Companies that fail to comply risk being cut out of the supply chain, Boeing Co. executive
Camille Geiger told industry representatives last week at a conference at LIU Post.
Prime contractors like Boeing will be barred from dealing with suppliers that don’t
meet the standards, she said. “Be sure you have everything in place and are ready
to go January 1,” she said at the conference, which was organized by Rep. Thomas Suozzi
Although Long Island’s heyday as a center of defense and aerospace manufacturing has
passed, hundreds of such companies remain in the region. Suozzi said his 3rd Congressional
District on the North Shore ranks No. 1 in the state, drawing $1.7 billion a year
in defense contracts directly from the federal government. Hundreds of millions more
come to Long Island through subcontracts with prime contractors.
Robert Botticelli, chairman of ADDAPT, a trade group that advocates for LI aerospace
and defense contractors, said the regulations “will be a financial strain” for some
companies but can’t be avoided. “Virtually every aerospace and defense company on
Long Island has to deal with it,” he said.
Some companies may be able to get help through the Center for Corporate Education
at Stony Brook University, which can provide government funding. We “can offset the
cost for some of these companies,” said Patricia Malone, executive director of the
CCE. She has set a cybersecurity breakfast for manufacturers on Thursday that will
also cover the requirements.
One of the companies grappling with the new regulations is CPI Aerostructures Inc.,
an Edgewood aerospace manufacturer with about 250 employees. Chief executive Douglas
McCrosson said the company has spent about $150,000 to meet the new standards.

Many steps to take

“It wasn’t inconsequential,” he said. “There was equipment we had to buy. There was
more protective software we had to utilize. We had to change almost every aspect of
how we access work on the internet. It was really extensive.”
The new security standards require the safeguarding of contractor information systems
that process, store and transmit federal contract information.
As a Tier 1 supplier, CPI sells directly to prime contractors like Boeing and Northrop
Grumman Corp. But the firm also has suppliers who themselves have suppliers. “There
are three or four tiers in the supply chain,” McCrosson said, and every level has
to be in compliance.
Among the practices CPI has adopted: Users are barred from accessing online data storage
sites like Dropbox and iCloud; laptop hard drives are encrypted; and computers require
two-factor authentication such as a password and a code transmitted to the user’s
mobile phone. The company is also seeking to improve employee awareness by sending
out fake emails like the ones used to trick users into revealing personal information.
Steven Kuperschmid, co-chair of the cybersecurity/data privacy group of Ruskin Moscou
Faltischek in Uniondale, said lawyers can have a role in establishing cybersecurity
policies. “I don’t think you can do cybersecurity effectively with just a technologist,”
he said. “Determining regulatory compliance is a lawyer’s job.”
Despite the resources required, McCrosson said the standards are needed.
“Some regulations we feel are onerous,” he said, “but cybersecurity is a real threat,
not only to the defense industrial base, but to the national interest . . . It’s scary
He said expert hackers are targeting defense contractors.
“These are not kids in their basements goofing around,” he said. “These are largely
state actors trying to get designs. They figured out long ago that prime contractors
have better defenses” and target companies farther down the supply chain.
“You’re only as strong as the weakest link,” he said.