CMMC: Coming Soon to a Contract Near You

We hear a lot of warnings about “impending cyber attacks” on American networks. The truth is, the attacks are already here.

Not only is the American manufacturing industry frequently targeted as a part of our critical infrastructure, but a large percentage of American custom precision manufacturers are ITAR registered, meaning they’re responsible for making parts for our national defense. Whether they realize it or not, businesses in this industry have a target on their backs.

Regardless of the dire need to protect the information shared between these businesses, there is often technical, confidential data flowing through the supply chain largely without the necessary security protections. As a result, we see adversaries fielding systems like naval ships and drones that look remarkably similar to the systems Americans have spent billions developing.

2022 is a turning point for cyber regulation for 3 key reasons:

1. First, the Department of Defense has worked through the bulk of the bureaucracy needed to roll out new cybersecurity requirements to the defense supply chain.
2. Second, the Biden administration has established a cybersecurity strategy calling for stricter security requirements on software purchased by the government and for rules requiring businesses to report cyber incidents and ransomware payments.
3. And third, in the wake of Russia’s invasion of Ukraine, the need for better cybersecurity seems to be a very rare example of something Congress can agree on.

What does this mean for your shop?

Manufacturers who dabble in defense work must soon make the decision to either commit to cybersecurity compliance or walk away from certain contracts.

So what does committing to cybersecurity compliance look like? Right now, it’s achieving Cybersecurity Maturity Model Certification (CMMC).

What is CMMC?

CMMC is a DoD initiative to improve the security posture of the defense supply chain. Originally announced in 2019, CMMC was updated in late 2021 with some small changes and a plan to fully roll out within 24 months.

The core requirements haven’t changed since then, and they’re based on a standard called NIST 800-171, which includes 110 controls. These controls range from enacting written policies to using government-approved algorithms to encrypt data – in other words, you won’t be able to implement these requirements overnight.

There is a lot of uncertainty around exactly when CMMC will hit your business, who will be certified assessors, and how much it will cost. But by all indications, this wave is coming for thousands of U.S. manufacturers.

This will be particularly challenging for small businesses who have been reluctant to proactively invest in cybersecurity. While it’s tempting to think the government will take steps to find a way to reduce this burden on small businesses, in reality, CMMC is already a stripped down version of tougher security standards. Many pundits believe the government would rather see wide scale consolidation in the supply chain than continue to kick this can down the road.

Regulations and Requirements on the Horizon

The Biden administration issued an executive order in 2021 to begin modernizing standards to adopt so-called “zero trust” architecture: an assumption that nothing can be trusted. Your local network or a company computer isn’t trusted any more than an employee’s personal device or a public WiFi network. Now, simply being on a company network is not enough to get access to any data.

Even shops that don’t make parts for the defense industry are starting to face tough questions from prospective customers; cybersecurity questionnaires have become table stakes to work with OEMs and many larger customers. The market expects manufacturers to have written policies, employee background checks and training, up-to-date software, and security controls like multi-factor authentication and malware protection.

Additionally, many states and countries are passing data privacy laws similar to the European Union’s GDPR. Some of these laws impose requirements on B2B businesses, like parts manufacturers. The federal government has also recently debated legislation to require critical infrastructure companies (like some manufacturers) to report certain types of cybersecurity incidents and ransomware payments.

What steps can you take today?

Before CMMC is fully implemented, here’s how to set your shop up for success by establishing a direct path to compliance:

• Bring in an advisor who can quickly analyze security gaps and estimate the cost and timeline to get compliant.
• Make the business case for pursuing defense work in the future.
• Partner with experts – such as a Managed Service Provider who knows job shops – and move quickly on remediation.
• Get your business aligned around the NIST 800-171 cybersecurity standard.
• Once you’ve remediated your gaps, get audited by a third-party. That will ensure your CMMC assessment goes smoothly.

Rising to the Challenge

No matter who you sell to, if you manufacture custom parts, your customers are trusting you with their intellectual property. This isn’t the first time this industry has faced challenges and re-invented itself; precision manufacturers have adopted more automation and advanced tools to stay relevant. In the same way, it’s time to rise to the challenge of cybersecurity.