Aftermarket supply the best way, not just better. Their secret is hard work, exemplary customer service and getting it right the first time for their customers. You’ll hear their founders say, “We aren’t here to sell aircraft parts. Rather, we are here to provide a value-added service to customers, meeting their long-term needs in the most efficient way possible.” Broadwing is an aftermarket supplier of aviation products serving commercial airlines, U.S. government through DLA and Prime Contractors.
The Situation
As a multi-million dollar supplier to the Defense Logistics Agency (DLA) and Prime Contractors, Broadwing Aviation knew a Cyber Security certification in accordance with DFARS 252.204-7012 measured by NIST 800-171 would be a daunting task to accomplish. In order for companies to even be considered for government contracts, they need to be certified based on Cyber Security Maturity Model Certification (CMMC – a third-party certification) which requires complete adherence to NIST 800-171. Broadwing knew that if they were not on a path to certification, they would risk losing all (over 30% of their current business) of their current Department of Defense (DoD) business with the potential of losing all future DoD contracts which would result in millions of dollars of lost revenue. They also believe that this certification would be a huge competitive advantage over their competition due to the fact that over 90% of the DoD supply chain currently fails to meet these standards and does not have a clear path forward to become certified. Since Broadwing is a small business and did not have the resources to begin their certification, they engaged TMAC in early 2019.
The Solution
TMAC began their work with Broadwing’s management team and their IT outsource group to lay out a plan and timeline to get compliant. This effort was initially funded by a DoD OEA (Office of Economic Adjustment) grant given to The University of Texas at Arlington but continues as a TMAC project. TMAC provided critical leadership for Broadwing’s management team by assisting them in completing a gap assessment. This assessment gave Broadwing Aviation a current state versus future state view of their business in relation to the DFARS and CMMC requirements. Next was a roadmap for compliance which is a process to develop all key requirements, step-by-step instructions and guidance on how to successfully reach the desired future state. For the first step in the roadmap journey, TMAC developed a map on how DoD Controlled Unclassified Information (CUI) flows through Broadwing’s organization. TMAC then created transit, manipulation, and storage processes to ensure proper security protocols (PSP) are followed to protect this critical information. By utilizing this map TMAC and Broadwing were able to set up PSPs to ensure that this information was protected, thus reducing the risk of this information falling into the hands of DoD adversaries. TMAC and Broadwing are now developing the System and Site Security plan which is a very detailed plan of the site and network to optimize protection of CUI for DoD.
The Results
TMAC is working with Broadwing to successfully complete the following key deliverables in order for Broadwing to meet compliance: Gap Assessment; Roadmap; System and Site Security Manual; Risk Analysis; Incident Response Plan; Training and Communications Plan. These deliverables will ultimately result in a continuous improvement program to ensure that not only is Broadwing Aviation in compliance today but remains in compliance in the future. Cyber Security certification in accordance with DFARS 252.204-7012 measured by NIST 800-171 will most importantly result in enhanced national security due to the sensitivity of the information that Broadwing Aviation handles for the DoD on a daily basis. Compliance also secures Broadwing’s current and future contracts with DoD and DLA as well as Broadwing’s growth as a result of competitors failing to meet security requirements, thus making them a preferred government supplier. DoD’s position not only requires cost and quality but those in the DoD Supply Chain must meet current and future security requirements to even be considered for work on DoD programs. This certification does not only apply to the Prime Contractors but also applies to all tiers of the subcontractors in the Supply Chain. This effort by Broadwing Aviation and TMAC directly addresses the flow-down issue for DoD, DLA, and Prime Contractors. The Primes make up approximately 10% of the total DoD Supply Chain whereas the sub-contractors Tier 1 through Tier X make up approximately 90% of the Supply Chain and over 65% of the risk of CUI compromise. Broadwing’s compliance will help them retain 25 million dollars of current sales with unlimited potential for future sales of 50 million dollars. Because they will be able to keep these government contracts, Broadwing will retain 10 jobs with the potential of adding 30 jobs in the future as part of their business growth through government contracts. By decreasing the prospect of being hacked, Broadwing positioned themselves to realize a significant cost savings of millions of dollars for not having to pay out for ransomware. Fifty percent of all companies of similar size are out of business within 6 months after being hacked. By implementing these proper security protocols, the risk to the company is vastly reduced.
• Enhanced National Security • 10 jobs retained / 30 new jobs created • $25M retained current sales / $50M new sales • Millions of dollars in cost savings
Next Steps
Deciding to work with TMAC was one of the best decisions we made in 2019. Their team, including Darold Tippey, were knowledgeable, responsible, accountable and instrumental in us achieving our goals of moving toward compliance for the DOD.
-Michael Mills
Co-founder and CFO Broadwing Aviation