Bluestreak Compliance

Cybersecurity Desk: Most SMBs Unprepared for CMMC 2.0, Risk Losing Contracts 

Despite an increasing cyber threat landscape, many small to mid-sized businesses (SMBs) in the Department of Defense (DoD) supply chain remain unprepared for compliance with NIST SP 800-171 R2 and CMMC 2.0. The Cybersecurity Maturity Model Certification (CMMC) 2.0 aims to improve cybersecurity across the defense industrial base (DIB), but many SMBs struggle to meet the standards, putting them at risk of losing crucial contracts. Surveys suggest that nearly 70% of SMBs are unready for the new requirements, and the real figure could be even higher due to some businesses inaccurately reporting compliance by inflating their assessment scores. 

This is the final installment of the Cybersecurity Column penned by Joe Coleman of Bluestreak Compliance (August 6, 1968 — April 1, 2025). Joe was as kind as he was committed to helping manufacturers understand and meet cybersecurity compliance standards. This column series was born from his genuine desire to walk alongside others as they navigated the complexities of regulation and risk. We honor his memory and are grateful for the time, insight, and encouragement he shared with our readers.


Understanding CMMC 2.0 

CMMC 2.0 simplifies the original five-tier framework into three levels: 

  • Level 1: Basic cyber hygiene for contractors handling Federal Contract Information (FCI) 
  • Level 2: Advanced practices for those working with Controlled Unclassified Information (CUI) 
  • Level 3: Stringent requirements for contractors involved in national security projects 

Compliance is mandatory for any contractor bidding on DoD contracts, including those working indirectly for federal contractors and subcontractors. SMBs should anticipate that clients will inquire about their compliance, as these standards will soon impact their business relationships. Achieving compliance is a lengthy process, typically taking twelve to eighteen months.

Low Readiness and Risks 

The lack of readiness among SMBs threatens both business continuity and national security. Many smaller contractors lack the resources and expertise to meet CMMC 2.0’s standards. Given the defense sector’s reliance on a wide variety of contractors, this gap could create widespread repercussions. 

Financial Implications of Non-Compliance 

Compliance with CMMC 2.0 can be financially burdensome. Implementing measures such as multi-factor authentication, encryption, and continuous monitoring can be costly, especially for businesses with limited resources. The lack of in-house cybersecurity expertise compounds this issue, requiring companies to hire or train specialized personnel, further increasing costs. 

Failing to comply with CMMC 2.0 could result in losing valuable DoD contracts, which can be a significant portion of SMB revenue. Such losses could lead to layoffs, revenue declines, or even business closures. 

Challenges to Compliance 

Several challenges contribute to the widespread unpreparedness among SMBs: 

  • Complexity of requirements: While CMMC 2.0 simplifies the original framework, its specific requirements remain difficult to interpret for many SMBs, particularly in identifying necessary security measures. 
  • Resource limitations: The cost of achieving and maintaining compliance strains smaller businesses, which often lack the budgets for the required technology and expertise. 
  • Lack of cybersecurity expertise: A shortage of qualified personnel poses a significant obstacle, as demand for cybersecurity professionals is high across industries. 
  • Unclear timelines: Uncertainty surrounding DoD’s compliance timelines complicates planning and prioritization for SMBs. 

Government Support Initiatives 

To help SMBs, the DoD has introduced various programs, including training, grants, and educational resources. A phased implementation timeline also provides additional preparation time. However, industry experts suggest that further support, such as tax credits or subsidies, could help SMBs offset the costs of compliance. Clearer guidance from the DoD would also be beneficial in helping businesses navigate the certification process. 

Path Forward for SMBs 

To secure future contracts, SMBs must prioritize cybersecurity. This involves conducting internal risk assessments, identifying vulnerabilities, and creating compliance plans. Partnering with cybersecurity experts or managed service providers can help SMBs develop cost-effective strategies. Additionally, leveraging government resources and adopting critical security measures early will better position SMBs for CMMC 2.0 certification. 

Conclusion 

The widespread lack of preparedness for CMMC 2.0 poses significant risks to both SMBs and the defense supply chain. As deadlines approach, proactive measures from both businesses and the government are necessary to close the readiness gap and ensure the continued participation of SMBs in the defense sector. 

About the Author:

Joe Coleman was the cybersecurity officer at Bluestreak Compliance, which is a division of Bluestreak | Bright AM™. Joe worked for over 35 years in diverse manufacturing and engineering positions. His background included extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe presented at the Furnaces North America (FNA 2024) convention on DFARS, NIST 800-171, and CMMC 2.0.


CMMC 2.0: Why Waiting Is a Costly Mistake

The Cybersecurity Maturity Model Certification (CMMC) 2.0 compliance process is detailed and complicated, and businesses in the defense industrial base (DIB) may be tempted to delay this regulatory hurdle. In this Cybersecurity Desk column, first released in Heat Treat Today’s March 2025 Aerospace print edition, Joe Coleman, cybersecurity officer at Bluestreak Compliance, a division of Bluestreak | Bright AM™, explains why companies putting off CMMC 2.0 compliance may end up scrambling to meet deadlines, incurring costly delays, and even facing potential disqualification from future DoD contracts.


Introduction

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is not only a regulatory hurdle, it represents a fundamental shift in the cybersecurity landscape for the Defense Industrial Base (DIB). Ignoring this critical initiative can have severe and potentially irreversible consequences for your company’s future.

Many companies mistakenly believe they can afford to delay their CMMC 2.0 compliance efforts, assuming they have plenty of time to prepare. This is a dangerous assumption. Achieving CMMC 2.0 compliance is a detailed and complicated process that typically takes 12–18 months. Delaying implementation can leave your company scrambling to meet deadlines and increase the risk of costly delays, missed opportunities, and even potential disqualification from future DoD contracts.

