With a cybersecurity threat risk that shows no signs of subsiding, the Department of Defense (DoD) has dictated that Cybersecurity Maturity Model Certification (CMMC) will be a requirement for any participant in the defense contractor supply chain, as a non-negotiable condition of doing business and working with the DoD. Therefore, all contractors already doing business with the DoD, or any firm interested in doing so, including manufacturers and component material suppliers, are affected.
The primary goal of the Cybersecurity Maturity Model Certification is to safeguard Controlled Unclassified Information (CUI) across the DoD supply chain, and shield it from access by unethical entities and enemies of the United States. CUI refers to any information created or possessed by the government or another entity on the government’s behalf, in forms such as financial, legal, intelligence, logistics, or distribution digital data.
There are 5 levels and associated requirements for CMMC certification, and each certification level improvement is founded upon requirements set forth in the levels before it.
CMMC Certification Levels Definition:
Level 1– Basic Cyber Hygiene – DoD contractors must pass an audit for compliance to 17 controls of NIST 800-171.
Level 2– Intermediate Cyber Hygiene – DoD contractors must implement 65 controls of NIST 800-171, plus seven additional controls.
Level 3-Good Cyber Hygiene – Level 3 is where 80%+ of participants in the DoD Supply chain will land. To achieve this certification, 110 controls of NIST 800-171 and 20 other controls must be implemented and maintained.
Level 4 and Level 5 -Highly proactive and sophisticated advanced cybersecurity compliance to the standard, and usually found at Tier 1 Original Equipment Manufacturing companies.
What steps should WNY Manufacturers Take Next?
It’s important to know that the CMMC requirement is happening now, and all DoD suppliers should be acting sooner than later, in order to ensure they have their systems, infrastructure, policies, procedures, and physical security up to compliance, and the entity itself is capable of receiving the certification as soon as necessary, well ahead of 2025. This gap transition time is definitely invaluable, as the road to CMMC certification is neither fast nor inexpensive. For example, the waiting period between an application and certification audit scheduling is at least six months, and CMMC specifies the audit and certification be performed by a prequalified CMMC third-party assessing organization (C3PAO). The entire CMMC process is very similar to developing and implementing a quality management system, such as ISO9001:2015 or AS9100D, where the preparation and system development are driving the Company to ultimately bring in a 3rd party registrar to validate the system.
The Cybersecurity Maturity Model Certification states that contractors can choose a specific compliance level for its entire enterprise network, or selective compliance for particular segments that handle or store the protected information. However, DoD contract bid solicitations will specify what maturity level each supplier needs to be at in order to respond to future requests for proposal. Therefore, it is recommended to start the CMMC journey with an independent external assessment of the business, as soon as possible, to accurately determine what (or if) CUI is part of your cybersecurity future.
Since 2020, Insyte Consulting, through a network of trusted consulting partners, has been providing CMMC assessments and remediation assistance to manufacturers. In many cases we have been successful in obtaining the support of our regional utility partners, National Grid and NYSEG, to offset a portion of the cost of these critical steps for them. For more information, and to discuss your specific situation, please reach out to Dave Hanitz (firstname.lastname@example.org) or Ryan Case (email@example.com).
Looking ahead… October is National Cybersecurity Awareness Month (NCSAM). An Insyte Consulting-Freed Maxick Cybersecurity Workshop is planned for Wednesday, October 13th.
The event will cover two topics:
- DoD Cybersecurity Maturity Model Certification (CMMC) Process – Readiness and Certification
- Cybersecurity Best Practices for Manufacturing – Right Size Approach
Stay tuned for more details & registration information.