As cybersecurity becomes the top national security priority, the Department of Defense has been pushing their supply chain to improve cyber maturity and defense capabilities to protect critical Defense Industrial Base capabilities, stop the theft of intellectual property, and serve the modern war-fighter.
This has put the defense manufacturing industry in the center of what has felt like ever-changing cybersecurity compliance requirements for the last several years, from DFARS 7012 to the advent of the CMMC draft. In the fall of 2022, we finally received clear guidance in CMMC 2.0 that allows DIB manufacturers and qualified Managed IT & Cybersecurity partners to move forward with confidence.
What Do NIST & CMMC 2.0 Compliance Mean for Manufacturers?
The intention of creating and enforcing technological security standards is to promote and protect U.S. innovation and industrial competitiveness. Until now, the U.S. Department of Defense’s supply chain has been encouraged to meet the cybersecurity standards of NIST. NIST (The National Institute of Standards and Technology) is a non-regulatory federal agency within the U.S. Department of Commerce.
The DOD has since introduced The Cybersecurity Maturity Model Certification (CMMC) as a new standard of information security. Its goal is to protect Controlled Unclassified Information (CUI) across the entire defense industrial base worldwide.
CMMC 2.0 Levels
There are three (3) levels to CMMC 2.0 – Level 2 & 3 affects Defense Industrial Base manufacturers who handle Confidential Unclassified Information (CUI), while Level 1 will affect everyone working as part of a Federal Contract.
CMMC was previously estimated to affect 300,000 suppliers—and while the launch of CMMC 2.0 will greatly reduce the number of contracts required to receive third-party audits through the CMMC-AB, any contractor handling CUI will still need to meet the cybersecurity framework requirements to pass the self-assessment that will now be required. The changes reflected in CMMC 2.0 will be implemented through the rulemaking process, which can take anywhere from 9 – 24 months. RFPs already include CMMC requirements as of fall 2020 and are slated to be mandatory as soon as rulemaking is completed. Per Acquisition & Sustainment, Office of the Under Secretary of Defense: “The DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period.”
Why it is Imperative for Manufactures to Take Action Now
It’s important to focus on the maturity part of the Cybersecurity Maturity Model Certification: compliance is inherently non-static. New threats and defenses are established all the time, so an integral part of compliance at any level is maintaining that compliance. This can be challenging, and it is a major process to meet CMMC requirements. Creating, enforcing, and maintaining security controls take time and when certification is available, manufacturers don’t want to be left behind.
We may experience a backlog from those that are ready for certification between now and when the certification goes live. And remember that meeting CMMC L2 will be required for all Department of Defense (DOD) contractors, with self-attestation being minimum and L3 capabilities with third-party certification being required for some contractors. Talk to your Federal Contracting Officer or Prime about the programs you work on.
There is also a complete culture shift involved with achieving the above. Everyone needs to be cognizant of their role upholding compliance at every level of your organization. So, these new compliance requirements mean more than just a change to the policies of your IT department. Rather, there will be changes to how information is handled throughout your organization, and IT will underpin these changes across each department.
Ready for NIST & CMMC Compliance?
The compliance deadline may seem a long way off but reaching and maintaining compliance across your organization is no simple feat. You need to not only find a technology partner who understands NIST and CMMC, but that also understands the unique challenges of the defense contracting/manufacturing industry.
Contact us to get started with a free one-on-one customized consultation with our CMMC experts!