The High Cost of Inaction

The consequences of failing to prioritize CMMC 2.0 compliance are significant:

  • Loss of revenue and market share: Non-compliance directly impacts your ability to bid on and win DoD contracts. This translates to lost revenue, limited growth, and a significant competitive disadvantage against companies that have already achieved compliance.
  • Erosion of trust and reputation: Failing to meet cybersecurity standards can damage your company’s reputation within the DIB. This loss of trust can impact not only your relationship with the DoD, but also with other key stakeholders, including clients, contractors, partners and investors. Some of your clients may have already asked if you are compliant.
  • Increased vulnerability to cyberattacks: A weak cybersecurity posture leaves your company highly susceptible to cyberattacks. These attacks can have devastating consequences, including data breaches, system disruptions, and significant financial losses. The key cybersecurity component of CMMC is NIST Special Publication 800-171.
  • Significant financial penalties: Non-compliance can result in substantial financial penalties, including fines and contract termination. These penalties can severely impact your company’s bottom line and long-term growth.
  • Operational disruption: The process of implementing and maintaining CMMC 2.0 controls can require significant amounts of time and resources. Delaying these efforts can disrupt your company’s operations, impacting productivity and potentially hindering critical projects.

The Benefits of Proactive Action

By proactively addressing CMMC 2.0 compliance, your company can gain a significant competitive advantage to win more business:

  • Competitive head start: Companies that prioritize CMMC 2.0 compliance gain a significant first-mover advantage. They can demonstrate their commitment to enhanced cybersecurity to the DoD, build stronger relationships with government agencies, and position themselves as preferred partners for future contracts.
  • Reduced stress and increased efficiency: Starting early allows for a more gradual and less stressful implementation process. This reduces the risk of last-minute scrambling and allows for a more efficient and effective integration of cybersecurity measures into your existing workflows.
  • Enhanced cybersecurity posture: The CMMC 2.0 framework provides a structured approach to enhancing your overall cybersecurity posture. By implementing these controls, you not only improve your compliance but also strengthen your defenses against a wide range of cyber threats.
  • Improved operational resilience: A robust cybersecurity program enhances your company’s operational resilience. By minimizing the risk of cyberattacks and their potential disruptions, you can ensure business continuity and maintain a competitive edge in the market.
  • Building a culture of security: CMMC 2.0 implementation encourages a shift towards a culture of security within your company. This includes raising awareness among employees about cybersecurity risks, fostering a sense of shared responsibility, and promoting best practices at all levels.

Conclusion


CMMC 2.0 is not an option; it is a critical requirement for any company seeking to do business with the DoD, its prime contractors, and/or downstream service providers. Procrastination is not an option. By taking proactive steps to understand and address CMMC 2.0 requirements, your company can mitigate risks, enhance its cybersecurity posture, and gain a significant competitive advantage in the evolving defense landscape.


About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Compliance, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe presented at the Furnaces North America (FNA 2024) convention on DFARS, NIST 800-171, and CMMC 2.0.

For more information: Contact Joe at joe.coleman@go-throughput.com.


Most SMBs Unprepared for CMMC 2.0, Risk Losing Contracts 

“The Cybersecurity Maturity Model Certification (CMMC) 2.0 aims to improve cybersecurity across the defense industrial base (DIB), but many small to mid-sized businesses (SMBs) struggle to meet the standards, putting them at risk of losing crucial contracts.” In this Cybersecurity Desk column, Joe Coleman, cybersecurity officer at Bluestreak Compliance, a division of Bluestreak | Bright AM™, raises the alarm if small to mid-sized heat treaters neglect compliance standards and guides companies through the minefield of cyber threats facing all SMBs.

Read more Cybersecurity Desk columns from previous issues of Heat Treat Today here.


18 News Chatter To Keep You Current

Heat Treat Today offers News Chatter, a feature highlighting representative moves, transactions, and kudos from around the industry. Enjoy these 18 news items.


Equipment

  1. Blue M, a global industrial and laboratory ovens manufacturer, has announced the shipment of a stacked mechanical convection oven to be used for non-hazardous curing applications between 570°F and 750°F (300°C and 400°C).
  2. Hammerer Aluminum Industries (HAI) has implemented a Nitrex nitriding system at its facility in Romania, replacing the traditional salt bath nitriding process. The new system has a load capacity of 3,300 lbs (1,500 kg), is designed specifically for treating extrusion dies, and offers controlled nitriding and controlled ferritic nitrocarburizing.
  3. SECO/WARWICK recently completed three transactions: a European manufacturer of modern armament equipment and armaments supplier for NATO acquired a vacuum furnace with gas cooling and a molybdenum heat chamber; a Slovenian manufacturer ordered a vacuum furnace with 15 bar high pressure gas hardening and two nitriding furnaces; and a Turkish company purchased an induction vacuum furnace for melting and obtaining castings designed for manufacturing aviation components.

Company & Personnel

  1. Industry veteran Mark Stein was recently added to the Nitrex team as regional sales manager for Michigan territory. In his role, Mark will lead sales initiatives across Michigan, working directly with current and prospective clients to enhance service, optimize growth strategies, and ensure market demands are met. 
  2. To mark 175 years of innovation in specialty chemicals and distribution, Hubbard-Hall recently unveiled a new logo and a completely redesigned website. The updates reflect the company’s rich history and ongoing evolution, noting its founding year of 1849.
  3. Bluestreak Compliance, a quality management (QMS) and manufacturing execution system (MES) provider, has hired Rory Godsell as its new Cybersecurity Compliance Specialist to assist clients and their vendors in achieving compliance with NIST 800-171, CMMC, and DFARS. He brings expertise in cybersecurity, penetration testing, ethical hacking, digital forensics, cyber operations, and project management to the company’s mission of advancing CMMC certification services.
  4. Steelhead Technologies, which delivers ERP, MES, and CRM solutions designed to transform job shop manufacturing, recently announced the successful completion of a $12.5M Series B funding round. This brings the company’s total funding to $23 million. 
  5. Ipsen USA announced the promotion of two team members to new roles in 2025. Matt Clinite has been promoted to Ipsen USA Sales Director, and Christina Connelly has been promoted to Director of Ipsen Customer Service (ICS) – Parts.

