Get Ready to Implement CMMC
Category: Manufacturing Technology • Jan 6, 2021
By Kathy Keyes Webster, AMT Exhibitions Content Manager – Correspondence
Many in the IMTS community do business with the U.S. Department of Defense (DOD) directly or through OEMs and other contractors, and the sector is abuzz about the new Cybersecurity Maturity Model Certification (CMMC). The crux is that increasingly over the next five years, contractors without CMMC will be unqualified to compete for DOD contracts.
“Manufacturing technologies are constantly increasing connected systems. Digital manufacturing is the core of advancing manufacturing technology,” says Ben Moses, Director – Technology, AMT – The Association For Manufacturing Technology, which owns and operates IMTS. “With increasingly connected systems come the concerns of security, which is the confidence in protecting your organization. There are several ways to qualify this confidence, such as penetration and adversarial testing. Accreditation of the tools and processes is a path that the DOD has chosen. This will allow the defense community to quantify and communicate the security confidence in the supply chain.”
CMMC is a scalable certification standard for the implementation of cybersecurity processes and practices across the Defense Industrial Base (DIB). CMMC is designed to assure DOD and DIB companies can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.
Comprising five cumulative levels, CMMC measures a company’s cybersecurity maturity. Level one is “Basic Cyber Hygiene.” Level five is “Advanced/Progressive.”
As a company achieves a specific CMMC level, it must also demonstrate attainment of the preceding lower levels. Certifications will be valid for three years.
DOD Takes the First Step
On Nov. 30, 2020, the U.S. DOD implemented its initial phase toward CMMC, when the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Final Rule took effect. This rule requires DOD contractors and subcontractors to complete scored self-assessments of their compliance with the National Institute of Standards and Technology’s (NIST) SP 800-171, whose requirements are the precursor to the CMMC security requirements and are included in Level III of the CMMC.
CMMC is Familiar
In addition to including the NIST SP 800-171, the CMMC model also incorporates other standards, references, and/or sources, such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense,” and Computer Emergency Response Team (CERT) Resilience Management Model (RMM).
DOD CMMC Plans Gradual Release
DOD is rolling out the five-tier CMMC standard in phases over a period of five years. In FY 2021, 15 new prime acquisitions will be released that must meet CMMC requirements. These contracts will focus on mid-sized programs that require the contractor to process or store Controlled Unclassified Information (CUI), which corresponds to CMMC Level three. Primes will be required to flow down the appropriate CMMC requirement to their subcontractors. In December 2020, Federal Drive podcaster Tom Temin speculated on FederalNewsNetwork.com that the first 15 contracts would be related to defense weapon systems.
For subsequent fiscal years of the rollout, the DOD intends to incorporate CMMC Levels four and five on a small number of contracts while increasing the quantity of prime acquisitions that include a CMMC requirement to the following targets:
What can DIB contractors do?
“The first thing DIB contractors should do is familiarize themselves with the CMMC requirements and use those to complete a basic assessment of the current security posture of their organization,” says Julia Boswell, Security & Compliance Lead at ProShop ERP, a shop management system that includes ERP, MES, QMS, and soon, CMMC.
“The CMMC will look at the maturity of an organization’s information security program, meaning any work you can get started on now will pay off significantly in the coming months.” Boswell is leading the company’s efforts to be CMMC certified themselves, and helping their customers attain certification. “If you are familiar with NIST SP 800-171, NIST SP 800-53, or the aforementioned standards, you are positioned well, but if this is new material to you, know that there are many excellent resources available and that this certification is an achievable goal.”
The effort required to attain CMMC compliance will vary depending on a company’s size, its position in the supply chain, and the size of its IT department. Some DIB contractors will need to partner with trusted advisors, while others can take a DIY approach. In either case, companies can begin their CMMC journey by checking out the DOD CMMC website.