I’ll never forget the moment I learned about the Cybersecurity Maturity Model Certification. It freaked me out.
I was listening to a webinar led by Paperless Parts (before we were even a customer) and the reality sank in: our small machine shop (7 full-time employees) would need to pursue CMMC if we wanted to stay competitive.
It was right at the onset of COVID-19, and we had just brought on our first full-time salesperson at Midway Swiss Turn to help with our predicted growth (we identified government work as an area that would likely remain steady during the economic shutdown). We were exploring all options to expand our customer base in that direction, and could not afford to lose our contracts that involved Controlled Unclassified Information (CUI).
It was a real wake-up call. Before I knew it, I’d racked up over 100 hours of research on CMMC, desperately trying to understand exactly how it would apply to our business.
CMMC: A Marathon, Not a Sprint
If you’ve recently found yourself in a similar situation, it’s easy to feel overwhelmed; preparing your business to get audited against standards created by the U.S. military is a daunting task. But if a shop with fewer than 10 employees can tackle it, so can you.
CMMC is a marathon, not a sprint. It takes a lot of time, resources, and money. It’s not something you should dive right into—I don’t regret a minute of the 100 hours I spent researching the topic before we started taking action.
We’ve been working towards our certification for almost a year now, and with hindsight (almost) 20/20, here are 3 pieces of advice I can give to other shops on their CMMC journey:
- Understand what you don’t know.
As our CEO, my focus is on running the business. I know very little about cybersecurity. When we realized we needed to pursue CMMC, we hired a part-time IT specialist to help with the technical aspects of compliance.
- It takes a village.
There are so many decisions around how your business operates that cannot fall solely on the shoulders of your IT team. There are operational decisions to be made around your remote work policy. There are HR responsibilities involved when employees start complaining about new security controls impacting their day-to-day. There are financial decisions to make regarding vendor selection, hardware installation, and consultant fees. The decision to prioritize CMMC must come from the top down.
- Rely on other (trustworthy!) people to help you.
In the early days, we turned to a variety of resources to help us get started. We continually attended webinars on CMMC, from those put on by the government to those hosted by companies like Paperless Parts. We also worked with our local Public Technical Education Center and MAGNET, a local economic development organization, to find the guidance and support we needed. Our software vendors, like Paperless Parts, JobBOSS, and Preveil, also help by offering products to assist with the implementation process.
Why the Juice is Worth the Squeeze
We’ve been working towards our CMMC certification for close to a year now. The process has been slow and gradual, with a lot of decision-making involved. It took us about 9 months to implement the necessary tech and processes. Depending on whether we decide to put in a server or go all cloud-based, we anticipate being certified within the next year or so. Of course, this is also dependent on auditor availability and any changes that may occur when the government rolls out the program.
Despite the massive undertaking it requires, from what I’ve heard from industry peers, many people are not as concerned with CMMC as they should be. Some may be writing it off as something to deal with later in the year or early next year, while others may mistakenly think they don’t do any work for the DoD (the government may not be labeling the small nuts and bolts you’re making for them as “CUI” just yet, but they will be soon).
Regardless, the benefits you’ll reap after becoming certified will all be worth it in the end:
You’ll win more contracts.
For a small- to mid-sized shop, becoming CMMC compliant offers a powerful competitive edge. As OEMs begin to see CMMC as table stakes, they’ll stop awarding work to shops that aren’t certified. Smaller shops will be the last to invest in this expensive, resource-intensive process, meaning that if yours can be an early adopter, you’ll be first in line to win government contracts.
You’ll have a strong cybersecurity defense.
At Midway Swiss Turn, we’ve seen how pursuing CMMC compliance has helped us become better equipped to handle real cyber threats. It has caused us to adopt a cybersecurity-first mindset, and become early adopters of cloud-based software. We had an attempted ransomware attack, but because we didn’t have a physical server and had the controls and offsite backups in place, we quickly de-escalated the situation and kept our data safe. It was a minor inconvenience rather than an incident that shut us down.
You’ll keep critically sensitive data protected from adversaries.
CMMC requirements are there for a reason. They’re not just to create busy work and force businesses’ attention away from their core functions. When you fail to protect military data, you potentially allow adversaries to compromise blueprints that could fuel a national security threat. CMMC is designed to keep that from happening.
If you’re a small business, you’re at an even greater risk of enabling this data to be compromised; attackers assume that small businesses don’t have a mature protection program in place, so you have an even bigger target on your back.
A Light at the End of the Tunnel
Throughout our journey to compliance at Midway Swiss Turn, we’ve learned the importance of staying informed and prepared for any possible scenario. This has been a lengthy process, but we expect to become certified by the end of the year.
I feel obligated to advocate for the importance of CMMC wherever I can. I see this as a community-wide effort to engage the entire supply chain: otherwise, who will we outsource our finishing services to? How can we collaborate with material suppliers if they don’t match our level of security?
It’s time to stop looking at CMMC as a looming, potential threat and start embracing it as an inevitable step in the right direction for the evolution of our industry.
Want more tips for becoming the shop defense contractors can trust? Watch this on-demand recording of a recent expert panel hosted by Paperless Parts.
Jayme Rahz is the Chief Executive Officer of Midway Swiss Turn, Inc.: an Ohio-based CNC machine shop specializing in Swiss style CNC screw machining. Their 45+ years’ experience combined with excellent education has created a one-of-a-kind organization that runs quality parts while still maintaining the “small company” flexibility and atmosphere. Jayme will be speaking on a panel of experts at this year’s Precision Machining Technology Show (PMTS). To learn about how Midway Swiss Turn has found success using Paperless Parts, read their case study here.