Kudos

  1. Kanthal, a leader in industrial heating technology, has won the prestigious industry award “E-prize” in the category Energy Optimization for its technology that helps companies and industries transform to a fossil-free production. The award is organized by Sweden’s largest business newspaper, Dagens Industri, and the newspaper, Aktuell Hållbarhet, together with the energy group E.ON.
  2. Aalberts surface technologies honored Olga Kovalenko, Patric Keune and Metin Önal for 25 years of commitment in Solingen. Presenting the certificates were Guido Heijnen, sales director, and plant manager Miguel Rodrigues.
  3. TAV VACUUM FURNACES was recently awarded the title of “Best Performer Enterprise 2024 in the Province of Bergamo.” This prestigious award is reserved for the top 1000 companies in the province.
  4. StandardAero was selected by US-Bangla Airlines, a leading Bangladeshi carrier, to provide OEM-authorized PW127M maintenance, repair, and overhaul services. In addition, the company has been chosen by the Brazilian Air Force to support the PT6A-68C engines powering its A-29 Super Tucano fleet, it has secured Indian DGCA approval for its OEM-authorized PW127M maintenance, repair, and overhaul services, and it has received CAAC approval for its LEAP-1A and LEAP-1B engine MRO services, enabling it to support A320neo and B737 MAX operators across China.
  5. HeatTek, a leader in manufacturing ovens and washers, recently celebrated the company’s 25th anniversary, noting its numerous achievements since 1999, including industry accolades, editorial recognition, as well as awards identifying its positive culture as an employer. “We are incredibly proud to celebrate this milestone,” says Jason Plowman, president and 2nd generation owner of HeatTek. “The success we’ve achieved over the past 25 years is a direct result of the hard work and commitment of our employees, the trust of our customers, and the support of our partners. We look forward to continuing our journey of innovation and growth in the years to come.”
  6. Ron Waligora, chief operating officer for AFC-Holcroft, recently announced his retirement date of May 4, 2025. Throughout his 36 years with the company, he moved through the engineering disciplines and eventually into a management role as mechanical engineering manager and later senior engineer manager in 2015. In the spring of 2023, Ron Waligora and Tracy Dougherty assumed the roles of chief operating officers. Upon the announcement of Ron’s retirement, Tracy assumed the role of president and CEO on January 1, 2025.
  7. Aalberts surface technologies is proud to announce they have received the EcoVadis Bronze Medal. The sustainability rating reviews a company’s management of economic, environmental, and social performance, covering different industries, locations, and company sizes contributing to business sustainability on a global scale, and is based on a “best-in-class” approach, assessing whether a company reaches the best possible level for their business activity.
  8. The Divergent team was recently granted the Nadcap 12-month Accreditation for the Additive Manufacturing (AM) scope.
  9. Solar Atmospheres Greenville, SC facility announced it has been awarded Parker Aerospace approval.
  10. Brad Stallsmith recently marked his retirement after 43 years of dedicated service at Peters’ Heat Treating. His journey has included starting the Blade Division, mentoring new team members and ensuring high standards in processing.


Cybersecurity Desk: CMMC vs. NIST SP 800-171: Understanding the Differences

In Department of Defense (DoD) compliance, many acronyms and standards define how businesses manage processes to stay compliant. This Cybersecurity Desk column was first released in Heat Treat Today’s September 2024 People of Heat Treat print edition. In it, Joe Coleman, cybersecurity officer at Bluestreak Compliance, a division of Bluestreak | Bright AM™, discusses the similarities and differences between the Cybersecurity Maturity Model Certification (CMMC) 2.0 and NIST Special Publication 800-171 Rev. 2.


What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) evaluates the maturity of an organization’s cybersecurity program. Developed by the DoD, it aims to equip over 300,000 Defense Industrial Base (DIB) contractors with robust defenses against cyber threats. Once formally published, CMMC 2.0 will be a mandated framework for private contractors and subcontractors seeking government contracts.

CMMC’s comprehensive approach includes NIST SP 800-171, NIST SP 800-172, and the Cybersecurity Framework (CSF), incorporating industry-leading practices. It ensures the effective implementation of critical controls and safeguards the integrity of the supply chain. CMMC 2.0 compliance certification has three levels:

  • Level 1: Foundational: For companies handling Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI).
  • Level 2: Advanced: For companies that store, process, or transmit CUI.
  • Level 3: Expert: For companies implementing highly advanced cybersecurity practices.

It will be referred to as DFARS 252.204-7021 when integrated into government-awarded contracts.

What Is NIST SP 800-171?

NIST SP 800-171 is the National Institute of Standards and Technology Special Publication 800-171 Rev. 2. It outlines security standards for non-federal organizations that handle CUI, ensuring they maintain strong cybersecurity practices. Compliance is mandatory for DoD primes, contractors, and supply chain service providers.

NIST 800-171 specifies five core cybersecurity areas: identify, protect, detect, respond, and recover. These areas serve as a framework to protect CUI and mitigate cyber risks. The standard comprises 110 security controls within 14 control families, leading to 320 control or assessment objectives. Compliance is measured on a 110-point scale, with a possible range from -203 to 110. An initial negative score is not uncommon.

Even for organizations with some cyber/IT security measures, retaining a qualified DFARS/NIST 800-171 consultant or a CMMC Registered Practitioner (RP) or CMMC Registered Practitioner Advanced (RPA) is highly recommended to guide you through the process.

Similarities Between NIST SP 800-171 and CMMC

Both CMMC and NIST SP 800-171 aim to strengthen information security and protect sensitive data, ensuring the confidentiality, integrity, and availability of organizational information assets. Here are some of the key similarities:

  • Control Alignment: CMMC 2.0 Level 2 aligns with NIST SP 800-171 Rev. 2’s 110 controls.
  • Focus: Both frameworks emphasize protecting data confidentiality, integrity, and availability.
  • Role Definitions: They describe roles within an organization’s cybersecurity program and interactions among those roles.
  • Asset Identification: Both require identifying assets and vulnerabilities and creating a risk management plan.
  • Cybersecurity Program Development: Organizations must develop a program with policies, procedures, and standards.
  • Risk Management: Both require identifying, assessing, prioritizing, and responding to risks, though CMMC is more comprehensive.

