Is your manufacturing company part of America’s defense industrial base (DIB)? Whether you’re a prime contractor, a subcontractor, or farther down the supply chain, the U.S. Department of Defense (DOD) expects you to take cybersecurity seriously. In fact, your continued ability to bid on, win, and work on defense-related projects could depend in part on something called CMMC. Manufacturers who want to join the defense supply chain will also need to meet this emerging standard.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard that’s designed to reduce exfiltration of controlled unclassified information (CUI) from members of the DIB. CMMC combines various cybersecurity standards and best practices while building upon part of the Defense Federal Acquisition Regulation Supplement (DFARS) known as DFARS 252.204-7012. This clause covers the safeguarding of defense information and cyber incident reporting.
CMMC adds a verification component for cybersecurity requirements and establishes a model framework with 18 different domains. Each domain covers a key set of cybersecurity capabilities. In turn, these cybersecurity capabilities contain practices and processes that are mapped to five numbered levels. The lower CMMC levels are easier to meet and, therefore, the most cost-effective. For example, Level 1 covers basic cybersecurity for small businesses. Level 2 includes universally acceptable best practices.
Examples of Level 1 practices include meeting Federal Acquisition Regulation (FAR) requirements and using anti-virus software. Level 2 practices include risk management, awareness and training, and security continuity. Level 3 involves ensuring that all NIST 800-171 Rev 1 requirements are met. CMMC Levels 4 and 5 are for the subsector of the DIB that supports critical DOD programs and technologies. In other words, many smaller companies need only meet the lowest and most affordable CMMC Levels.
How Long Until CMMC Takes Effect?
Earlier this fall, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released Draft CMMC Model Rev 0.4 and requested feedback. OUSD(A&S) plans to release CMMC Rev 1.0 in January 2020, which is just two months away. Beginning in June 2020, the CMMC framework will include requests for information (RFIs). A year from now, during the fall of 2020, CMMC will also cover requests for proposal (RFPs).
For New York State manufacturers who are part of the defense supply chain, cybersecurity assistance is available. Join FuzeHub, the National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) Network, the Advanced Institute for Manufacturing (AIM), and the Manufacturing and Technology Resource Consortium (MTRC) on Thursday, December 5th for the Cybersecurity Forum for Manufacturers at Stony Brook University. No matter where you are along the defense supply chain, CMMC applies to you.