Program helps SC companies meet DOD cyber requirements

Listen to this article

Adam Haldeman was getting frustrated.

The vice president of research and development for Pendleton’s Tetramer Technologies felt mired in a web of expectations from the Department of Defense. A requirement to meet cyber security compliance has been part of DOD contracts since 2015, Haldeman said, but few in the department’s supply chain were already compliant when the requirements were enacted.

In time, however, DOD pressure has increased, and those companies wanting to continue or become part of the Defense Department’s supply chain are expected to meet Level 2 compliance requirements when controlled unclassified information is part of the mix.

For companies such as Tetramer, Level 2, or advanced level compliance, means meeting 110 practices to ensure that controlled unclassified information is safe.

Haldeman said he understands the need for cyber security, but the process of reaching compliance was daunting for the businesses trying to get there. Besides, in a small business, people like him have other work to do.

Tetramer is an advanced materials company with a lot of projects underway, including a special glue that could reduce the cost of certain fighter jet repairs from hundreds of thousands of dollars to hundreds of dollars by making field repairs possible. The customer for that one is the Defense Department.

“Many of the (cyber security) requirements are interconnected,” Haldeman said. “It’s a whole web. It’s a mess. For any company that is not an IT company, it’s difficult and it’s expensive. … I was trying to do it, and the solutions weren’t even working that well. We still weren’t compliant. And if we continued on that track it was going to be years and a lot of money. And in the end, I’m not confident it would have worked out in actually being secure and compliant.”

Help came from the S.C. Commerce Department and the S.C. Manufacturing Extension Partnership, along with the S.C. Department of Employment and Workforce, through a program that last year connected Tetramer and 26 other S.C. companies to firms such as Beryllium Information Security that specialize in leading companies through the compliance process. The S.C. Cybersecurity Assistance Program also pays most of the cost, though it does not cover the cost hardware or software.

SCMEP and the Commerce Department are urging companies in — or on the cusp of being in — the DOD supply chain to apply for one of 31 grants offered this year to help meet those cyber security guidelines. Companies are required to put up about $3,000 and the grant pays $22,000, which covers the program cost, according to Andy Carr, interim president and senior vice president of operations for SCMEP.

“It takes a fair amount of time and a fair amount of resources to get there to these levels and our program is designed to provide qualified resources for it, and also to provide considerable financial support so it (the cost) is not a deterrent for companies, financially,” Carr said.

He said it takes about six months to complete the process with the help on one of seven vendors that work with S.C. companies to help them meet the requirements that are part of the Cybersecurity Maturity Model Certification. CMMC is a framework of various cyber security standards and best practices.

Details and an application can be found at scbizdev.sccommerce.com.

According to Cynthia Davis, business and industry manager with the Commerce Department, to get started, a company has to have a brick-and-mortar presence, must have been in business for a year, must have at least four employees and must be in the DOD supply chain.

“Working with SCMEP and their program was big for us because the bill for doing it internally was accumulating,” Haldeman said. Costs for Tetramer had exceeded $100,000 before they secured a spot in the program's first year.  “It was big to have that cost mitigated a bit and to connect with Beryllium Information Security and chart a course that actually got us there.”

As daunting as the challenge was for Tetramer, which has been in business for more than 20 years and in the DOD supply chain for much of that time, Haldeman said the process would probably keep younger companies away.

“If we were 5 years old or less we probably would not start working with the DOD,” he said. “We probably would have just avoided it all together. They want small businesses and they want innovation and new ventures considering DOD applications, but this (cyber security compliance) is a big hurdle.”

"The good news is the programs like S.C. CAP help support implementation costs and the DOD is beginning to recognize this burden and support the continued maintenance costs of cyber security."