Differences Between NIST SP 800-171 and CMMC

While both frameworks enhance cybersecurity, they have distinct features:

  • Compliance Requirement: DFARS 252.204-7012 mandates NIST SP 800-171 compliance; DFARS 252.204-7021 mandates CMMC certification for handling CUI.
  • Assessment: NIST SP 800-171 compliance is self-assessed, while CMMC requires an independent third-party assessment.
  • Levels: CMMC has three certification levels, each more stringent than NIST SP 800-171 alone.
  • Scope: CMMC integrates additional NIST SP 800-172 practices and industry standards beyond NIST SP 800-171.

Conclusion


Understanding the differences between CMMC 2.0 and NIST SP 800-171 Rev. 2 is crucial for organizations enhancing their cybersecurity posture. Both frameworks are essential for assessing maturity in governance, risk management, incident response, data protection, and technology assurance. Adopting these frameworks ensures proactive adaptation to evolving threats and compliance with regulatory standards.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Compliance, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe presented at the Furnaces North America (FNA 2024) convention on DFARS, NIST 800-171, and CMMC 2.0.

For more information: Contact Joe at joe.coleman@go-throughput.com.


Some Pre-reading Before FNA’s Technical Sessions

Furnaces North America (FNA) 2024 begins Monday, October 14, and runs through Wednesday, October 16. If you haven’t registered yet, you can still do so onsite, and one look at the technical sessions planned over the two days of training says all you need to know about the caliber of instruction at the event.

All of the sessions will be worth your time! Presenters are highly qualified to speak on the topics, which range from processes and equipment to technology to security:

  • Emerging Technologies
  • Furnace Maintenance & Equipment
  • Heat Treat Business & Digital Transformation
  • Energy & Gases
  • Operational Efficiencies
  • Quality, Compliance & Materials
  • Process Advancements

If you want to do a little prereading to prepare for the sessions, Heat Treat Today is pleased to direct your attention to technical session presenters who have contributed to our radio, print, and digital resources during this year:

  • On Tuesday at 8:50 a.m., Bryan Stern, product development manager at Gasbarre Thermal Processing Systems, will be speaking on “The Impact of Oil Quenching – A Look at the Carbon Footprint and Cost of Vacuum vs. Atmosphere Processing.” On June 20, 2024, Bryan was our guest on Heat Treat Radio, episode #110, “Isolated Heat, the Future of Vacuum Furnaces,” which you can listen to here.
  • Later that morning, at 9:40, Peter Sherwin, global business development manager of Heat Treatment at Watlow, will focus on “Smart Heat Treatment: Industry 4.0 Innovations for Environmental & Energy Efficiency.” Peter co-authored “Thermal Loop Solutions: A Path to a Sustainable Future in Heat Treatment,” a two-part series published in both the magazine and on our website. You can read the first part here and the second part here.
  • During that same time slot, Brian Turner, sales application engineer at RoMan Manufacturing, is scheduled to speak on “Efficient Furnace Power Solutions.” Brian joined fellow RoMan employees who have contributed technical content to an ongoing series on controls. You can read that article, “Basic Definitions: Power Pathways in Vacuum Furnaces,” originally published July 16, 2024, here.
  • On Wednesday at 8 a.m., Sefi Grossman, founder and CEO of CombustionOS, is scheduled to present a session on “Maximizing Heat Treat Operational Efficiency: Digitize Your Data for Automation.” Sefi wrote a piece for our August Automotive print edition on “A New Era: Tracking Quality Digitally,” which was later republished at the website. You can read the digital version here.
  • At 8:50, Joe Coleman, cybersecurity officer at Bluestreak Compliance, will address “CMMC’s Impending Impact On The Metal Treating Industry.” Just last month, he joined Heat Treat Radio in an interview about “NIST and CMMC: What Heat Treaters Need To Know,” which you can listen to here.
  • Chad Beamer, senior applications engineer at Quintus Technologies, will speak on “Quintus Purus: Development of Clean HIP Processing” at 9:40 on Wednesday morning. Earlier this year, he collaborated with fellow Quintus employees on an article, “HIP Innovation Maximizes AM Medical Potential,” which you can read here.

Stop by Heat Treat Today’s booth (424/426) to let us know how the sessions went and if you did your homework beforehand!


Heat Treat Radio #113: NIST and CMMC: What Heat Treaters Need To Know

Joe Coleman, cybersecurity officer at Bluestreak Compliance, discusses critical aspects of NIST 800-171 and CMMC with host Doug Glenn. Joe touches on how to become compliant, how long compliance takes, compliance pricing, and the limitations companies may face if not compliant. Learn more in this episode of Heat Treat Radio.

The following transcript has been edited for your reading enjoyment.

What Is CMMC? (03:34)

Doug Glenn: Let’s jump in. Cybersecurity, while it’s not unique to heat treaters, is across all manufacturing sectors. But there are some unique elements of it that tie into the metal treating industry.

Let’s start with some basic definitions for those who don’t know: What is CMMC and what’s the purpose of it?

Joe Coleman: CMMC stands for Cybersecurity Maturity Model Certification. And we’re currently on version 2.0. It’s a verification program to ensure that defense contractors and subcontractors are able to protect sensitive information from the DoD (Department of Defense). That includes FCI, which is federal contract information, and CUI — or some people call it “coui” — which is Controlled Unclassified Information.


It’s going to affect about 300,000 companies in the U.S. Also, it’s going to start impacting companies later this year or early next year. That’s when it’s said to be fully released, and they’ll start adding it to contracts and RFQs and things like that.

Doug Glenn: So, in CMMC 2.0 version, the DoD is asking companies, “Do you comply with CMMC 2.0?”

Joe Coleman: Rather, it is saying you must comply by 2025 and at a certain level; there are three levels.

Doug Glenn: What are these requirements based on?

