Case Study – Streamlining IT Operations & Enhancing Compliance

To showcase PCG’s managed IT services in action, this case study looks at the work PCG did for a machine shop in New Hampshire. Because of the private nature of these details, the company’s name is not included.

The client: A machine shop with 35 employees and 16 PC users in two different buildings.

The challenge: The client had landed a major contract with the Department of Defense (DOD), and it needed to improve its IT network and security.

The solution: PCG improved the client’s tech environment so it was compliant with DOD requirements and poised to land more government contracts.

Background

The client was using an internal office manager with some basic knowledge to handle its IT needs, and for the last decade, they had been calling PCG when they needed to fix specific high-tech problems. The client was also ignoring an aging network because business had been down for the last three years.

However, the machine shop had recently landed a major contract from the Department of Defense (DOD), and this required a significant update of IT hardware, software, and security to meet the government’s compliance and documentation requirements. At this point, the company reached out to our team for additional help.

Strategy Development

To ensure the machine shop was ready to meet the requirements of working with the DOD, we started with a risk assessment and a network assessment to look at security vulnerabilities and gaps between current and future IT needs. Then, we came up with an IT and security plan as well as a time frame and a budget for implementing the plan.

Risk Assessment

We performed a risk assessment based on CMMC Level 2 and NIST 800-171 standards. Here’s a look at what that means.

CMMC Level 2

All companies that work with the DOD must have Level 2 Cybersecurity Maturity Model Certification (CMMC). This framework ensures that the DOD’s sensitive information is as safe as possible with all 300,000 of its subcontractors.

CMMC standards require organizations to have a certain level of maturity and reliability in their cybersecurity infrastructure, and to guide implementation efforts, DOD subcontractors also need to establish and document practices and policies that enable employees to perform actions in repeatable, standardized ways.

When they contacted us, the client was not in line with these standards, but we assessed the situation to see where they needed to make changes.

NIST 800-171

The National Institute of Standards and Technology (NIST) 800-171 dictates how contractors and subcontractors of federal agencies manage controlled unclassified information (CUI). The NIST standards are designed specifically for non-federal information systems and organizations, and they’re shaped by these five key principles: identify, protect, detect, respond, and recover.

Again, we looked at the client’s network and cybersecurity practices to see what was working and what needed to be changed.

Steps in the Risk Assessment

During the risk assessment, our security team performed tests using security assessment tools from multiple security vendors. We also ran third-party external and internal vulnerability scans. Then, we sat down with the shop’s leadership team and went over 75+ questions about how they handled data internally and with their clients and vendors.

Using that information, we created a risk assessment report and scores, and once again, we met with the machine company’s leadership team to share our findings and recommendations. Then, we created a cybersecurity plan which included a clearly defined roadmap of objectives, timelines, and budgets.

Network Assessment

One of our engineers did an onsite audit of the machine shop’s network, and they identified the following areas for improvement:

  • Aging servers running Microsoft Server 2003
  • Windows 7 PCs with no support
  • Old switches and firewalls
  • Wireless infrastructure that needed to be replaced

Tactics

After we performed the network and security assessment, we developed a plan and a budget, and we prepared to implement our Managed Services Platform. To ensure the machine shop knew what to expect, we wrote out a statement of work, detailing the server setup and the migration of existing data and applications.

To improve the machine shop’s cybersecurity, we instantly started working on security policies for the following:

  • Password complexity and timeframes to change
  • File access and permissions
  • Remote network access
  • Backups and retention

Then, we implemented the following changes:

  • Creating a recovery time objective (RTO) with an image-based backup system that takes snapshots every 15 minutes and saves them to the cloud
  • Replacing all Windows 7 PCs that were running old versions of MS Office
  • Moving to the M365 platform to meet risk assessment requirements including multi-factor authentication, email encryption, backups, and archiving
  • Replacing the firewall and adding additional security services
  • Providing a virtual private network (VPN) for users who needed secure remote access
  • Performing a wireless assessment and adding access points to improve coverage
  • Implementing service tools to get PC/server updates, antivirus, and other needed security services in place
  • Adding Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), and Multi-Factor Authentication (MFA) to the new equipment
  • Taking steps to protect data from dark web/email compromises

We also implemented a Managed Detection and Response (MDR) system to provide cybersecurity operations for endpoints 24/7/365 as well as network and security analytics with the threat-hunting expertise of a Security Operations Center (SOC) fully staffed by global intelligence agencies.

Outcomes

Investing and committing to these changes allowed this machine shop to exceed the standards required to do business with the DOD and other government agencies. We also created the documentation process they needed to validate their compliance efforts. Beyond that, our efforts improved the user experience, which increased productivity and efficiency.

Now, the company has an up-to-date network, and our team provides the IT services they need to be productive, secure, and confident about competing with other manufacturing firms.

The client knows their network is secure, and they have our consistent support for tech issues and questions. In the past, they were limping along and only fixing things as they broke. Now, they have a proactive approach to IT network and security management, and this has paved the way for the shop to obtain additional government contracts and more business across the board.

To learn more, contact us at PCG today. We can provide a complimentary risk assessment and help you see how our services can improve your manufacturing business.