Those in the upper tiers of the Department of Defense’s (DoD) supply chain are fully aware of the department’s Cybersecurity Maturity Model Certification (CMMC.) It is required by its suppliers starting in 2021, with rolling deadlines over the next few years. CMMC is an assemblage of other cybersecurity controls with additional requirements—namely NIST SP 800-171; ISO 27001; ISO 27032; and NIST SP 800-53. The key difference is those standards only called for self-verification. A company could cite that it was compliant but did not have to get audited and certified. With hacking at an all-time high, the DoD concluded “enough is enough” and developed the new, comprehensive CMMC standard that must be audited and certified by accredited third-party entities.
There are five levels of CMMC compliance. What a supplier provides, or where it fits in the chain, dictates the degree of security required by the DoD. For example, military aircraft engine OEMs may need to be level five, however, a job shop providing fasteners for that engine might only need to be a level three. (There are resources listed at the end of this article for more information about CMMC and its requirements). Certainly, the OEMs and Tier One suppliers are well on the road toward CMMC compliance, however, their subcontractors have to catch up. I conducted an informal survey among our followers earlier this year and discovered that almost half of the people who responded did not know about CMMC.
One of the first steps a defense parts supplier will need to take is to assign a staff member to understand the scope of CMMC as it pertains to their business and begin working to assure compliance. As a developer of a comprehensive ERP platform, or “digital ecosystem,” we are working with customers in this effort. Our system checks off several boxes for CMMC compliance, such as requiring complex passwords, two-step authentication, auditing tools, user tracing, and other documentation for meeting the standard. In fact, we’ve created a bundled framework called “Cybersecurity Flying Start Package” to aid our customers on this path because preparing for CMMC is like preparing for ISO or AS9100 on steroids. It is considerably more strenuous and resource intensive. Companies must be prepared to invest time and potentially tens of thousands of dollars, depending on the nature of the business as it relates to government work.
This investment must be weighed against potential income from the DoD over many years. While commercial aircraft production is down, defense is still quite active, and the forecast in this sector continues to be positive. While some lower tier suppliers may have a few more years yet to become CMMC certified, it may take all of that time for a company to get the whole CMMC certified package wrapped up with a bow.
From a broader perspective, my estimation is that CMMC may soon be a requirement by all critical, sensitive component OEMs, making it worth the effort—not only to lock down any business’s vulnerability—but also to raise that company above its competitors. As the saying goes, “hackers never sleep,” and it would be a comfort to any customer, in any critical industry, to know that a supplier has robust physical and digital security.
Resources:
“The Complete Guide to Cybersecurity Maturity Model Certification”: getpeerless.com/guide-to-cybersecurity-maturity-model-certification
DoD pages on CMMC compliance:
www.acq.osd.mil/cmmc/updates.htmlwww.acq.osd.mil/cmmc/draft.htmlAccreditation website: cmmcab.orgPaul Van Metre, 360-515-7576,paul@proshoperp.com
Connect With Us