Joe Coleman: DFARS 252.204-7012 was implemented in 2016. In it, they were saying that people must be NIST 800-171 compliant by December 2017. If you’re not, you’re way behind the ball. They just haven’t pushed it until recently. Now they’re really pushing it. It’s based on NIST 800-171 recommendations — that’s Rev 2, and a subset of NIST 800-172.

Doug Glenn: You mentioned DFARS. Can you just briefly explain that?

Joe Coleman: DFARS is Defense Federal Acquisition Regulation Supplement.

Doug Glenn: Also, I’m kind of curious about this: Who’s actually pushing it? Is it the Department of Defense, or is it government in general, or is it controlled by (kind of like Nadcap and things of that sort) an independent organization outside of the federal government?

Joe Coleman: No, CMMC does cover other things, but it’s mostly by the DoD. They are the ones pushing it because of foreign adversaries stealing our information and ransomware attacks and things like that.

Doug Glenn: Right, okay. So that’s CMMC 2.0. Is NIST 800-171 a subpart of that, or is NIST 800-171 something different?

Joe Coleman: That’s something different. NIST 800-171 is published by the National Institute of Standards and Technologies. DoD doesn’t have a lot to do with NIST. They are two different standards; the DoD is just borrowing NIST 800-171 for CMMC’s requirements.

Doug Glenn: I see. They’re using NIST’s package that’s already there as part of their requirement.

I think you’ve already kind of hit on it, but let’s just be explicit about it. What started the push by the DoD to require CMMC or require any type of enhanced security?

Joe Coleman: The DoD finally realized just how vulnerable defense contractors are and how vulnerable their computer systems and networks are to cyberattacks and to sensitive information being leaked by the DoD or contractors, that kind of thing. They’re trying to pull everything together to improve national security and to help secure this important data.

Doug Glenn: So, in a sense, it’s really the DoD just trying to cover their rear end, so to speak, and protect sensitive, national defense type information.

What Is DFARS? (08:45)

We talked about DFARS briefly. I’ve heard a DFARS interim rule mentioned. What is that?

Defining DFARS

Joe Coleman: That came about in November of 2020. It plays along with the DFARS 7012 — 252.204-7012. They came up with three new clauses to improve how cybersecurity is handled and enforced.

The first one is clause 252.204-7019. It mandates that when you do your assessment, you come up with an assessment score based on 110 controls, and your score can be from a positive 110 (the perfect score) to a negative 203. That score needs to be turned into the SPRS, the Supplier Performance Risk System, so other companies can see what your score is.

So, 7019 mandates that you do turn in your score and that it can be no older than three years old. They are requesting that if they say you’re DFARS-required on a contract, things like that, you need to be NIST 800-171 compliant.

The next one is 252.204-7020. And that one states that you have to give full access to your company — your internet system, your IT, all of your information, and your employees, if they decide to come in and do a medium or high assessment or just an audit. You will have to turn over that control to them.

Doug Glenn: Who is “them” in this case?

Joe Coleman: It would be a DoD official.

Doug Glenn: All right.

Levels of Assessment (10:59)

Joe Coleman: There are three different levels of assessments that can be done under NIST 800-171. There is a basic level which you attest yourself. It’s all self-attestation for NIST 800-171. There’s a medium level which means you have to have a DoD official come in and do your final assessment. And then there’s a high, which you also need a DoD official to come in and do that. The majority of them are basics, which you can self-attest to.

Doug Glenn: How does a company know if they need to even have the CMMC?

Joe Coleman: If your company is a defense contractor, subcontractor, vendor/supplier, or if you’re in the DIB (the defense industrial base), you will need to be compliant if you process, store, transmit, or handle FCI or CUI in any way. If you handle CUI or FCI, you must become CMMC certified at one level or another.

Doug Glenn: Let’s just take an example. Say I’m almost third tier down in a supply chain, and the guy I’m doing business for is obviously doing defense work. Do I need to be CMMC certified at that point, even on the basic level?

Joe Coleman: Well, it depends on what type of data you’re handling. There is a flow down process. It starts with the prime contractor. Then it goes to the contractor and then on down the line. And if you are dealing with CUI or FCI, you need to have that same certification level as your client or as your contractor.

Doug Glenn: Would my client in that case, the person I’m doing business with, would it be incumbent upon them to tell me that I am dealing with FCI or CUI?

Joe Coleman: Yes. It would be in your contract.

Doug Glenn: If someone listening has a specific question about whether they’re required, I’m sure they could contact you and you could probably help them on that just to make sure.

Joe Coleman: Anytime. I also have an ebook that I made that is ready to be sent out, so I can always send them a free copy of that.

Doug Glenn: Now, I think you’ve already answered this question, but how many maturity levels are in CMMC and what are they?

Joe Coleman: A little, there are three levels. There is level one, which is the foundational level, and that is for contractors or vendors or suppliers that deal with only FCI. They do not deal with CUI. So, there’s a much smaller set of requirements for level one. And about 60% of the 300,000 companies will be going for level one.

Then there’s level two, which is advanced, and that is for contractors and vendors and suppliers that deal with CUI in any way. It can come in an email and leave. But as long as they have access to CUI, they need to be at least a level two certification. And there are about 80,000 companies that are going to be impacted by that of the 300,000.

Level three is expert, and level three is based on the 110 controls in NIST 800-171 plus a subset of controls that are in 800-172. Level two mirrors NIST 800-171. It’s borrowing all the requirements from NIST 800-171, enhancing them a little bit, and putting them into CMMC. So, there are a few more hoops you have to jump through to be CMMC certified.

Doug Glenn: We’ve talked about two different sets of levels. We talked about a basic, medium, and high. And then we talked about level one, two, and three. Are these things the same or are they different? Can you help me understand the difference between those?

Joe Coleman: The basic, medium, and high is an assessment level that assesses your whole system and facility, and that’s based on NIST 800-171. With CMMC, you have three different maturity levels, and that’s level one, level two, and level three.

Doug Glenn: When you say maturity levels, that shows the degree to which your company has gone to implement these things.

