In late 2019, a Manufacturing Works Member that manufactures iron and steel forgings began receiving notifications from their customers that they were required to perform a NIST 800-171 self-assessment. NIST 800-171 requirements include "The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems."
"We thought that by putting in a new firewall, we would be done. However, after attending a Manufacturing Works webinar on CMMC, we learned that it is not that simple."
CMMC, they learned, stands for Cybersecurity Maturity Model Certification and is a requirement for companies doing business with the Department of Defense (DOD). As a company that does about 30% of its business with the DOD, they quickly took action.
After the webinar, they engaged the services of a fellow Manufacturing Works Member, On Technology Partners, to complete a cybersecurity assessment. This assessment was subsidized through the CARES Act, which meant that there was no direct cost to the manufacturer.
Five issues were uncovered that needed to be resolved to continue supplying the DOD with materials:
Working with a service provider, the company is in the process of developing ongoing solutions, which include:
While the work is still in process, the company has improved basic cybersecurity, is confident in keeping their DOD business by preparing for Level 1 CMMC compliance, and is looking forward to a new ERP system that will serve their company and customers into the future.
CMMC is presently being revised from CMMC 1.0 to CMMC 2.0, and the revision is currently in the public discussion phase. While this will delay the requirement, the requirement will not be abandoned. The delay gives companies more time to plan and implement basic cybersecurity practices.
If you have questions about CMMC or other cybersecurity issues, contact Ron Clough, Vice President of Manufacturing Services, at 216.920.1968.