As the U.S. Department of Defense (DoD) continues to finalize the Cyberspace Maturity Model Certification (CMMC) 2.0, many manufacturers anxiously wonder when and how to begin the process of compliance. The good news is that there's no need to panic. It may not be as difficult or complex as some people think.
CMMC 2.0 is a comprehensive framework to protect the defense industry from cyberattacks. The policy requires all military contractors and subcontractors that supply products to the DoD to follow prescribed cybersecurity standards and demonstrate accountability. To date, no release schedule has been announced.
CMMC contains all NIST800-171 requirements that address organizational, managerial, and technological controls. This may include login procedures, access control, and full scanning requirements for all software used within the company's system. Even a seemingly harmless music streaming download by an employee can introduce malware that takes down an entire company's system.
For more detail about CMMC 2.0 standards, read the article “CMMC: What Is It and Why Should Every Manufacturing Company Be Paying Attention.”
Start with an assessment The best way for manufacturers to think proactively about CMMC compliance is to start assessing their current situation. Rather than start from scratch, consider hiring a 3rd party cybersecurity consultant to assess all aspects of the company's security posture.
ProShop ERP (IMTS booth: 133027) of Bellingham, Wash., helps customers get ready for CMMC compliance by beta testing a program called “Flying Start,” a package that combines ERP software with a playbook to meet CMMC standards.
“With Flying Start, manufacturers can work down the checklist of things to do, follow the templates, and get further down the line to compliance so they spend less time with a cyber consultant,” says ProShop CEO Kelsey Heikoop. “We're already embedding tools into the architecture of our software to make compliance easier, but this playbook guides companies to take steps toward CMMC compliance on their own.”
Similar to other certifications While compliance may seem daunting to some manufacturers, the concepts will likely look very familiar.
“CMMC certification has a lot of parallels to other programs many companies have gone through, such as ISO 9000 certification and Lean Six Sigma,” says John Turner, director of technology for FA Consulting & Technology (FAC&T) and a member of the MTConnect Institute. “It's less scary when they realize that some areas are similar to what they've already done in the past.”
Even for manufacturers not currently in the DoD supply chain, implementing CMMC controls is crucially important because bad actors are targeting medium- and small-sized companies that may appear to be a “weak link” in the supply chain. In other words, small vendors that serve large organizations have high risk factors.
Plus, being CMMC-compliant can be a differentiator over competitors during an RFP that specifies a CMMC-approved supplier. Eventually, CMMC is likely to become an industry standard beyond DoD requirements.
Boston-based Paperless Parts (IMTS booth: 133268), a manufacturing quoting software provider, is taking many steps to secure its own networks internally while helping customers with CMMC compliance. It has even hired a new director of cybersecurity governance, Jonall Cobble, who was previously a CMMC assessor.
“The threat landscape is big and there are many state-sponsored malicious actors that have a huge interest in the manufacturing industry,” Cobble says. “We've taken the mindset that security needs to be built into the product and not done as an afterthought. If you're just putting a security blanket over the top of it, it's actually not secure once you're on the inside.”
Although it may not impact a manufacturer's ability to get a DoD-related contract anytime soon, now's the time to begin looking at cybersecurity needs with goal of achieving CMMC compliance.