Joe Coleman: Yes. It is a certification.

On CMMC level one, you can self-attest your own certification. For level two and level three, you will have to have what’s called a C3PAO (or a CMMC third-party assessment organization). They will have to come in and do your final assessment. Bluestreak Compliance can take you all the way to being ready for that assessment audit. But then you’ll have to have a C3PAO come in and do the final audit and the certification level.

Doug Glenn: That was going to be one of my questions because you guys mentioned that you’re a registered practitioner organization. You don’t actually do the assessments, but you can get everybody up to the door, right? You prepare them for it?

Joe Coleman: Yes. You would need a CMMC certified assessor to do that.

Doug Glenn: All right. And when is all this going to be required? Right now, it’s not required but it will be required?

CMMC: Mark Your Calendars! Companies will need to prepare for the eventual implementation of CMMC level two certification. A phased rollout is planned to simplify the process; however, a shortage of registered practitioner organizations (RPO) may lead to a backlog.

Joe Coleman: CMMC is not required currently. It’s in the last phase of being released for approval. Either late this year or early next year, it’s going to be a phased rollout. Later this year or early next year, you’re going to have phase one, which is that if you need to be level one certified, you will need to become certified right away. That’s the one you can self-attest.

Six months after that, they’re going to start requiring that CMMC level two is implemented. This means you’ll have to go through the process of getting a C3PAO. And that’s when it comes time to hire an RPO (registered practitioner organization), because they’ve got the training and the certification to get you there.

Now, one thing on the C3PAO: there are currently only 54 C3PAOs in the entire country. So, there’s going to be a huge backlog. You could be talking a year backlog, so plan accordingly.

Finally, at level three, which is an enhanced version of level two because it has more requirements, you also require a C3PAO for certification.

What’s Involved in Becoming NIST Compliant? (21:14)

Doug Glenn: Joe, let’s talk for a second about the process, if you will. What’s involved in becoming CMMC certified?

Joe Coleman: That all depends on if you are NIST 800-171 compliant already. If you are not NIST compliant already, you need to get NIST compliant as soon as possible. That has a big impact on your CMMC implementation.

Doug Glenn: Can you address that then: What do you have to do to become NIST compliant?

Joe Coleman: To become compliant, you have to do an assessment on your network and your facilities to come up with an assessment score. So, it’s the same as CMMC.

Then, you will have to do a gap analysis. You will come up with a POAM list (a plan of action and milestones); that is your to-do list based on your assessment, your shortcomings, or what you’re not compliant to. And you’ll need to come up with a system security plan (an SSP). That’s mandatory; you cannot be compliant without an SSP.

Once you get your SSP and your POAM list, then you need to take your score, your beginning score/baseline score, and submit that to the SPRS. And that is the library that holds all of the scores and shows your level.

From there, you start remediating and implementing your POAM list. But that also includes coming up with policies and procedures, plans, and a lot of documentation — everything gets documented based on where you stand and where you’re going, until the end when you do your final score.

Now, the SSP is a living document. It’s going to constantly change. If you have a change in your network, a major change, you’ll need to go in and update that right away.

How To Become CMMC Compliant? (23:46)

Doug Glenn: So that’s how you get to be NIST compliant. For CMMC, is there more to it?

Joe Coleman: There are a few more requirements in CMMC, but the major difference is that with NIST 800-171 it’s all self-attestation. With CMMC, you will need to have a C3PAO.

Doug Glenn: That is, somebody’s going to need an outside validator, so to speak.

Joe Coleman: And they’re very expensive.

Now, another reason they came up with CMMC is because people were saying that they were compliant to NIST 800-171, and they really weren’t. That gets into the False Claims Act and things like that. They really go after people that do that.

Doug Glenn: Yeah. Any sense of the time frame for either becoming NIST compliant and/or CMMC compliant?

Joe Coleman: If you are not NIST compliant yet, that can take up to 6 to 12 months. I’ve seen it take more. You can do CMMC and NIST together if you need to because you’re using the same documents. If you’re not NIST compliant, that can take up to 18 months or more. If you are NIST compliant already, you’re talking 6 to 12 months to be CMMC certified.


Doug Glenn: Okay. You just alluded to it, but I just want to make it clear. Can you do them both at the same time in parallel tracks?

Joe Coleman: Yeah, I’m working with clients that are not currently NIST compliant. So, we’re just rolling it into one using the same documents. It’s just that we’ll have to have a different assessor at the end.

Doug Glenn: Let’s say a company just decides they’re not going to be either NIST or CMMC compliant. You can still be a company, right?

Joe Coleman: Oh yeah, you can still do business; you just can’t do business with the DoD. A lot of companies base it on how much of their workload or how much of their business percentage is based on DoD work or from a contractor or subcontractor. If it’s 1%, 2%, 3%, 5%, you need to take a good hard look and say, is it worth putting a lot of money into?

Cost of Certification (26:52)

Doug Glenn: So, they can still be in business and doing well, but they just can’t do any DoD work. So, any ballpark figures? And I realize this probably varies widely depending on the size of the company and everything, but any ballpark sense of how much change we’re talking about here?

Joe Coleman: There’s no official word from the DoD on this, but there are some guesses out there. For NIST 800-171 compliance, depending on your current cybersecurity program that you currently have and how involved it is, I’ve seen it from $15,000 to $60,000.

Doug Glenn: Okay. That’s just for NIST?

Joe Coleman: Just for NIST. For CMMC, again depending on whether you’re NIST compliant (if you are not NIST compliant, you’re going to do them together), it could be over $200K (probably easily) to become CMMC certified because you’re also becoming NIST compliant.

Doug Glenn: I’m curious. How come it’s going to cost you maybe 3x as much?

Joe Coleman: One of the main reasons is that with CMMC, you’ll want to hire a registered practitioner organization to guide you through the process and to do the documentation for you. The other is the C3PAO. There are only 54, and they can name their own price.

I can imagine it’s going to be over $100K just for the final assessment.

