Certification Under CMMC 2.0 Requirements
In late 2019, a Manufacturing Works Member that manufactures iron and steel forgings began receiving notifications from their customers that they were required to perform a NIST 800-171 self-assessment. NIST 800-171 requirements include "The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems."
"We thought that by putting in a new firewall, we would be done. However, after attending a Manufacturing Works webinar on CMMC, we learned that it is not that simple."
CMMC, they learned, stands for Cybersecurity Maturity Model Certification and is a requirement for companies doing business with the Department of Defense (DOD). Since about 30% of their business is with the DOD, they quickly took action.
After the webinar, they engaged the services of fellow Manufacturing Works Member On Technology Partners to complete a cybersecurity assessment. This assessment was subsidized through the CARES Act, which meant there was no direct cost to the manufacturer.
What They Learned
Five issues were uncovered that needed to be resolved to continue supplying the DOD with materials:
- The company needed to verify it actually had CUI (Controlled Unclassified Information)
- The company did not have a supported ERP system (their system provider was no longer in business)
- Because the ERP system was unsupported, there was no viable backup process in the event of a systems interruption
- The company needed documented and auditable policies with assigned owners
- These issues needed to be addressed both for basic cybersecurity hygiene and to meet CMMC requirements
Working with a service provider, the company is in the process of developing ongoing solutions, which include:
- Contacting their prime contractors to identify specific CUI documents and requirements
- Within a reasonable budget, beginning to deploy basic security practices (e.g., moving all users to Windows 10 Pro, migrating all email accounts to Microsoft Outlook, installing basic layered ransomware protection, etc.)
- Creating backup and recovery protocols
- Identifying a future ERP solution to include inventory control, invoicing, and disaster recovery
- Performing the NIST 800-171 assessment
While the work is still in progress, the company has improved its basic cybersecurity, is confident of keeping its DOD business by preparing for Level 1 CMMC compliance, and is looking forward to a new ERP system that will serve the company, and its customers, into the future.
What You Should Know About CMMC Compliance
CMMC is presently being revised from CMMC 1.0 to CMMC 2.0 and is currently in the public discussion phase. While this will delay the requirement, it will not be abandoned. This gives companies more time to plan and implement basic cybersecurity practices.
- Understanding whether you handle CUI or FCI (Federal Contract Information), and what kind, is critical to determining what you need to do in the future. If you are not sure, start by asking your prime contractors.
- Some issues constitute basic cybersecurity hygiene and are risks to your business whether or not you do work for the defense industry.
- Service providers may have grants available. In this case, CARES funding for support was available through 2021.
If you have questions about CMMC or other cybersecurity issues, contact Ron Clough, Vice President of Manufacturing Services, at 216.920.1968.