Many manufacturers do business with the U.S. Department of Defense (DOD) directly or through original equipment manufacturers (OEMs) and other contractors. The industry is paying attention to the new Cybersecurity Maturity Model Certification (CMMC) because, a few years from now, contractors without the certification will be ineligible to compete for DOD contracts.
“Manufacturing technologies are constantly increasing connected systems. Digital manufacturing is the core of advancing manufacturing technology,” said Ben Moses, director – technology, Association For Manufacturing Technology (AMT), which owns and operates IMTS. “With increasingly connected systems come the concerns of security, which is the confidence in protecting your organization. There are several ways to qualify this confidence, such as penetration and adversarial testing. Accreditation of the tools and processes is a path that the DOD has chosen. This will allow the defense community to quantify and communicate the security confidence in the supply chain.”
CMMC is a scalable certification standard for the implementation of cybersecurity processes and practices across the Defense Industrial Base (DIB). CMMC is designed to assure DOD and DIB companies can protect sensitive unclassified information, accounting for information flow down to subcontractors in a multitier supply chain.
Consisting of five cumulative levels, CMMC measures a company's cybersecurity maturity. Level 1 is basic cyber hygiene; Level 5 is "advanced/progressive."
As a company achieves a specific CMMC level, it must also demonstrate attainment of the preceding lower levels. Cybersecurity certification will be valid for three years.
In November 2020, the U.S. DOD implemented its initial phase toward CMMC, when the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Final Rule took effect. This rule requires DOD contractors and subcontractors to complete scored self-assessments of their compliance with the National Institute of Standards and Technology's (NIST) Special Publication 800-171, which is the precursor to the CMMC security requirements and is incorporated in CMMC Level 3.
CMMC’s familiar origins
In addition to NIST SP 800-171, the CMMC model incorporates other standards, references, and sources, such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 "Critical Security Controls for Effective Capability in Cyber Defense," and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM).
Gradual release planned
DOD is rolling out the five-tier CMMC standard in phases over a period of five years. In fiscal year 2021, 15 new prime acquisitions will be released with CMMC requirements. These contracts will focus on mid-sized programs that require the contractor to process or store Controlled Unclassified Information (CUI), which corresponds to CMMC Level 3. Primes will be required to flow down the appropriate CMMC requirement to their subcontractors.
For subsequent fiscal years of the rollout, the DOD intends to apply CMMC Levels 4 and 5 to a small number of contracts while increasing the number of prime acquisitions that include a CMMC requirement.
Companies can get a head start on certification by familiarizing themselves with the CMMC requirements and performing a basic assessment of where they currently stand.
The effort required to attain CMMC compliance will vary with a company's size, its position in the supply chain, and the size of its IT department. Some DIB contractors will need to partner with trusted advisors, while others can do the work in-house.
Companies can begin their CMMC journey by checking out the DOD CMMC website.