People in the upper tiers of the Department of Defense’s (DoD) supply chain are fully aware of the Cybersecurity Maturity Model Certification (CMMC) required of its suppliers starting in 2021, with rolling deadlines over the next few years.
The CMMC is an assemblage of information and computer security controls, with additional requirements drawn from NIST SP 800-171, NIST SP 800-53 and the CIS (Center for Internet Security) Controls. While suppliers have been required to be NIST SP 800-171-compliant since early 2018, the self-verification process wasn’t robust enough to ensure the security of the Defense Industrial Base (DIB); a company could state that it was compliant but did not have to be audited and certified. As nation-state, corporate and criminal hacks became more sophisticated and pervasive, the DoD decided to move away from self-attestation toward a verifiable certification process, and to that end developed the new, comprehensive CMMC standard.
There are five levels of CMMC compliance. What a supplier provides, or where it fits in the supply chain, dictates the level of certification required by the DoD. For example, military aircraft engine OEMs may need to have a Level 5 certification, but a job shop providing fasteners for that engine may only need to have a Level 3 certification. As the DoD’s initial focus has been top-tier suppliers, the OEMs and Tier One suppliers are well on the road toward CMMC compliance. However, as the focus shifts onto their subcontractors’ cybersecurity posture, businesses will have to start preparing to meet the level of certification required of them.
ProShop ERP conducted an informal survey among our followers this year and discovered that almost half of the people who responded did not know about CMMC.
One of the first steps a defense parts supplier can take is to assign an interested staff member to understand the requirements of CMMC as it pertains to their business. Then, a gap assessment that captures the current state of an organization’s security architecture will help inform the implementation of the CMMC controls.
As a developer of a comprehensive ERP platform, or “digital ecosystem,” we are working with customers in this monumental effort. Our system facilitates several areas of CMMC compliance, such as configurable password requirements, session management, two-step authentication, auditing tools, user tracing and other documentation for meeting the requirements. We are even developing a bundled framework called the “Cybersecurity flying start package” to aid our customers on this path because preparing for CMMC is like preparing for ISO or AS9100 on steroids. It is considerably more strenuous and resource intensive—and necessitates a true organizational shift toward integrated cybersecurity practices.
Companies must be prepared to invest time and potentially tens of thousands of dollars, depending on the nature of the business as it relates to government work.
Of course, all this is weighed against income from the DoD multiplied over many years. While commercial aircraft production is down due to the COVID pandemic, defense production is still quite active, and the forecast in this sector continues to be positive.
While some lower-tier suppliers may not be formally asked to prove their certifications for a few years yet, it could take all of that time for a company to implement the necessary requirements and build an active, responsive and integrated cybersecurity department.
From a broader perspective, CMMC may eventually be a requirement for all critical, sensitive component OEMs, making it well worth the effort to obtain.
Having cybersecurity architecture within a business sets it apart from competitors. Additionally, it is the logical evolution in good business practice.
As the saying goes, “hackers never sleep,” and it would be a comfort to any customer, in whatever critical industry, to know that a supplier has robust physical and digital security.