Is Your Manufacturing Software Vendor Guilty of “CMMC-Washing?”
With Cybersecurity Maturity Model Certification (CMMC) requirements set to hit all defense contracts within the next year, manufacturing software companies are all over the map when it comes to readiness. If your shop outsources its IT needs to Managed Service Providers (MSPs) or Enterprise Resource Planning (ERP) software companies in an effort to go cloud-based, it’s important to know which providers you can trust to help rather than hurt you on your journey to CMMC compliance.
It’s important to be cautious when choosing a cloud-based solution: very few companies are truly on top of the CMMC requirements that apply to cloud-hosted software. Microsoft and some others are in good shape, but many vendors are not yet fully compliant. When looking for a cloud-based solution to host sensitive data at your shop, here’s what to keep an eye out for:
Failure to use the term “FedRAMP Moderate”
It’s critical to clarify whether the cloud-based software provider you’re working with will be FedRAMP Moderate compliant (with either an authorization or a documented equivalency) by the middle of this year. The FedRAMP Moderate baseline has roughly three times as many controls as CMMC. If your MSP or ERP is hosting sensitive data (Controlled Unclassified Information, or CUI) in the cloud, be sure they state clearly that this is the standard they’re pursuing, rather than implementing a lower standard or no standard at all (“best practices” is not a standard). Ask to see the authorization package or the third-party assessment against the Moderate baseline; a claim without evidence is exactly what CMMC-washing looks like.
Lack of clarity between their on-prem and cloud-based security levels
If your provider does not have a clear roadmap to becoming FedRAMP Moderate, they may need to move you back to their on-prem solution so that you can meet your CMMC requirements. Going cloud-based is beneficial for your shop, as it reduces the overhead and expense of maintaining the infrastructure yourself (nobody wants to squeeze a huge IT closet into a job shop).
However, it benefits many software companies to keep their customers on a cloud-based pricing model, because they receive a monthly payment rather than a one-time perpetual license fee. That gives them an incentive to be vague about the difference between the security levels of their cloud and on-prem offerings, so ask for it in writing: which deployment is the one they will attest to for CMMC, and what standard each one meets.
If you need to move off the cloud, your costs will change and you will have to invest in and manage the infrastructure needed to host the software yourself. If you only find this out after the assessment process has kicked off, it will likely be too late to make the switch.
Glossing over the importance of CMMC
Beware of companies that fail to acknowledge the urgency and importance of CMMC compliance, as they may not be fully committed to meeting the requirements.
There are a lot of nuances in the requirements, and a company that isn’t serious about becoming FedRAMP Moderate might claim to be CMMC compliant without sharing why, how, or when they’re getting there. For example, NIST SP 800-171 is the requirement a job shop itself must meet (CMMC Level 2 is built on its 110 controls), but for a software company hosting your data in the cloud it is only a starting point, because the cloud service itself is held to FedRAMP Moderate. Don’t be fooled by software companies bragging about meeting NIST 800-171. NIST has also published a draft Revision 3 of SP 800-171, so stronger controls are coming.
Paperless Parts and Your Journey to CMMC Compliance
Coming spring 2023, Paperless Parts’ IT Module will provide all the features needed to use Paperless Parts in a CMMC environment. We will be encouraging our customers to use single sign-on with identity providers like Microsoft Azure Active Directory. This lets them control authentication centrally, for example by enforcing multi-factor authentication (MFA) and strong password policies at the identity provider rather than separately in each application.
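When an application delegates login to an identity provider, the provider’s token is the only evidence the application has that MFA actually happened. The following is an added example (not Paperless Parts’ code) of the check an application should make before opening a session: verify the token’s signature, pin the issuer and audience, reject expired tokens, and require that the `amr` (authentication methods reference) claim lists `mfa`. Azure AD ID tokens can carry an `amr` claim naming the methods used; confirm that your tenant and token version emit it. Everything here is constructed for the demo: the issuer, client ID and shared secret are placeholders, and the tokens are HS256-signed with that secret only so the example runs offline. Real Azure AD tokens are RS256-signed and must be verified against the tenant’s published JWKS using an OIDC library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not real tenant identifiers).
ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
AUDIENCE = "demo-client-id"
DEMO_SECRET = b"demo-shared-secret-not-for-production"
NOW = 1_700_000_000  # fixed clock so the example is reproducible


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT so the example runs offline.

    Real Azure AD tokens are RS256-signed; verify those against the tenant's
    JWKS with an OIDC library instead of a shared secret.
    """
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def check_sso_token(token: str, secret: bytes, issuer: str, audience: str, now=None):
    """Return (accepted, reason) for an ID token presented at login.

    Signature is checked first so unauthenticated input never reaches the
    claim checks. The last check is the point of the example: refuse a session
    when the identity provider did not report MFA in the `amr` claim.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return False, "malformed header"
    # Pin the algorithm: the token must not get to choose it (blocks alg=none tricks).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        presented = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed signature"
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    if claims.get("aud") != audience:
        return False, "wrong audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    if "mfa" not in claims.get("amr", []):
        return False, "MFA not performed"
    return True, "ok"


def demo_results() -> dict:
    """Run the policy over three constructed tokens and return the verdicts."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-123", "exp": NOW + 3600}
    mfa_token = make_demo_token({**base, "amr": ["pwd", "mfa"]}, DEMO_SECRET)
    pwd_only_token = make_demo_token({**base, "amr": ["pwd"]}, DEMO_SECRET)
    # Tamper: swap in a payload that claims MFA but keep the original signature.
    header_b64, _, sig_b64 = pwd_only_token.split(".")
    forged_payload = b64url_encode(json.dumps({**base, "amr": ["pwd", "mfa"]}, separators=(",", ":")).encode())
    forged_token = f"{header_b64}.{forged_payload}.{sig_b64}"
    return {
        "mfa": check_sso_token(mfa_token, DEMO_SECRET, ISSUER, AUDIENCE, now=NOW),
        "password_only": check_sso_token(pwd_only_token, DEMO_SECRET, ISSUER, AUDIENCE, now=NOW),
        "forged": check_sso_token(forged_token, DEMO_SECRET, ISSUER, AUDIENCE, now=NOW),
    }


if __name__ == "__main__":
    for name, verdict in demo_results().items():
        print(f"{name}: {verdict}")
```

The password-only token is rejected even though its signature is valid, which is the behaviour you want if your CMMC system security plan says MFA is enforced by the identity provider: the application should not accept a login the provider completed without it. The forged token shows why the signature check comes first, since a tampered `amr` claim never reaches the MFA check.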
If you have any questions regarding Paperless Parts’ CMMC readiness, please don’t hesitate to reach out. You can email your Customer Success Manager or [email protected] for more information.