CMMC 2.0 IS COMING – CYBERSECURITY GUIDELINES FOR DOD MANUFACTURERS NATIONWIDE

THE WHO, WHAT, WHEN, AND HOW

In early November 2021, the Department of Defense announced a massive update to the Cybersecurity Maturity Model Certification (CMMC) program. Manufacturers or suppliers that handle any Controlled Unclassified Information (CUI) or those within the Defense Industrial Basse (DIB) will need to pay attention. The latest update to the CMMC, “CMMC 2.0” marks the completion of an internal program assessment spearheaded by Department of Defense (DoD) leadership. CMMC 2.0 condenses the original 5 CMMC maturity levels into 3 levels and applicable manufacturers will need to know where they stand, what is changing, which maturity level they need to meet, and the penalties for non-compliance.

What is Changing in CMMC 2.0?

CMMC began as a way to protect CUI held by DoD contractors and subcontractors on any non-federal
contractor information system. As manufacturers comply with their appropriate maturity level, it will
safeguard this critical information from evolving cybersecurity threats which supports and enables
the U.S. military. The original CMMC comprised five maturity levels, but this is changing. The DoD conducted an internal assessment of the CMMC program in March of 2021 which took into
consideration direct feedback from the more than 850 public comments in response to the interim
DFARS rule. It led to the development of “CMMC 2.0”, an upgrade to the program’s critical structure
and changes in its maturity levels. Streamlining and improving the implementation was the main goal of updating the program, however, manufacturers will need to be acutely aware of these changes to make sure they remain compliant or risk losing current and future DoD contracts.

MODIFICATIONS INCLUDED IN CMMC VERSION 2.0 ARE LISTED BELOW:

Eliminating levels 2 and 4 and removing CMMC – unique practices and all maturity
processes from the CMMC Model

• Allowing annual self-assessment with an annual affirmation by DIB company leadership for CMMC level 1
• Bifurcating CMMC level 3 requirements to identify prioritized acquisitions that would require annual self-assessment and annual company affirmation
• CMMC level 5 requirements are still under development
• Development of a time-bound and enforceable Plan of Action and Milestone Process
• Development of a selective, time-bound waiver process, if needed and approved

Who/What Does This Impact?

No business is completely safe from cybersecurity threats. Manufacturers are particularly at risk. These organizations often supply the largest, most powerful corporations and governments with critical parts vital to our national security and way of life. Cybercrimes understand this fact and actively seek
to steal information or cause disruptions. Every company can benefit by investing in cybersecurity since a cyber breach could cost manufacturers millions but manufacturers working with the DoD need to go beyond just ensuring they’re up-to-date with the latest cybersecurity best practices.

Manufacturers in the DIB are going to be held accountable to safeguard sensitive information and must comply with CMMC 2.0. Any supplier, subcontractor, or manufacturer that conducts business with the DoD, no matter how minuscule will need some level of CMMC. Identifying the appropriate CMMC maturity level will either be determined by a prime DoD contractor or uncovered through a CMMC gap analysis. Determining which maturity level a manufacturing business must maintain is the critical first step toward compliance. Businesses that do not comply with these new DoD cybersecurity regulations
will be at risk of losing their government contracts. Now, with this update, manufacturers must ensure they fall within one of the updated three maturity levels.

When Do Manufacturers Need to Start Compiling?

CMMC 2.0 will be implemented through DoD rulemaking process 32 of the Code of Federal Regulations (CFR). Title 48 CFR will follow title 32 which will establish the contractual requirements. The DoD stated “The CMMC program team will work through the rulemaking processes as expeditiously as possible.”

CMMC 2.0 requirements will be mandatory and it has been announced that the rule will take effect in May of 2023. Warnings will be issued to the DIB through DoD prime contractors. Manufacturers that do not comply with their designated maturity level will be at risk of losing contracts.

Manufacturers that handle CUI will still be responsible for implementing the cybersecurity requirements
in NIST SP 800-171. Any manufacturer that has FCI, will still need to implement the basic cybersecurity
requirements in FAR 52.204-21. Even though at this moment the federal government will not be
auditing businesses, they are creating a means to prosecute contractors under the False Claims Act.
The government can pursue a false claims case against businesses in the DIB that are not taking
cybersecurity seriously. Preparation is key as contracts need independent assessments without any notice if a company states they are compliant.

How Can Manufacturing Businesses Prepare?

Manufacturers are in a challenging spot. Without building CMMC 2.0 into a manufacturers business plan today, they might not have the resources to take action once the certification comes into effect.

Even though manufacturers are facing this imposing disruption, there is help available. Each state,
including Puerto Rico, has some form of a Manufacturing Extension Partnership (MEP). These independent organizations work through a cooperative agreement with NIST and are the tip of the spear when it comes to helping manufacturers ensure they meet NIST SP 800-171 regulations as well as identifying the appropriate CMMC 2.0 maturity level. Many may even offer support to become compliant within a specific maturity level. Depending on the state, MEPs often offer general cybersecurity support for manufacturers outside the DIB since every business will feel the pressure of cyberthreats well into 2022 and beyond.

As stated above, manufacturers handling CUI will still need to implement NIST SP 800-171. Those that
engage with FCI will need to comply with FAR 52.204-21 guidelines. May 2023 marks the day all DoD manufacturers must comply with CMMC 2.0. To ensure no contracts are lost, businesses must prepare immediately. Manufacturing businesses in the DIB must take action and protect their business.
Cyberthreats have matured and now it’s time to ensure cybersecurity and regulations follow suit.

NEW DEADLINES FOR CMMC 2.0 COMPLIANCE

It was recently announced that all manufacturers operating within the DoD sector will need to reach compliance by Q1 2025. Due to the time-consuming nature of navigating the complexities of CMMC 2.0 compliance, it’s important for DoD suppliers and manufacturers to make changes immediately. Some CMMC 2.0 projects can take upwards of a year to complete, so it’s critical to begin the process ASAP.