Transitioning to CMMC: Advantages and Challenges in Manufacturing
May 07, 2021
By Jason Connotillo
While procuring contracts with the U.S. Department of Defense (“DoD”) can be extremely beneficial to many manufacturing businesses, it’s also fraught with regulatory hurdles, especially in the form of standards compliance. This applies particularly to understanding and complying with evolving regulatory processes for the secure handling of either Federal Contract Information (“FCI”) or the more sensitive, controlled unclassified information (“CUI”).
One fairly recent and extremely important example of exactly this kind of compliance transition process and its possible effects on businesses wishing to enter the government contracting business or keep existing DoD contracts is the Cybersecurity Maturity Model Certification (“CMMC”).
What the CMMC Model Is and What It Involves
The CMMC Cybersecurity standard was announced by the Federal Government in mid-2020 and went into effect later that year. What the new requirement does is essentially combine and supplement the Defense Federal Acquisition Regulation Supplement (“DFARS”) and the National Institute of Standards and Technology (“NIST”) 800-171 regulations pertaining to the management and handling of FCI and CUI into a single unified and updated standard.
CMMC forms not only a more comprehensive but approachable cybersecurity standard for a security-sensitive industry, it also replaces the ability to self-certify compliance with the supplemented NIST rules. Those that want to continue contracting with the DoD now must use an accredited third-party auditing service to obtain a CMMC certification.
Advantages of CMMC over NIST 800-171
CMMC obligates DoD supply chain participants, known as the defense industrial base (“DIB”), to enforce and understand best practices for cybersecurity around their handling of CUI. Unlike NIST 800-171, periodic self-assessment is no longer adequate to exhibit compliance. Participants in contracts with the DoD must now show enough evidence to independent assessors that they’re fully complying with their cybersecurity responsibilities under the newly supplemented standards set by CMMC.
One notable exception to the need for CMMC compliance certification is any company that exclusively provides commercial off-the-shelf products for the DoD. These organizations generally will not have to adopt the new standard and, in fact, this is an advantage for such providers in terms of regulatory and compliance hurdles.
In all other cases, these assessments by accredited third-party certification firms serve as proof that a given contractor is performing well by CMMC standards. They’re also now necessary for even competing on bids for select DoD contracts.
The advantages of CMMC are obvious from a security perspective. They place an emphasis on ensuring that participants in DIB projects become much more uniformly mindful of best practices for cybersecurity, not just for the sake of national security, but also for the sake of their own internal protection against breaches as prime targets.
In effect, the DoD is slowly raising the bar on what constitutes good cybersecurity in a way that’s not onerously difficult to comply with or too intense at all contracting levels. For example, for many smaller contractors, only CMMC Level 1 or Level 2 compliance requirements will be needed. In these cases, responsibilities could even be simpler than they previously were under NIST 800-171.
CMMC is a necessary outcome of an unfortunate reality: Malicious cyber threats from foreign and domestic actors, often working for other governments, aggressively do and will continue to target the DIB sector of the DoD supply chain.
Challenges of Complying with CMMC
Any participant that contracts directly with the DoD or subcontracts with another business that sells directly to the DoD must begin CMMC certification in 2021 and beyond. Participants will have to attain a CMMC level that fits the nature of their involvement in handling DoD contracts.
For participants handling only FCI, compliance will only be required for basic cybersecurity hygiene that safeguards FCI data. This means compliance for these participants is only required up to CMMC Level 1 standards. As stated previously, the requirements will likely be less rigorous than previous DFARS and NIST cybersecurity standards. In the case of participants that bid for contracts that involve the handling of CUI, Level 3 certification is generally a minimal requirement.
Worth emphasizing again here is that CMMC standards for cybersecurity compliance are not a whole replacement to the previous DFARS and NIST 800-171 regulations. They supplement the existing controls with new guidelines, while now making third-party compliance certification an obligatory part of the DoD contract procurement process.
On the one hand, this means that participants already experienced with handling DoD contracts under previous standards will still have considerable experience and best practices to back-up their efforts at passing a successful third-party audit. On the other hand, participants that did not meet minimum security requirements under DFARS and NIST 800-171 will have no choice but to update their security procedures in order to continue doing business with the DoD. External audits and certification work to ensure this.
How CMMC Certification Works
CMMC certification documentation in the form of CMMC Version 1.02 (the most recent update of CMMC compliance standards) is currently available from the Office of the Under Secretary of Defense for Acquisition & Sustainment. And though it’s a large document of more than 300 pages, its “Appendix E – Source Mapping” and “Appendix B – Process and Practice Descriptions” sections are enormously helpful.
The first of these appendices can be used in guiding participants who seek any CMMC certification level in understanding how CMMC supplements and ties to existing DFAR regulation clauses, NIST standards, and even the Center for Internet Security Critical Security Controls. The second uses language that’s easy to understand to describe each individual CMMC process.
Beyond reading these for an introductory start to CMMC certification, a participant going through this process will, at some, point obviously have to pass a third-party audit by a certification firm that has been accredited by the CMMC Accreditation Board. Audits are being processed as quickly as possible to ensure a smooth flow of DoD procurement contracts, but delays may still occur due to CMMC being a new process.
How to Make CMMC Certification Easier
Before undergoing an initial CMMC certification audit, participants should conduct a gap analysis and readiness assessment of their cybersecurity practices. This may be done directly within the participant business by its own information security and technology staff or performed through a third-party consultation performed by a professional services firm.
A very crucial aspect of CMMC certification for any participant comes from knowing what level of CMMC certification it needs in the first place. Having this clearly delineated can remove enormous hurdles that might occur from trying to comply with unnecessary compliance requirements. Thankfully, CMMC-level requirements for individual contracts will be revealed to participants by the DoD in “Requests for Information and Requests for Proposals” beginning in 2021.
Many participants will only need to concern themselves with achieving CMMC Level 1 or Level 2 certification, while those handling CUI will need to comply with certifications that range from Level 3 to Level 5, depending on their level of importance to the DIB as a potential cyber event threat.
Conducting a gap assessment or an analysis of your company’s CMMC compliance readiness through comprehensive examination can be made much easier with the help of an experienced third-party assessment service firm. Using their services in conjunction with your own internal expertise can make successfully passing an independent CMMC audit much more likely from a first attempt.