Featured Image

Keep Calm and Plan On

The new Cyberspace Maturity Model Certification (CMMC) 2.0 may sound scary and overwhelming for smaller companies to comply with, but there are some simple steps manufacturers can take now to get a handle on their current cybersecurity situation.
Apr 05, 2022

As the U.S. Department of Defense (DoD) continues to finalize the Cyberspace Maturity Model Certification (CMMC) 2.0, many manufacturers anxiously wonder when and how to begin the process of compliance. The good news is that there's no need to panic. It may not be as difficult or complex as some people think.

CMMC 2.0 is a comprehensive framework to protect the defense industry from cyberattacks. The policy requires all military contractors and subcontractors that supply products to the DoD to follow prescribed cybersecurity standards and demonstrate accountability. To date, no release schedule has been announced.

CMMC contains all NIST800-171 requirements that address organizational, managerial, and technological controls. This may include login procedures, access control, and full scanning requirements for all software used within the company's system. Even a seemingly harmless music streaming download by an employee can introduce malware that takes down an entire company's system.

For more detail about CMMC 2.0 standards, read the article “CMMC: What Is It and Why Should Every Manufacturing Company Be Paying Attention.”

Start with an assessment   The best way for manufacturers to think proactively about CMMC compliance is to start assessing their current situation. Rather than start from scratch, consider hiring a 3rd party cybersecurity consultant to assess all aspects of the company's security posture.

ProShop ERP (IMTS booth: 133027) of Bellingham, Wash., helps customers get ready for CMMC compliance by beta testing a program called “Flying Start,” a package that combines ERP software with a playbook to meet CMMC standards.

“With Flying Start, manufacturers can work down the checklist of things to do, follow the templates, and get further down the line to compliance so they spend less time with a cyber consultant,” says ProShop CEO Kelsey Heikoop. “We're already embedding tools into the architecture of our software to make compliance easier, but this playbook guides companies to take steps toward CMMC compliance on their own.”

Similar to other certifications  While compliance may seem daunting to some manufacturers, the concepts will likely look very familiar.

“CMMC certification has a lot of parallels to other programs many companies have gone through, such as ISO 9000 certification and Lean Six Sigma,” says John Turner, director of technology for FA Consulting & Technology (FAC&T) and a member of the MTConnect Institute. “It's less scary when they realize that some areas are similar to what they've already done in the past.”

Even for manufacturers not currently in the DoD supply chain, implementing CMMC controls is crucially important because bad actors are targeting medium- and small-sized companies that may appear to be a “weak link” in the supply chain. In other words, small vendors that serve large organizations have high risk factors.

Plus, being CMMC-compliant can be a differentiator over competitors during an RFP that specifies a CMMC-approved supplier. Eventually, CMMC is likely to become an industry standard beyond DoD requirements.

Boston-based Paperless Parts (IMTS booth: 133268), a manufacturing quoting software provider, is taking many steps to secure its own networks internally while helping customers with CMMC compliance. It has even hired a new director of cybersecurity governance, Jonall Cobble, who was previously a CMMC assessor.

“The threat landscape is big and there are many state-sponsored malicious actors that have a huge interest in the manufacturing industry,” Cobble says. “We've taken the mindset that security needs to be built into the product and not done as an afterthought. If you're just putting a security blanket over the top of it, it's actually not secure once you're on the inside.”

Although it may not impact a manufacturer's ability to get a DoD-related contract anytime soon, now's the time to begin looking at cybersecurity needs with goal of achieving CMMC compliance.

Ryan Kelly
General Manager, San Francisco Tech Lab
Recent technology News
Top manufacturers, publishers, and organizations present scores of learning opportunities that run concurrently with the IMTS show.
Who would have imagined CNC controls as simple as using your smartphone? IMTS 2022 exhibitors have made significant strides advancing CNC controls — making them more intuitive, flexible, and powerful to address the growing shortage of skilled machinists.
“FutureView,” brought to you by ZEISS Industrial Quality Solutions, is an IMTS+ Network Original Series that documents the development of technologies at the MDF that could revolutionize the manufacturing industry.
IMTS 2022 offers job shop stakeholders the technology, new products, practical learning, and networking opportunities that will grow their businesses and profit margins, make them more resilient, and help them adapt to changing markets and ...
The first step to optimizing manufacturing and job shop efficiency starts with a visit to the Controls & CAD-CAM Pavilion at IMTS 2022, where exhibitors will showcase new digital twin and virtual solutions.
Similar News
By John Turner | May 02, 2022

Cybersecurity protects your – and your clients' – assets. This series dives into how you can integrate a successful cybersecurity plan. From company culture to training and maintaining your personnel, creating a safe business environment starts here.

5 min
By John Turner | May 06, 2022

To build or enhance your company's cybersecurity plan, one of the first steps to consider is mapping out all access points to your company’s systems and network, including the interaction points between various systems within and outside the network.

5 min
By John Turner | Jun 03, 2022

Access control in an advanced cybersecurity plan go well beyond usernames and passwords. It means defining, implementing, and monitoring rules to control which persons and systems may access resources within your company’s network and computer systems.

5 min