Manufacturers are under mounting scrutiny from both cybercriminals and regulators. Due to limited resources and budgets, manufacturers (especially small to medium sized) need cybersecurity guidance, solutions and training that is practical and cost-effective. Should a hacker manage to infiltrate a manufacturers’ systems and data, the cybercriminal has the potential to shut down operations and render them unable to fulfill client requests and contracted orders. This in turn leads to lost clients, lost revenue, and inability to pay employees. Not good.
The Department of Defense (DoD) recently announced that contractors who provide services and products in the Defense Industrial Base (DIB), will have to comply with the CMMC (Cybersecurity Maturity Model Certification). Lots of abbreviations – stay with us. There are 5 levels of the CMMC that have specific requirements and controls, mostly taken and modeled from the NIST SP 800-171 framework. The level that each manufacturer will have to comply with will depend on the types and size of the contracts that they are bidding on.
Key dates to be aware of for CMMC:
- January 2020: The DoD introduces version 1.0 of the CMMC
- June 2020: Program requirements were released. RPO (Registered Provider Organization) and C3PAO (Certified third-party assessor organization) applications begin being accepted to perform readiness assessments and certification audit
- 2021-2026: Phased rollout of CMMC implementation
- FY 2026: CMMC certification a requirement for all companies doing business with DoD
As the CMMC is still in its infancy in terms of rollout, a lot of the key dates and audit information is TBD (hence the large 5 year gap in rollout). The required controls have been released though, and it is only a matter of time until the DoD begins clamping down on the requirements in Requests for Proposals (RFPs).
Next steps to take?
We are suggesting that if you are a defense contractor and believe you will have CMMC requirements to comply with, that you get ahead of the game. A good first step is to perform self-assessment with the controls of the level of CMMC you are required to comply with. The next step after completing a self-assessment is to contact an RPO and perform a readiness assessment. This will get you in good shape security-wise, and let you know where the gaps currently are in terms of CMMC compliance. After meeting the criteria that the RPO states you need to fulfill to comply, you can contact a C3PAO for the audit and gain the certification.