Suppliers throughout the Department of Defense supply chain received memos this fall from their biggest customers mandating they demonstrate steps taken toward obtaining cybersecurity certification, or lose out on new contracts. For many small manufacturers, it was a wakeup call to beef up their cyber defenses. Even those operating outside the DoD supply chain can benefit from looking at what’s behind this push and how they can be proactive.
“If you are unable to comply with new mandatory requirements,” says one of the memos, “GE Aviation will be unable to continue to do business with your company.”
This wasn’t GE’s call, or Raytheon’s, or any of the other major manufacturers who sent out similar messages in recent months. DoD issued an interim rule effective November 30, 2020, stipulating that top-level defense manufacturers must require all of their suppliers to document assessment action towards complying with NIST 800-171, the baseline of the new Cybersecurity Maturity Model Certification (CMMC) framework. CMMC is being phased in between 2020 and 2025 and represents one of the strongest cybersecurity protocols in any industry.
A Long Time Coming, a Long Way to Go
While this mandate may seem abrupt, it is not. On the heels of Chinese cyber spies stealing U.S. military designs, DoD first required adherence to NIST 800-171 by December 31, 2017. However, the rule had no teeth. Manufacturers were expected to self-assess their systems and bring themselves into compliance. Many saw the writing on the wall and brought their systems up to date. Without any real incentive or enforcement to do so, others did not. The memos that went out this fall are the first steps toward consequences for noncompliance.
While the language of the memos manufacturers just received is fairly strong, what they’re being asked to do at this stage is somewhat minimal: complete an assessment. Specifically, they need to complete a DoD Assessment Methodology and submit the results (no more than three years old) through the Supplier Performance Risk System (SPRS). Part of this submission will include a plan and estimated date for achieving full compliance with NIST 800-171. At this point, that’s all it takes to remain eligible to receive new or renewed contract awards under DoD supply agreements. However, additional interim rules are likely to be issued in the coming months requiring additional milestones.
Getting on the Level
CMMC, which builds upon NIST 800-171 adding other policies and best practices, has five levels of certification. By 2025, Maturity Level 3 compliance will be required to be part of the DoD supply chain. ML 3 includes 130 criteria, or “practices” to use the language of CMMC, so obtaining certification may seem daunting. However, many of the practices are common-sense steps most manufacturers have already taken. Oftentimes, to check off an item may simply entail quantifying or detailing a measure already in place in order to ensure there aren’t any gaps.
For example, multi-factor authentication, or MFA, is a CMMC practice familiar to most internet users. It’s a means of creating login security that’s stronger than a lone password. Users are texted a code (or receive one via an app) that they need to enter along with their password to log in. MFA can also include a physical object, like a fob, that has to be near a machine for the password to be accepted.
For an organization that takes cybersecurity seriously—for instance, one that handles plans and specs for military aircraft or submarines—MFA needs to be required for every user on every device in order to be effective. What a CMMC assessor is looking for is not just the presence of MFA, but the thoroughness and effectiveness with which it has been implemented.
Cybersecurity-awareness training is another example of a CMMC practice that has to be executed in a particular way. All employees have to train, and training needs to occur on a regular, ongoing basis. However, it can be quite brief—10 or 12 minutes a month completed on employees’ own schedule both checks the box and helps your team spot red flags and keep hackers out.
Physical security is intertwined with cybersecurity and part of CMMC as well. Since an unauthorized person inside your facility would have an easier time accessing sensitive data, identification badges and secure entrances and exits to your building are CMMC practices. When your employees are off-site, they must use a VPN (virtual private network) to access company systems. Mobile devices need to be locked and there has to be a way to wipe them remotely if lost. Patches. You have to patch your systems. No more out-of-date Windows.
Some manufacturers have all or many of these practices and other CMMC requirements in place, so the 2025 deadline provides plenty of time to obtain level 3 CMMC certification. It’s those manufacturers who haven’t started this process who are in for an uphill climb. One hurdle every manufacturer will face in the CMMC compliance process will be the requirement of an independent 3rd party auditor (C3PAO) to “certify” the Maturity Level achieved by the supplier. Like a financial auditor, the C3PAO will evaluate the practices in place and deliver either a remaining set of gaps or a confirmed certification which is valid for 3 years.
A Roadmap to Cybersecurity for Non-DoD manufacturers
If you don’t make something that at some point is used by the U.S. military, you’re off the hook for CMMC certification. Hackers, however, still want your data in order to sell it or withhold it for extortion. More than a third of cyberattacks against manufacturers cause over $1 million in damage. Even if your biggest customers aren’t demanding it, CMMC provides a top-notch playbook for preventing cybercrime.
With the exceptions of healthcare and financial services, most industries have nothing like CMMC to guide them in creating a defense-in-depth approach to cybersecurity. Manufacturers outside the DoD supply chain can truly benefit from seeing how they stack up against the CMMC standard. While they may not need to obtain a specific level of CMMC certification, the 171 practices it takes to achieve level 5 provide 171 potential layers to a defense designed to keep your company’s data safe and your production lines running.
Tom Sharp is vice president of operations at Kelser Corporation, an IT managed services provider in Connecticut.