six (soon to be seven) Swiss-types all being Marubeni Citizen-Cincom models purchased through machine tool dealer Concentric Corp.

“We purchased our first L20 Swiss-type some 20 years ago as we wanted to move away from tool and die work and get into higher volume production,” Jayme Rahz says. “Concentric’s founder, Marc Klecka, was critical early on in assisting us with this new machine tool platform.”

In fact, Rahz notes that Klecka helped find work for that machine after the customer that prompted the shop to purchase it went out of business before one part for that job was produced. “He educated us on the Swiss-type which enabled us to educate our customers on the benefits of this machine tool platform for their parts,” she says.

Because the shop was an early adopter of Swiss-type lathes, it’s not surprising that it is working to be among the first small companies endeavoring to achieve CMMC.

But what is CMMC?

CMMC is a unified standard for implementing cybersecurity across the defense industrial base. It is based on NIST SP 800-171 which addresses the protection of CUI in nonfederal organizations and is the DOD’s response to compromises of sensitive information in its contractors’ systems. According to the DOD, CMMC is “Designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.”

In November 2021, the DOD introduced CMMC 2.0, a revised version of the original standard. Previously a five-tiered program, it has been modified to contain only these three:

• Level 1 (Foundational): For companies handling FCI only in which information requires protection, but is not critical to national security. (Does not require third-party audits.)
• Level 2 (Advanced): For companies such as Midway Swiss Turn handling CUI. (Requires triennial third-party audits.)
• Level 3 (Expert): For the highest priority programs with CUI requirements that will mirror NIST SP 800-171 and its supplement NIST SP 800-172 covering enhanced security requirements for protecting CUI. (Requires triennial government-led audits.)

Interestingly enough, the overall manufacturing slowdown due to COVID-19 was one reason the shop discovered CMMC in the first place. Midway Swiss Turn hired a salesman just prior to the pandemic and modest downturn in its business. In a bit of a pivoting move, the shop started researching ways to position itself to do business with DOD primes, not just the subprimes, to win additional government work. Rahz says she became aware of CMMC during a webinar from Paperless Parts, a company that offers cloud-based job estimating and quoting software which the shop now uses to realize a reduction in quoting time of more than 50% for complex jobs and from two days to a matter of hours for simple quotes. And, being cloud-based, it enabled employees to securely access and share information remotely during the pandemic.

Midway Swiss Turn CEO Jayme Rahz and her team performed significant research into CMMC as the company decided if the cost and time to achieve it were in its best interests. The shop decided it was, and is more than halfway through the certification process which includes a third-party audit. (Photo Credit: PM)

However, while it’s one thing for a large corporation that has large IT staffing and funds to achieve CMMC, it’s another for a small machine shop. That’s why Midway Swiss Turn turned to other resources that could offer further help. One was Magnet, northeast Ohio’s Manufacturing Extension Partnership (MEP). Not only has Magnet provided the shop CMMC guidance it also was able to offer some government funding to assist the shop in achieving certification. “Magnet has worked hand-in-hand with us on our journey,” Rahz says. “This relationship has been a huge benefit for our shop.”

In addition, through Magnet, Midway Swiss Turn was introduced to the Cleveland area’s Vestige Digital Investigations, which specializes in information security, cybersecurity and digital forensics services. Rahz believes it is important for small- to medium-sized shops that are subprime contractors to tap the expertise of a consulting firm such as Vestige. “It might be a different story for a larger prime that already deals directly with the government and was already implementing NIST standards as mandated,” she says. “That’s generally not the case for small shops such as ours.”

CMMC is not something that can be implemented overnight. Start now.

At this point, Midway Swiss Turn is in the remediation stage of CMMC. This involves weekly virtual meetings with Vestige to review CMMC standards the shop has addressed, where it is with respect to meeting them, next standards to address and so on. Rahz says Vestige uses the web-based collaborative platform Sharepoint to collect evidence of compliance for each standard. This will be important as she envisions an eventual CMMC audit will resemble an ISO audit in which proof of compliance will be required.

The shop specializes in Swiss-type turning, which is rare in its area of northeast Ohio. Here is its newest and sixth Swiss-type from Marubeni Citizen-Cincom. A seventh is on its way. (Photo Credit: PM)

CMMC Implementation Tips

Rahz says it took Midway Swiss Turn six months to decide whether or not to pursue CMMC as it considered the potential benefits of winning new work (and keeping existing DOD work) as well as the downsides of losing that work. Rahz says in some cases it was clear that jobs involved CUI, but others could have, too, except the shop simply didn’t know it. “This could be the case for most shops, which is why it could push them to CMMC,” she says.

There’s also the cost and time involved in CMMC. Early on, Rahz heard estimates of approximately $60,000 to achieve CMMC, but feels the cost for Midway Swiss Turn will be a good bit higher once accreditation is achieved.

But, for shops that are considering embarking on the CMMC journey, she provides the following tips that can hopefully make the process less bumpy:

• Ensure upper management is the driving force. Simply tasking your IT team to implement CMMC won’t work. CMMC changes the way you operate your company and how data flows through it. Management needs to be driving it as many policies aren’t even related to IT.
• Work with strong partners. Contact your area MEP to ask for guidance and possible government funding. Also, consider hiring a cybersecurity consultant with expertise in CMMC, making sure that it is appropriate for the style and size of your company.
• Understand your customer base. How many of your customers are DOD suppliers? How much work could be affected/lost without you or them achieving CMMC? If your customer hasn’t achieved CMMC, that work will no longer trickle down to you.
• Understand your vendor base. If the outside companies you currently use for plating, heat treating and other such processes don’t have CMMC, you won’t be able to use them for DOD work. You might have to find new vendors that are accredited.
• Consider hiring an IT person. Midway Swiss Turn recently hired a part-time IT person to help implement technical procedures such as disabling flash drives, implementing multifactor authentication (MFA) for all systems and so on.
• Mind potential cloud-based bumps. The foundation of CMMC, NIST SP 800-171, was created when computer servers were the norm and prior to the development of cloud-based applications. In Midway Swiss Turn’s case, it never used a server and instead progressed to cloud-based alternatives such as Paperless Parts and JobBoss² enterprise resource planning (ERP) software from ECI. So, in that regard, having a server would have made CMMC easier to achieve, but all such software providers continue to work toward solutions to ensure CMMC compliance.
• Start now. This is Rahz’s primary suggestion. Because CMMC is not something that can be implemented overnight, begin the process right away. For Midway Swiss Turn, the total time to achieve CMMC might take a couple of years. Don’t risk possibly losing the DOD work you currently have before achieving certification.

Small Shop Changes

Jayme Rahz says CMMC requires changes that employees might initially find overly strict, but are necessary to ensure CUI security. For example, for now, Midway Swiss Turn doesn’t permit employees to use their personal cell phones in the shop. Otherwise, any such personal phone that would have access to CUI (perhaps via emails with customers) would have to be included in the shop’s CMMC environment. Plus, only approved USB flash drives can be used in the shop. Some computer USB ports are disabled to prevent the download or upload of information, too. Also, multifactor authentication (MFA) and more sophisticated passwords are required for all systems. Communicating the reasons for these practices — and the importance of CMMC — is important to help mitigate any potential employee bristling. (Photo Credit: PM)