Aero-Glen International, LLC is a privately owned small business established in 1976. Located in North Fort Worth, their results-driven and customer-centric culture has earned them a reputation as a reliable supply chain partner. Their focus is hardware distribution and build-to-print parts (including machined and sheet metal parts and assemblies), along with value-added supply chain services (including kitting and bin management). Aero-Glen provides key components to the Department of Defense (DoD) Defense Industrial Base (DIB).
The Situation
Because of their DoD contracts, Aero-Glen is required by law to safeguard and protect Controlled Unclassified Information (CUI) against unauthorized access. DFARS 252.204-7012 and the upcoming Cybersecurity Maturity Model Certification (CMMC) 2.0 are prerequisites for, and fulfill the cybersecurity requirements of, DoD contracts involving CUI. Over the past two years, Aero-Glen has been developing their cybersecurity system, and in 2022 they volunteered to undergo the Joint Surveillance Voluntary Assessment Program. The voluntary assessments are jointly conducted by CMMC-AB accredited third-party assessment organizations and the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). A successful assessment qualifies Aero-Glen for CMMC 2.0 Level 2 certification, which allows them to sustain existing DoD contracts under current DFARS and pre-qualifies them for future ones. A major defense prime contractor approached TMAC’s Col. Darold Tippey (Ret.) and Ghassan Khatib to work with Aero-Glen on the preparation for the upcoming cybersecurity assessment. TMAC was able to conduct a pre-assessment before the third-party audit at Aero-Glen by using funds from the Advanced Manufacturing Technology Services (AMTS) grant. “When TMAC engaged with Aero-Glen, they had one of the most comprehensive cybersecurity systems that TMAC had encountered,” stated Darold. Because of the level of detail and dedication necessary for achieving CMMC 2.0 Level 2 certification, successfully passing the assessment is a huge accomplishment for any company, especially for small companies like Aero-Glen with under 100 employees.
The Solution
CMMC 2.0 is primarily based on NIST SP 800-171 guidelines. Together with Aero-Glen, TMAC covered each category of NIST SP 800-171 to determine the minimum defined expectation from NIST and DoD. TMAC used CMMC ePU Reference Documentation and tools licensed from DTC Global to provide definitive guidance. TMAC relied on these tools, its deep understanding of NIST SP 800-171, the TMAC assessment methodology and Darold Tippey’s 29 years of military experience in information security to review Aero-Glen’s business processes and control measures. During this assessment, the combined Aero-Glen and TMAC team identified and corrected deviations in the interpretation of, handling of and response to required controls, identified potential gaps in compliance, and refined the system. They used CMMC ePU Reference Documentation to develop “overwhelming evidence” of their compliance as they addressed gaps and non-conformities. By studying Aero-Glen’s operations and processes, IT infrastructure, and the Quality Management System, the TMAC and Aero-Glen team ensured that system elements aligned and worked effectively to help Aero-Glen pass the assessment. “This transformational project assured that operations, policies and procedures were aligned and more secure, improving the way Aero-Glen operated end-to-end, from customer orders to final delivery,” stated TMAC Cybersecurity Expert, Ghassan Khatib.
The Results
In September 2022, Aero-Glen completed the Joint Surveillance Voluntary Assessment Program with only 2 minor findings. The successful assessment means that Aero-Glen met their CMMC 2.0 Level 2 compliance and will be able to continue to uphold their DoD contracts. This achievement is a success not only for Aero-Glen, but also for TMAC, DTC Global, DoD, CMMC and NIST, demonstrating that compliance with cybersecurity requirements can be achieved effectively and practically within the CMMC scheme, even for small manufacturers. It will assure the safeguarding and security of sensitive DoD information, and enhance national security. As a result of passing the assessment, Aero-Glen is now eligible to retain their DoD contracts and compete for future contracts requiring CMMC certification. As an early adopter in the DIB, Aero-Glen is the first company nationwide to successfully pass the C3PAO assessment, making them a lower risk for CUI. Such an accomplishment will make Aero-Glen a preferred supplier for DoD and their primes and give them a competitive edge. This enables Aero-Glen to more easily gain new DoD contracts with great growth potential.
First company/manufacturer to be awarded CMMC certification
Successfully completed their Joint Surveillance Voluntary Assessment for CMMC 2.0 certification
The first company to successfully pass a joint DIBCAC/CMMC C3PAO assessment
Will be the first company to be awarded CMMC 2.0 certification for 3+ years once authorized
Next Steps
“Cybersecurity is a critical component of how we approach our markets, service our customers, and integrate with our daily processes. The TMAC team was great in taking a pragmatic approach to a complex set of requirements, and proved we can achieve a sustainable cybersecurity program while enabling the business.”
-Zbigniew Kaniewski
Vice President IT and Continuous Improvement