NFFS Cybersecurity: Incident and Response

On the morning of Friday, August 15, NFFS discovered something no organization wants to see—unusual email activity coming from one of our staff accounts. The account had been compromised and was used to send out emails with a suspicious PDF attachment to external recipients, including some of our members and partners.

As soon as we detected the activity, our team moved quickly. The account was immediately disabled to prevent further misuse, and we began a thorough review of our system and email logs. Thankfully, the investigation confirmed that the incident was limited to this single account and that the attacker’s access had been blocked without further impact due in part to the swift response by our IT team. Importantly, we found no evidence that sensitive data—such as Controlled Unclassified Information (CUI), DoD contract data, or member records—had been accessed or misused.

Although the impact of this breach was contained, NFFS took the situation very seriously. We promptly notified affected parties, reported the incident to the Department of Defense’s Defense Industrial Base Cybersecurity Program (DCISE), and began reviewing our policies and procedures to ensure our defenses remain strong.

Lessons for Foundries

This incident underscored an important truth: cybersecurity events can happen to any organization, regardless of size. Just as foundries invest in safety programs to protect employees on the shop floor, it is equally important to prepare for incidents that threaten our digital operations.

From our experience, the most critical step is to respond immediately—disable any compromised accounts or systems before the problem spreads. The first rule when you are in a hole is to stop digging! A careful investigation should follow, reviewing logs and records to determine the scope of the event and whether sensitive information was compromised. Communication is another essential piece. Employees, customers, and suppliers need to be informed if they may have been affected, and DoD contractors in particular must understand when incidents rise to the level of requiring a formal report within 72 hours. Finally, no incident should be wasted. Each event is an opportunity to strengthen defenses, whether by refining policies, investing in safeguards, or providing refresher training so employees are better equipped to recognize and report suspicious activity.

Cybersecurity is not a one-time project—it is an ongoing process of vigilance and improvement. Incidents will happen, but how an organization responds can make the difference between a minor disruption and a major crisis. By sharing our experience, NFFS hopes to help member foundries prepare their own incident response strategies and reduce the risk of serious disruption should a cyber event occur.