Doug Glenn: Right, that’s helpful. I think that gives everybody a pretty good sense of what we’re talking about here with CMMC 2.0 and NIST 800-171.

What Can a Registered Practitioner Do for You? (29:02)

Your division of your company, which is Bluestreak Compliance (you’ve already mentioned you’re a registered practitioner), can you give a brief summary of what it is? What do you guys bring to the table?

Joe Coleman: A registered practitioner organization has been certified by the Cyber Accreditation Board (Cyber AB), or CMMC accreditation body. A registered practitioner organization (RPO) works with and hires RPs (registered practitioners) or RPAs (registered practitioner advanced). I happen to be an RPA. And we’ve gone through all the training that we need to have so that the Cyber AB says, okay, you are qualified to do this.

So, when I quote a job, I usually quote it two different ways. One way is just guiding you through the process, so you’re going to do all the heavy lifting. I can supply you with templates and things like that for your documentation and guide you through each step. Or I can quote it where we manage the whole process. We will do all your documentation for you.

Your team will have to be involved in the implementation process. And that’s true both ways. But we normally quote it two different ways, and they choose which one they want based on their budget and things like that.

Doug Glenn: It sounds like what you’re bringing to the table is the ability to get that company from where they are now, wherever they self-assess to start with, up to the point where they can bring in one of the third-party auditors and actually have a reasonable shot at passing the CMMC 2.0 assessment.

Joe Coleman: Correct. And it’s going to take a lot of input from the client or from the companies, too, because you’re going to have at least 1 or 2 full-time employees doing nothing but this. You’ve got to build that cost into it.

That’s what I tell people when we say we can quote it either guiding you or leading the project. It’s not as much work if I am leading the project. But if I’m not leading the project, you’re going to need a team of people to do this. It’s a lot of work.

Cybersecurity Areas To Be Aware Of (31:48)

Doug Glenn: I’m not sure there is an easy answer to this question, but can you give a list of top 3 to 4, or 4 to 5, areas that a company needs to look at when they start doing the NIST and CMMC checklists? Where do you see most companies falling down, or what are the areas they need to be aware of?

Joe Coleman: A lot of the smaller companies do not have a robust cybersecurity program. That is going to be a big pitfall. That’s going to be a big jump for them, not just the work that they have to put into it, but the expense; a lot of small companies just can’t afford that.

Doug Glenn: So, for example, what does that program involve? I mean, is it best practices for handling emails?

Joe Coleman: Everything.

Doug Glenn: What are some of those things?

Joe Coleman: Some of the things are making sure that your network is totally secure and locked down, firewalls. Along with that, you’re going to need endpoint protection on all your devices, mobile device manager. You’re going to have to track every device that has access or could have access to CUI. You have to have a full inventory of that. Your IT system has to be locked down.

Now, this also includes your facility; it includes physical security. That’s talking about your door locks, your alarm systems, things that are going to protect CUI. Camera systems, your server rooms have to be locked down. It’s a lot of physical security, too.

Doug Glenn: Interesting. As well as the protocols for how you handle emails, how data is transferred, where it’s stored, and backups, stuff like that?

Joe Coleman: Yes. And you need to have a policy and a procedure for each one of those. They have to be fully documented every step of the way.

Doug Glenn: Wow. Okay. Sounds like fun, Joe.

Joe Coleman: It is. I enjoy it, but it’s a lot of work.

Doug Glenn: I’m glad somebody enjoys it. I think I’d be swinging from a rope somewhere; you know?

Joe Coleman: I eat, sleep, and drink it.

Doug Glenn: Well, that’s good, I appreciate it. The columns and things that you’ve written for our publication have been helpful to people, I know. And I think this podcast will also be helpful to them. But do you know, for those who are listening and might be attending Furnaces North America, do you know when your talk is?

Joe Coleman: It’s going to be on the 16th at 8:50 a.m., and it’s in room 222.

Doug Glenn: All right.

All right, Joe. Thank you very much. I appreciate your time. We’ll look forward to more of your input.

Thanks everyone for listening.

About The Guest

Joe Coleman
Cyber Security Officer
Bluestreak Consulting

Joe Coleman is the cybersecurity officer at Bluestreak Compliance, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe will be speaking at the Furnaces North America (FNA 2024) convention, presenting on DFARS, NIST 800-171, and CMMC 2.0.

Contact Joe at joe.coleman@go-throughput.com.



All 21 News Chatter To Keep You Current

Heat Treat Today offers News Chatter, a feature highlighting representative moves, transactions, and kudos from around the industry. Enjoy these 21 news items.


Equipment

  1. Tata Steel Meramandali, based in Odisha, India, placed an order with SMS group for the implementation of Paul Wurth coke oven gas injection technology at their Blast Furnace (BF) #1. This order is the first of its kind in India, setting a precedent for the industry’s move towards sustainable steel production. The project is expected to be commissioned by Q1 2026 and will be completed within 25 months.
  2. Sousa Corp., based in Newington, CT, installed its second Ipsen Turbo²Treater vacuum furnace to its production line, expanding its capacity to meet demand for heat treating services to the aerospace, automotive, medical, and general manufacturing industries.
  3. A Chinese partner has purchased a two-chamber VIM 50 kg induction furnace from SECO/WARWICK for casting gas turbine blades. The furnace will produce gas turbine blade castings in an equiaxed structure and has already obtained an export license.
  4. The modernization of a blast furnace at Salzgitter Flachstahl AG has been completed by SMS group. The new Paul Wurth parallel hopper Bell Less Top® (BLT) installed offers enhanced efficiency with less maintenance.
  5. Edwards AFB in California received delivery of a composition oven from DELTA H®/Phillips Federal. The equipment will be used for advanced materials applications R&D. The heat treat furnace supplier initially designed and engineered the walk-in oven using SolidWorks 3D modeling and developed the project as a “kit oven” for easy field assembly. After preassembly of key subsystems at their Carroll, OH facility, the system was shipped to Edwards AFB. The entire field assembly project required two weeks including commissioning and extensive training of USAF personnel.
  6. Tata Steel Nederland selected Tenova to develop a new state-of-the-art steel production line in IJmuiden, the Netherlands. The overall contract will include engineering, supply, and advisory services for a three million tons electric arc furnace to meet current operational specifications (high-quality steel for the automotive sector). 
  7. Cavendish Hydrogen ASA, a subsidiary of Nel ASA, has received a purchase order from Alperia Greenpower SRL for hydrogen fueling equipment to be used for light- and heavy-duty fuel cell electric vehicles in Bruneck, South Tyrol, Italy. This will be Nel’s first H2Station™ installation in Italy, built for the 2026 Winter Olympics to fuel vehicles for the transfer between the Olympic sports facilities.

