What Manufacturers Need to Know
Cybersecurity Lead, DoD, NIST 800-171 and CMMC Specialist, NJMEP
Cybersecurity is not a new subject in manufacturing. The moment that connected equipment, innovative software, and advanced robotics systems began making their way to the shop floor, cybersecurity was part of the conversation. Cybersecurity made headlines alongside Industry 4.0 articles, but the buzz of flashy new technologies dominated the conversation.
Manufacturers tend to put cybersecurity on the backburner. This is no longer going to be an option for many. The manufacturing industry has consistently ranked in the top 5 of industries most vulnerable and targeted for cyberattacks. The Healthcare, Financial Services and Government Agencies sectors have all been held to a higher standard when it comes to security compliance and risk management. The manufacturing industry has not yet been held to a higher standard and therefore even more vulnerable to cybercrime.
The Cybersecurity Maturity Model Certification (CMMC) is bearing down on the industry and below are the 6 critical questions manufacturers need to ask.
What is the CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. This certification takes a unique approach to ensuring critical intellectual property stays secure. At first, CMMC will only be required for manufacturers and suppliers that handle Controlled Unclassified Information (CUI) for the Department of Defense (DoD).
The Cybersecurity Maturity Model Certification (CMMC) is the method to certify that the appropriate levels of cybersecurity processes and protections are in place for the approximately 300,000 contractors and subcontractors in the DoD supply chain. The CMMC process will now require a CMMC Third Party Assessment Organization (C3PAO) to certify that companies are complaint, and that CUI is secure.
There are 5 maturity levels part of the CMMC which range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. As the maturity level increases, so too do the rules and guidelines a business must follow in order to become certified and remain compliant.
Why is the CMMC being created?
The Department of Defense recognized cyberattacks as a significant threat, especially to the small to mid-sized subcontractors supporting the larger primes. Bad actors recognized that the primes were spending more resources to prevent attacks and that their supply chain was an easier target. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 cybersecurity requirements were developed to protect sensitive information for contractors working with the Department of Defense (DoD) to adhere to the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 clause. When the DoD estimated that only a small percentage of the supply chain was conforming to these guidelines, the Cybersecurity Maturity Model Certification (CMMC) was created.
Cyber-attacks are an everyday occurrence, unfortunately. “With over 80 percent of the national defense information living on partners’ networks, it is no longer a conversation of what you are doing, or what I am doing; it’s more important what we are doing as a collective to protect the national defense,” said Katie Arrington, special assistant to the Assistant Secretary of Defense for Acquisition for Cyber, and one of the main proponents behind the CMMC.
In December of 2018, Chinese hackers reportedly stole information from Navy contractors which included ship maintenance data and missile plans. These actions are a direct threat to national security. Even if a large DoD supplier like Lockheed Martin has a top tier cybersecurity program in place, every subcontractor and supplier in the DoD supply chain must protect themselves as well or else they become an entry point for cybercriminals. Just one weak link in the DoD supply chain can put the entire country at risk.
Does my company need the CMMC?
Every company should invest in strengthening its cybersecurity. According to the Radware Survey, the estimated cost per cyber-attack is $4.6 million1. 13% of survey participants experienced a cyber-attack that cost their company $10 million or more, a figure that doubled in just one year between 2018 and 2019. New Jersey Manufacturing Extension Program (NJMEP)’s cybersecurity subject matter experts suggest every manufacturer would benefit from achieving the equivalent of “Intermediate Cyber Hygiene”, or Level 2 of the CMMC as a best practice. For DoD contractors, the maturity level will depend on where in the DoD supply chain a company falls.
Identifying which of the five CMMC maturity levels a DoD supplier, sub-contractor, or manufacturer must abide by will either be determined by the prime DoD contractor or can be uncovered through a CMMC gap analysis. All suppliers, sub-contractors, or manufacturers that do any work, no matter how minimal, with the DoD will need some level of the CMMC but the maturity level will differ depending on the information that businesses handles and the work being conducted.
If a Defense Industrial Base (DIB) company does not possess Controlled Unclassified Information (CUI) but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.
When do I need to start the certification process?
Now. DoD suppliers, sub-contractors, and manufacturers should begin the process of becoming CMMC as soon as possible to avoid the risk of losing critical DoD contracts. From start to finish, the process could take upwards of a year. In June of 2020, CMMC started appearing on RFI’s. Businesses can expect RFP’s to mention CMMC beginning in September of 2020 and Assessments will begin in the Fall of 2020.
Acting now and working with a consultant intimately familiar with the CMMC and the framework from which the CMMC originated, NIST 8001-171, will be vital. Certification begins with an assessment to identify where in the CMMC maturity level an organization currently resides. The next step would be to perform an in-depth gap analysis and then move onto full-service remediation. Each CMMC maturity level takes a different amount of time and effort. However, starting as soon as possible will lessen the burden on the company, leadership, and workforce.
What happens if I don’t become certified?
For DoD contractors, sub-contractors, suppliers, or manufacturers…
Achieving the necessary CMMC maturely level could mean the difference between securing that next DoD contract or not. DoD prime contractors will begin requiring all sub-contractors to comply with these critical new rules. Any manufacturer that does not abide by these guidelines and achieve the proper CMMC maturely level will not be able to continue conducting DoD business.
For Non-DoD Manufacturers…
As of now, DoD contractors are the only ones at risk for losing DoD work if they do not acquire the CMMC. However, small-medium sized manufacturers are always at risk of a cyber-attack completely crippling their business, sometimes to the point where they will never be able to financially recover. This certification provides non-DoD manufacturers with a fantastic cybersecurity baseline and best practices. Depending on the results from a cybersecurity assessment, a business can determine which maturity level would work best for them.
Who can answer all my other questions about the CMMC?
Acquiring the CMMC can be a challenge, especially without the right support. The certification is still in its infancy which creates a difficult environment for manufacturers to navigate on their own. Exploring websites like acq.osd.mil/cmmc/faq.html or working alongside consultants like NJMEP are the best ways to start and will help turn a daunting process into a streamlined value-add for any business.
Understanding the CMMC, which businesses will be impacted, when to act, and identifying the necessary maturity level can be intimidating. Don’t go at it alone. Cybersecurity is essential but can be complex. Working with the right team and having access to the right information will prove invaluable.
There have been so many questions around this topic and so many developments while it has been rolling out. Early on, there were many companies claiming to be able to help and charging a significant amount, even when the final version of the guidelines had not even been decided or communicated. There are countless companies selling solutions or services to help and it may be difficult to determine who to trust. This is not something that can simply be outsourced to a Managed Service Provider (MSP) claiming to be familiar with the requirements.