
CMMC 2.0 Update; 5 Basic Steps for Cybersecurity

By Paul Van Metre, Founder, ProShop ERP

Most of the OEMs and subcontractors producing critical parts for the Department of Defense (DoD) are aware of the Cybersecurity Maturity Model Certification (CMMC) and its requirements. Last fall, the DoD evolved the original CMMC, now referred to as CMMC 1.0, into CMMC 2.0. The structure of CMMC 2.0 has been streamlined to be slightly less stringent and easier to implement, especially for shops in the lower tiers of the supply chain. CMMC 2.0 still demands that a company be rigorously locked down, however, and the timeline deserves attention too: according to a press release issued by the Pentagon last April, CMMC’s initial requirements are due to show up in DoD contracts by July 2023.

CMMC 1.0 was built largely on the legacy NIST SP 800-171 standard and added further controls on top of it. CMMC 2.0 removed most of those additions. For example, there used to be five levels of adherence, tied to how critical the information housed at a company is. Now there are just three levels.

Still, I caution, it won’t be easy.

At Level 1 (Foundational), for companies handling only Federal Contract Information (FCI), there is a checklist of 17 NIST controls that must be adhered to and self-attested. Level 2 (Advanced) applies to any company handling Controlled Unclassified Information (CUI), such as CAD drawings and 3D models of machined defense-related parts, and is aligned with NIST SP 800-171; it will require triennial third-party audits of the 110 controls from that standard for critical national security information, and annual self-assessment for selected programs. Level 3 (Expert) is reserved for the highest tier of prime contractors and is based on NIST SP 800-172. To anyone who has been skating under the radar of NIST SP 800-171, which has been the de facto standard for decades, it’s time to follow it to the letter.

In the meantime, whether a company works for the DoD or not, there are five basic actions every company should take to ensure fundamental protection from cyber threats.

1. Educate your team—most cyber incidents start because of human error, whether it’s setting too simple a password or clicking on a malicious link in an email, or not installing the latest security patches from software developers on devices.

2. Implement access controls—create mechanisms to only allow authorized users to access controlled and classified data, such as contract information, blueprints, and 3D CAD models.

3. Authenticate users—establish multi-factor authentication steps for each authorized user to not only verify the user identity but also to build more layers and walls to thwart hackers.

4. Monitor physical space—escort visitors, oversee activity in the building, and keep an eye on hardware devices so no dangerous malware is introduced. One scenario: a “spy” attends a conference and drops a few USB sticks loaded with malicious code around the hall. Someone innocently picks one up and inserts it into a networked laptop, where the ransomware it carries executes and spreads through the system. It could happen and probably already has.

5. Update security protections—install the latest security patches immediately when available. Surprisingly, many companies are months behind in critical updates.

Some ERP systems, such as ProShop, incorporate all these basic cybersecurity fundamentals and more, such as ensuring data security compliance to the NIST 800-171, ITAR, and CMMC standards. It’s prudent to inquire with your current vendor to see what they offer. Even though CMMC 2.0 is more simplified and understandable now, it’s still challenging, and having a partner to assist will help shops retain business in the aerospace and defense sectors.
