Military contractors nationwide, including about 700 on Long Island, will be required to spend thousands of dollars, and in some cases much more, to comply with new Department of Defense requirements to significantly upgrade their computer security systems.
The Pentagon’s requirements, which have been in the formulation stage since 2019, are being explained to defense contractors in meetings at the State University at Stony Brook and elsewhere in New York and other states. Many contractors agree the security upgrades are necessary, but say they will be an additional expense and require time and extra expertise to implement.
“It’s something they will have to comply with or be locked out of future government contracts,” Paul Trappini, a co-founder of LISTnet, which promotes technology, in Plainview, told the Press.
Jamie Moore, president of Ignite Long Island, a manufacturers organization, said he believed the Pentagon’s decision to force contractors to upgrade has to do with what are perceived to be rising threats from China, Russia and Iran.
Read also: DOGE-led NIH cuts may threaten life-saving health research at LI facilities
Late last year, the Pentagon published a final rule to establish what it calls the Cybersecurity Maturity Model Certification Program. The program is to be rolled out in stages, but contractors, including large primes such as Northrop Grumman and Lockheed Martin on Long Island, and small parts suppliers, must all be in compliance by 2027.
The CMMC rule outlines three levels of compliance. Each requires contractors to meet different and increasing cyber security standards, depending on the military sensitivity of the data and information involved.
Many of the larger or mid-sized contractors will have to meet as many as 320 security objectives, ranging from how they protect passwords, to how information is stored and passed along to others, to how top-secret data is preserved.
Amy Erickson, an engineer and executive director of the Long Island Manufacturing Extension Partnership, located at the State University at Stony Brook, addressed the upgrade issue before about 80 defense contractors at the University recently.
“We have been making companies aware” of the need to upgrade, Erickson told the Press. “It’s hard for them,” she said of the smaller contractors. “It’s an expense. Some of them will be resistant.”
Contractors are not liking it any one bit.
Anne Shybunko-Moore, president of GSE Dynamics in Hauppauge, which supplies aircraft and ship parts, said the upgrades “are a concern, absolutely. It’s going to be an additional investment.”
Teresa Ferraro, president and chief executive of East/West Industries Inc, which makes crew seats and has a major new contract to build such equipment for Bell Helicopter’s replacement for the Blackhawk helicopter, said she had to agree to upgrade her systems to a higher level to comply with the new regulations. She said she must find suppliers that are also complying. She is hoping she can find some on Long Island.
“I don’t want to go out of state, but I will if I have to,” Ferraro said.
Costs for the upgrades vary, depending on the size of the contractor and how much must be done to comply. Some experts say contractors will have to pay a few thousand; others say the amount could be $50,000 to $90,000.
The requirement to upgrade is primarily for new DOD contracts going forward, experts say.
Cory Albrecht, director of the Advanced Institute of Manufacturing at Mohawk Valley Community College, said the Pentagon has been talking about security upgrades for years now, but that does not necessarily make things easier for contractors.
“We’ve been going all across the state talking about the program,” Albrecht told the Press. “We’ve had events on Long Island, in the Mohawk Valley region.”
Prior to 2019, when Pentagon planners began drawing up ideas for upgrading security, the Defense Department relied on contractors themselves to develop and adhere to such standards.
Pentagon officials declined to discuss the regulations, but pointed to a DOD document stating that “the implementation of the CMMC final rule marks a significant shift” in how security regulations are handled.
The Pentagon also declined to discuss why the regulations have been changed.
Tom Nohs, president of DataSoftnow Inc., a cyber security company in Deer Park, told the Press that, at the Stony Brook meeting, a photo of the U.S. F-35, America’s most advanced fighter jet built by Lockheed Martin, was shown on a screen. That photo was followed by a Chinese version, the Shenyang F35. The belief, at least in the defense industry, is that the Chinese were able to duplicate the U.S. F-35, perhaps through hacking of websites at U.S. companies.
The Chinese copy of the F-35 alarmed some at the Pentagon, defense industry officials said.
Lochheed Martin’s stock nose-dived after the photos were released, and shares of the company were downgraded on Wall Street.
Nohs, however, expects his company to do significant business advising defense contractors on how to upgrade their systems. He said his company is the only one in the tri-state area with such know-how.
“We’re going to be a little over the top busy,” Nohs told the Press.
