NENS recently hosted a webinar focused on the Cybersecurity Maturity Model Certification (CMMC) for defense contractors and related manufacturers.

CMMC is a compliance framework and certification program designed to increase the cybersecurity maturity of companies in the defense industrial base (DIB).

On the webinar, NENS welcomed Joy Belinda Beland as our guest speaker. Joy is a compliance and cybersecurity industry veteran and now serves as VP of Partner Strategy and Cyber Education at Summit 7.

Joy is also a provisional assessor for CMMC compliance, in addition to being an instructor for other CMMC assessors.

The webinar is available for on-demand viewing here. Now, let’s explore compliance frameworks before exploring CMMC compliance specifically.


What is a Compliance Framework?

Before we dive into our discussion about the biggest takeaways from the webinar, it’s important to explain what exactly a compliance framework is.

A compliance framework is a set of guidelines and best practices that organizations should follow to meet regulatory requirements, comply with the law, improve processes, and strengthen security.

It can help you achieve business objectives, such as becoming a public company or selling services to a specific type of customer.

Specific compliance frameworks will often be identified by regulators as appropriate for meeting certain levels of legal or regulatory compliance.

For example, the Securities and Exchange Commission (SEC) has specifically identified the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) as an appropriate framework for registered investment advisors and broker dealers.

Similarly, the US Department of Defense requires that defense manufacturers comply with additional cybersecurity frameworks by NIST for CMMC, such as NIST SP 800-171 R2.

(NIST is effectively the science and technology department of the U.S. Federal Government and is the authority on numerous different frameworks which are required for federal regulatory compliance.)

Now that you understand what a compliance framework is, let’s discuss the six biggest takeaways from our recent webinar.


6 Big CMMC Compliance Takeaways


1. Who Must Comply and What is the Defense Industrial Base (DIB)?

Any company that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) from the U.S. Department of Defense is covered by CMMC.

Once CMMC has been implemented, defense contracts will specify the CMMC level applicable to each contract.

According to some estimates, the US defense industry amounts to $768 billion in economic activity per year and makes up roughly 3.2% of the US GDP. As many as 300,000 primary contractors and subcontractors will require some level of CMMC compliance.


2. How do DFARS and CMMC Relate?

The Department of Defense has been working to shore up cybersecurity standards in the defense industrial base for well over a decade.

In the mid-2000s, with the rise in cybercrime and espionage by nation-state actors like China, the risks from breaches at defense contractors became a top priority.

In 2012, the Defense Federal Acquisition Regulation Supplement clause DFARS 252.204-7012 was introduced.

DFARS was designed to safeguard defense information, require the implementation of the NIST SP 800-171 controls, and mandate the reporting of cyber incidents by contractors to the Department of Defense.

DFARS was amended and upgraded in 2016 and required full implementation by 2017. Unfortunately, DFARS required only self-attestation by defense contractors and, in time, this was viewed as insufficient to ensure thorough and widespread implementation.

CMMC was born of the desire to put more teeth into the regulations, requiring the largest contractors to undergo government inspection and certification. Even the smallest firms would need to step up to more thorough cybersecurity controls when in possession of CUI.


3. Defining FCI and CUI

CMMC looks to protect FCI (Federal Contract Information), which is the information contained in actual federal procurement contracts. FCI is valuable, since anything the government is procuring will reveal strategies and other important secrets.

Ensuring adequate secrecy and control over the contracting process is an important part of the process of keeping state secrets out of the hands of our adversaries.

CUI (Controlled Unclassified Information) is even more valuable, since it includes the details on the actual parts, products, and services the government is procuring.

Obviously, design documents, CAD files, bills of material and the like are sensitive and valuable pieces of information which require privacy, secrecy, and control. CMMC is designed to protect both FCI and CUI being handled by private corporations and contractors.


4. What is CMMC 2.0 and What are its Levels?

The CMMC regulations were revised in February 2022, dubbed CMMC 2.0, and released for a comment period, before finalization in March 2023.

CMMC 2.0 calls for three levels of compliance with the following attributes:

Level 1 (Foundational)
  • 17 basic cybersecurity practices and controls

Level 2 (Advanced)
  • Requires practices based on the 110 controls in NIST SP 800-171
  • Third-party assessments every three years for contractors handling “critical” CUI
  • Annual self-assessment for contractors handling non-critical CUI

Level 3 (Expert)
  • Government-led assessments every three years
  • Requires practices based on more than 110 controls, drawing on NIST SP 800-172


5. Why Should Manufacturers be CMMC Compliant?

From what we have seen, starting in May 2023 all defense contracts will require CMMC certification. This requirement will flow downstream to everyone receiving FCI or CUI as part of their Statements of Work.

For competitive organizations looking to win new contracts, CMMC compliance is a new way to stand out from the competition. Many manufacturers who have been dragging their feet will be caught flat-footed once CMMC is standard in all new contracts.

Realistically, to be ready for a self-assessment in 2023, organizations will need to have been preparing throughout 2022 and earlier.

Many defense contractors are already subject to DFARS and the 110 controls spelled out in NIST SP 800-171. For companies with DFARS clauses in contracts today, CMMC Level 2 compliance is a must to continue to remain compliant with existing contracts, since the controls are the same.


6. How do I Prepare for CMMC Compliance?

The hardest part of compliance is actually doing the work. This includes improving internal controls, changing policies and procedures, training and actually implementing new controls and procedures, and investing in the technology to support higher levels of maturity and compliance.

Depending on the organization, these changes can take months or years to implement, not days or weeks. Complying with all 110 controls in NIST SP 800-171 is non-trivial.

Every company at Level 2 and above will either have to self-attest or have a third-party assessor audit them. The good news is, no matter where you are, now is the time to start.

For many companies with good IT and cybersecurity controls, implementing all 110 controls is possible with the right focus. The best approach for many is to hire a third-party MSP or CMMC consultant to perform a CMMC compliance assessment.

There is a standard list of milestones that an organization should have completed before engaging with a CMMC assessor for a third-party assessment. All of these items need to be discovered and documented in the CMMC assessment.

The checklist includes:

  • System Security Plan (SSP): every control, how it is implemented, and the complete asset inventory
  • POA&M: your completed Plan of Action and Milestones
  • Policies and procedures for most controls, or other collected evidence of implementation
  • Shared Responsibility Matrix demonstrating who performs what duties for every practice and down to the assessment objective level
  • Infrastructure map
  • Data flow diagram (for CUI)


Achieve CMMC Compliance With Help From NENS

Now that you understand the fundamentals and necessity of CMMC compliance, you need a trustworthy IT partner who can help your business comply with this important industry standard.

At NENS, we help manufacturers attain CMMC compliance, along with providing the ongoing managed IT and cybersecurity services that are required to keep and maintain your compliance posture.

We welcome inquiries from prospective clients who are exploring how to accelerate and advance their CMMC compliance journey.

For more information about our CMMC compliance services, contact us today to schedule a consultation with one of our experts.