Why is the Department of Defense Implementing the Cybersecurity Maturity Model Certification (CMMC), and are DoD Associated Manufacturers in WNY Prepared?
How would not being able to bid on contracts or manufacture Department of Defense (DoD), aerospace, or military supply chain products affect your revenues?
For over a decade, the DoD has been leading the charge in efforts to improve our nation’s cybersecurity profile and strengthen policies in order to deter the theft of classified materials, defense secrets, and intellectual property by unauthorized entities. They have determined that the most significant source of the digital asset leaks is coming through the thousands of contractors in the United States that have access to sensitive and Controlled Unclassified Information (CUI). This information is essential for the contractor to access, and move back and forth, in order to deliver on their contracts for goods or services.
Several years ago, the National Institute of Standards and Technology (NIST) issued the 800-171 Cybersecurity regulations, which provided a robust framework for all manufacturing companies, not just defense related manufacturers, to measure their preparedness for doing business electronically in the now often compromised digital economy. With 110 control elements, the 800-171 guideline was designed to be a foundation on which robust cybersecurity protection for administrative, physical, and technical aspects of a manufacturer’s organization could be measured. Compliance to these regulations, for the most part, were based on the honor system and most company’s IT administrators were found to be overly optimistic in their self-assessments.
The DoD subsequently decided this 800-171 Standard was not substantive enough, and did not adequately address the highest level security that must be in place at the advanced/ progressive suppliers who’s work directly feeds back into the military, aerospace and government entities in the USA.
The CMMC has just been released! The requirement for certification of conformance to 140 elements by DoD is being included in request for proposals (RFP’s) being issued going forward in 2020, and certification of conformance to CMMC by manufacturers will be required as a part of all DoD contracts issued for 2021. What is important to understand is that there is a requirement that DoD supply chain partners MUST BE certified by an independent third party that is themselves licensed and certified to perform the assessment and provide a certification of compliance. This CMMC certification requirement applies not only to prime contractors, but their subcontractors, and then some tier 3 and 4 providers lower in the supply chain. Failure to be certified to CMMC, or pass a CMMC audit, would result in companies not being allowed to bid on contracts until they become certified. A compromise of the company’s systems might also trigger a temporary suspension in business, while the organization is being recertified.
For many DoD contractors and their subcontracting partners, the most effective way to meet this new CMMC cybersecurity requirement will be to find a properly credentialed consulting partner to help your organization become compliant. More importantly, not only is the prime contractor responsible to attain the CMMC certification, but they must also be assured their subcontractors are equally qualified. For more information, please contact Ryan Case (firstname.lastname@example.org) or Dave Hanitz (email@example.com).