Featured Image
Technology |Data-Driven Manufacturing

CMMC: What Is It and Why Should Every Manufacturing Company Be Paying Attention

CMMC stands for Cybersecurity Maturity Model Certification. This is an initiative of the Department of Defense (DOD) to address cybersecurity concerns at non-governmental organizations participating in the DOD supply chain.
by John Turner
Jan 28, 2022

CMMC stands for Cybersecurity Maturity Model Certification. This is an initiative of the Department of Defense (DOD) to address cybersecurity concerns at non-governmental organizations participating in the DOD supply chain. The primary goal of CMMC is to improve the protection of sensitive government information and to enhance the reliability of the supply chain. CMMC is based on National Institute of Standards and Technology (NIST) standards SP 800-171, SP 800-172, and a variety of supplemental DOD purchasing clauses (DFARs). CMMC is being implemented in phases over the next three to four years. 

CMMC not only applies to DOD prime contractors, but those contractors must pass along the CMMC requirements to all sub-contractors – all the way down the chain until you reach suppliers of COTS products (commercial-off-the shelf products). Essentially, CMMC can apply to anyone producing products designed for, or customized for, a DOD project. 

Today, CMMC applies only to DOD projects. However, other federal government agencies are evaluating adoption of CMMC as part of their purchasing processes. With all the supply chain issues industry is facing today and the major disruptions we have seen due to cyberattacks, it is not unreasonable to expect that CMMC, or requirements similar to CMMC, begin to be imposed by any number of commercial companies. Security of the supply chain and protection of sensitive corporate information is an ever-increasing concern for most companies. So even if you are not a supplier to the federal government, you can expect CMMC-like requirements becoming part of your purchasing agreements with your major customers.

What is really involved with CMMC?

Achieving CMMC compliance is a lot more involved than simply adding new security functions to your business’s network – it also involves implementing a series of specific cultural behaviors, policies, and practices within your business. For companies who have sought ISO 9000 compliance, you will recognize that CMMC compliance requires many of the same types of business practices and policies as are required for ISO compliance. 

Released November 2021, CMMC 2.0 has streamlined some of the original requirements for CMMC and is currently going through the adoption process. Until fully adopted, the original CMMC requirements are suspended, and CMMC requirements will not be included in DOD purchasing contracts until adoption is complete.

Once adoption of CMMC 2.0 is complete, contracts stipulating CMMC compliance will specify one of three levels of compliance that suppliers must achieve, with each level requiring increasing levels of functionality. The NIST standards define an extensive list of specific practices to be addressed to enhance a business’s security environment. Each level of compliance requires adherence with subsets of these business practices. CMMC also includes assessments to ensure compliance with security standards.

The requirements for compliance at each level are summarized below:

The list of practices is too numerous to list here. You can access the NIST standards at Protecting Controlled Unclassified Information in Nonfederal Systems (nist.gov) (SP 800-171) and Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (SP 800-172). SP 800-171 lists specific practices for addressing a business’s security environment. SP 800-172 defines actions that can be taken to address each of the practices, but does not specify specific tools, products, or architectures required to implement the practices.

Generally, the practices outlined by the NIST standards address the following:

  • Define and document the practices and procedures you plan to implement to achieve a secure environment.

  • Train your personnel on these practices and procedures

  • Implement 

  • Monitor systems and personnel for compliance with your practices and procedures

  • Document occurrences of non-compliance and implement correct action plans

The practices and procedures defined for CMMC compliance provide well-structured guidance for any company choosing to enhance their security environment. These standards highlight the fact that achieving enhanced security extends well beyond your network technology – incorporating the practices and procedures to be followed by your personnel. In future articles, we will dig deeper into these policies and procedures and explore best practices to achieve an enhanced cybersecurity environment.

Tagged
Systems and SoftwareData Driven Manufacturing
PicturePicture
Author
John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Smart Manufacturing Experience 2024 Set for June 4-5 in Pittsburgh
Event to Connect Small and Medium Manufacturers with Experts in Smart Technologies
Computing on the Edge
Edge computing in digital manufacturing involves placing devices between data sources and the network, and ranges from basic data collection to distributed systems. Learn more about its benefits like data processing, isolation, organization, and security.
Is Semantic Data Worth the Effort?
What are the benefits of harvesting semantic data from equipment on the shop floor? For starters, it's easier to integrate machines into shop maintenance and monitoring systems. Learn how the industry has responded to semantic data – and where it's going.
Efficient Evolution
A digital twin is more than a computer approximation or simple 3D model – it is an ever-evolving, data-driven digital representation of a system.
Achieving Operational Advantage Through Digital Manufacturing
Siemens is one of the world’s biggest manufacturing companies – and a company that uses the digital tools it develops to achieve operational excellence.
Similar News
undefined
Technology
Trends in Utilizing AI To Complement Integrated Force Control
By Nina Anderson | Jul 18, 2024

AI and advanced sensors transform robotics, enabling direct force control with feedback. This article explores AI's role in integrated force control, predictive modeling, and their impact on robotic performance and end effectors across applications.

5 min
undefined
Technology
Hundreds of Leading Software Solutions for Manufacturing Converge at IMTS 2024
By Bonnie Gurney | Jul 17, 2024

The Software Sector at IMTS 2024, which runs Sept. 9-14, showcases solutions from more than 120 exhibitors demonstrating CAD-CAM software, controls, ERP, monitoring, data management, and other digital solutions to optimize machine and business performance.

8 min
undefined
Technology
IMTS 2024 Offers Hidden Technology Gems, New Exhibitors
By Bonnie Gurney | Feb 08, 2024

At IMTS 2024, discover unexpected solutions, including haptic feedback to improve remote robot operation and digital training, quality control software, additive manufacturing powders and gases, services to address labor issues via an app, and more.

5 min