Company & Personnel 

  1. StandardAero has appointed Kim Ernzen to serve as chief operating officer. In this role, Ernzen reports directly to Russell Ford, StandardAero chairman and CEO, and is responsible for global operational performance, efficiency, and excellence, as well as engineering and supply chain management for StandardAero. Additionally, StandardAero’s Engine Services and Component Repair Services division presidents will report directly to Ernzen, who will maintain close oversight of the company’s overall business performance. She replaces Kerry O’Sullivan, who is retiring from StandardAero, and will be located at the company’s Scottsdale, Arizona, headquarters office. 
  2. Steelhead Technologies launched Steelhead University, an online learning platform designed to expedite user training and streamline software implementation. The comprehensive curriculum of eight core administrative courses equips users with fundamental knowledge essential for navigating the intricacies of the company’s software.
  3. Solar Atmospheres’ newest acquisition, Solar Atmospheres of San Diego, has announced the addition of Chris Constable as their new vice president of operations. Chris has nearly 25 years of heat treating experience that includes quality, operations, management, plant safety, business development, and sales.
  4. Ipsen USA welcomes Max Stormo as the new Ipsen customer service (ICS) operations manager as the company streamlines its aftermarket services in Souderton, PA. Stormo comes to Ipsen after an extensive career working as a manufacturing operations leader in Texas, and a recent role as vice president of operations at a manufacturer in the Philadelphia region.
  5. Solar Manufacturing, Inc., announced the hiring of Nicholas Max, BSME Drexel University, as its chief mechanical engineer to head up its vacuum furnace mechanical design group. Nick is also pursuing an MBA at Lehigh University in Bethlehem, PA. He will be tasked to lead the further development of energy efficient hot zones, vacuum vessels, high pressure gas quenching systems, and vacuum pumping systems.
  6. Ipsen USA has confirmed its commitment to the growth of the Ipsen Customer Service (ICS) Parts Department by expanding staff and implementing strategic initiatives. Christina Connelly, parts manager for Ipsen in Cherry Valley, joined the team in 2022, and has since hired six additional employees. Connelly and her veteran team members and new hires are focused on reducing turnaround time and increasing customer responsiveness.
  7. Swiss Steel Group announced its participation in a renewable energy consortium, the “Initiative EE-Industrie.” This initiative, consisting of 19 small and medium-sized enterprises (SMEs) in Germany, aims to build, operate and utilize wind and photovoltaic plants for self-supply with green electricity.
  8. Kanthal and Danieli have announced a partnership to jointly scale up Kanthal’s demonstrated electric process gas direct-heating solution, Prothal® DH, to full industrial scale. With the installation in Energiron hydrogen-ready DRI plants, fully green DRI production will be achieved. Additionally, the introduction of Prothal® DH technology in blast furnace operation will reduce CO2 emissions in ironmaking.

Kudos 

  1. Ipsen Global has received the German Innovation Award for the Atlas Green furnace platform, presented by The German Design Council. The award ceremony was held in Frankfurt, Germany, on May 14, celebrating the innovators that emerged from a field of 520 submissions from across 23 countries.
  2. Industrial Steel Treating Co. was named the Manufacturer of the Year by the Jackson Area (MI) Manufacturers Association. Accepting on behalf of IST was Tim Levy, current President of IST. Members of the Levy family in attendance included current VP, Tom Levy, and former IST President, Bernard Levy. Bernard was the 2nd generation Levy family owner and spent his entire 50-year career at IST before retiring and passing the reins to his three sons in 1998.
  3. Bluestreak Compliance™, a division of Bluestreak | Bright AM™, received approval as a Registered Practitioner Organization (RPO) by the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (Cyber-AB). This significant achievement enables Bluestreak Compliance™ to offer expert consulting services to defense contractors and suppliers aiming to comply with CMMC cybersecurity standards and prepare for their Cybersecurity Maturity Model Certification (CMMC) audits.
  4. IHEA has announced Dr. Avi Shultz as keynote at the first Industrial Heating Decarbonization SUMMIT. Dr. Shultz, Director of the U.S. Department of Energy’s Industrial Efficiency and Decarbonization Office (IEDO), will provide the keynote address at its first summit, to be held October 28-20 at the Conrad Indianapolis.
  5. Swiss Steel Group has launched a new website which focuses on customer needs, including a Product Finder that generates automated product suggestions based on customer requirements and specifications, and detailed information about green initiatives and sustainability as well as special requirements for steel grades for specific applications.
  6. IHEA recently announced its 2024–25 Board of Directors and Executive Officers. Taking over as President is Jeff Rafter of Selas Heat Technology Co. LLC; Vice-President is Gary Berwick of Dry Coolers, Inc.; and Treasurer is Jason Safarz of Karl Dungs, Inc. Brian Kelly of Honeywell Thermal Solutions assumes the Past President position. Finalizing the lineup of IHEA’s Board of Directors for 2024-2025, the following members continue their tenure: Scott Bishop, Electric Power Research Institute (EPRI); Bob Fincken, Super Systems, Inc.; Ben Gasbarre, Gasbarre Thermal Processing Systems; Doug Glenn, Heat Treat Today; John Podach, Fostoria Infrared; John Stanley, Karl Dungs, Inc.; Michael Stowe, Advanced Energy; Helen Tuttle, WS Thermal Process Technology Inc.; and Jeff Valuck, Surface Combustion, Inc.
