CMMC Is Here. Are You Prepared?
Be The Shop Defense Contractors Can Trust.
Beginning in 2024, every business in the defense manufacturing supply chain—an estimated 300,000 companies—will need to obtain third-party certification in cybersecurity. The level of required security will depend on what kind of data is handled by each company. Are you prepared?
What Every Job Shop Needs to Know About Getting Ready for CMMC
The Cybersecurity Maturity Model Certification
CMMC is a U.S. Department of Defense (DoD) program that applies to Defense Industrial Base (DIB) contractors. It is a unifying standard and new certification model to ensure that DoD contractors properly protect sensitive information. CMMC builds largely on the DFARS (Defense Federal Acquisition Regulation Supplement) and incorporates much of the pre-existing NIST (National Institute of Standards and Technology) SP 800-171 cybersecurity requirements.
However, CMMC is different from previous cybersecurity standards in that self-reporting compliance is no longer enough. Rather, certification by third-party auditors will be a precondition for quoting work. This is a major game changer for job shops.
What You Need to Know Now
CMMC requirements will begin hitting contracts in early 2024 – which means if you don’t already have a plan in place, now is the time to start getting prepared. CMMC requirements will be introduced gradually to contracts, but if you wait until a contract requires it to think about cybersecurity compliance, it will be too late. It takes a typical shop many months to assess and remediate gaps (think of it as roughly similar to the process of getting ISO 9001/AS9100 certified). Third-party certification takes additional time. Shops that are ahead of the game have an opportunity to differentiate themselves with buyers.
Is Paperless Parts CMMC-Compliant?
Paperless Parts’ compliance program is designed to support our customers who will require CMMC 2.0 Level 2 (previously called CMMC Level 3) and use Paperless Parts as an External Cloud Service Provider (CSP) to handle Controlled Unclassified Information (CUI).
As part of a CMMC assessment, manufacturers will need to demonstrate that they have ensured their External CSPs satisfy “DFARS 7012” requirements. We are preparing to meet these requirements based on the information currently available. After the Department of Defense issues the Final Rule on CMMC and the final draft of the CMMC Assessment Process, Paperless Parts will prepare and provide the documentation package required for a CMMC audit.
Expert Panel: How to Pass Your CMMC Audit & Be the Shop Defense Contractors Can Trust
We asked a job shop owner, an IT expert, and a CTO what CMMC really means for job shops. Hear what they had to say in the recording of our CMMC Expert Panel: "How to Pass Your CMMC Audit & Be the Shop Defense Contractors Can Trust."
Five Steps to Get Ready for CMMC
- Identify which CMMC tier is right for your shop
- Identify the right security resources
- Take a pulse check by updating supporting documents
- Get cracking on the “To Do” list
- Conduct a Self-Assessment
Don’t stop there. Maintaining proper security posture isn’t a one-and-done exercise. Continuously maintain and refine your security program, invest in training, and keep documentation up to date.
- Cloud-native software hosted on Amazon GovCloud
- All data encrypted in transit using TLS v1.2 with modern ciphers
- Uploaded files are encrypted at rest with AES-256 encryption
- 100% US-based system administrators and support team
- System Security Plan based on the FedRAMP Moderate baseline
- Network and servers approved for Controlled Unclassified Information
- Your files are never sold or shared with third parties
- All data is securely backed up nightly
- Always retain ownership of data you upload
Are CMMC compliance standards finalized?
Not quite. The final rules and requirements are expected to be published in early 2024. While there have been slight changes to the details and timeline since CMMC was first announced in 2019, the requirements have mostly stayed the same. Paperless Parts is taking proactive steps to prepare, and so should our customers.
Why is CMMC important?
The U.S. projects its power via military technology, in which we’ve invested trillions of dollars over many decades. We have started to see adversaries field extremely similar systems at a fraction of the timeline and cost, most likely helped by the theft of intellectual property. As critical national infrastructure, manufacturing is a major target for cybercrime. Businesses of all sizes and at any point in the supply chain are targeted. Cyberattacks cost businesses $200,000 on average, and four in 10 companies have experienced multiple incidents. Research shows that the number of publicly recorded ransomware attacks against manufacturing has tripled in the last year alone—and even job shops and contract manufacturers are at risk: 43% of cyberattacks are aimed at small businesses. To protect Controlled Unclassified Information (CUI), the government needs to ensure that shops are taking appropriate steps.
Does every shop have to be audited and certified?
With CMMC 2.0, some companies with defense contracts will need third-party certification, while others will be able to self-assess. Every company with a defense contract is still required to implement NIST SP 800-171 and must submit its Supplier Performance Risk System (SPRS) score. Depending on the sensitivity of the work performed, you may be asked to undergo a complete CMMC audit. What was formerly “Level 3” in CMMC 1.0 is now encompassed by “Level 2” in CMMC 2.0. Even if your company is not pursuing Level 2 compliance, most shops do benefit from a third-party audit of their cybersecurity architecture.
Who do I contact to conduct a CMMC Compliance Audit?
Once the full requirements are released, a number of accredited third-party assessors will offer audit services. Paperless Parts does not provide this service; however, we’re happy to work with you to provide recommendations as the landscape of service providers becomes clearer.
I don’t make parts with CUI. Do I need to get CMMC certified?
No – but cybersecurity should be a top priority for all shops. More and more buyers are including cybersecurity in their vendor evaluation criteria. A buyer’s primary job is to manage risk. In addition to risks with hitting cost and delivery goals, part buyers are increasingly concerned about their intellectual property.