Cybersecurity in 2020 is a huge issue. We all know a company that has been subject to a virus, been hacked, had data held hostage in a ransomware attack, had data stolen, and more. For companies that manufacture defense-related products, including machine shops, fabrication shops and contract manufacturers, collectively referred to as the DIB (Defense Industrial Base), it is a particularly large and growing problem. According to The Center for Strategic and International Studies (CSIS), in partnership with McAfee, as much as $600 Billion, nearly 1% of global GDP, may be lost to cybercrime each year. The estimate is up from a 2014 study that put global losses at about $445 Billion.
Machine shops and fabricated metal and composite manufacturers are at the core of the DIB. Consider any significant defense product like airplanes or satellites: they are primarily built from machined and fabricated components. Because this is the case, protecting CUI (Controlled Unclassified Information) is critical in the defense supply chain. CUI is defined as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI registry can be found at https://www.archives.gov/cui.
The loss of CUI from the DIB sector (which includes any machine shops or defense contract manufacturers) increases risk to national economic security and, in turn, national security. In order to reduce this risk, the DIB sector must enhance its protection of CUI in its networks. The need to increase the security of this data has led to a number of regulatory requirements that apply to manufacturers in the DIB.
Most companies have some information security measures in place, but without a comprehensive information security management system (ISMS) to tie those measures into a cohesive system, gaps will persist and the company will be vulnerable.
Let’s look at a few of the security measures and systems that shops need to consider:
Most shops are familiar with ITAR (International Traffic in Arms Regulations); enacted in 1976, it was put in place to help eliminate the dissemination of information and data related to products on the USML (US Munitions List) to any non-US person. Any company that is handling ITAR-controlled data should be registered with the DDTC (Directorate of Defense Trade Controls). ITAR regulations state that companies must control the “export” of any controlled data so that it is never seen by anyone who is not a US person (a US citizen or permanent resident). The regulations are very clear: a “non-US Person” (as defined by the standard) viewing a controlled drawing, even while in the United States, is considered an “export!” Many companies have been fined huge sums of money for allowing such exports to happen.
The National Institute of Standards and Technology published the NIST 800-171 standard in 2014 to provide guidelines to private sector organizations in the United States to assess and improve their ability to prevent, detect, and respond to cyber attacks. Although this NIST standard is primarily focused on the digital domain (your computers and your network), it provides a holistic approach to security by requiring controls on your personnel and your physical spaces as well. This standard was created in an effort to protect CUI – information which is deemed sensitive but not classified. Some Department of Defense (DoD) contracts require NIST compliance via DFARS clause 252.204-7012, which stipulates that any company which stores or accesses CUI must self-assess that it meets all 110 requirements of the NIST 800-171 standard. A company can become compliant with the NIST standard, but it cannot be certified to NIST 800-171: there is no system of third-party auditors who will provide a company with a certificate.
ISO/IEC 27001 is an information security standard that was last updated in 2013. It does require third party auditing to achieve certification. ISO 27001 is intended to bring information security under management control according to specific requirements. The standard stipulates that the organization must:
- Systematically assess all risks, vulnerabilities, and impacts to the organization
- Implement comprehensive measures to improve the information security systems of the organization
- Enact a continuous improvement system for the organization’s information security practices
In some regards, the ISO 27001 standard is more of a marketing initiative, with companies trying to show that their systems are more secure than their competitors’. It is not a requirement for inclusion in government RFIs or RFPs. More information can be found on the ISO website.
SOC 2 is developed by the American Society of CPAs to provide a certification for companies who host data in the cloud. Its goal is to make sure that systems are set up so they assure the security, availability, processing integrity, confidentiality, and privacy of customer data. It provides guidelines for developing written security policies and procedures which will be verified by third-party auditors. Similar to ISO 27001, SOC 2 certification is not a mandatory requirement. More information can be found on the AICPA website.
CMMC stands for “Cybersecurity Maturity Model Certification”. Version 1.0 was published in January 2020. It will become the primary standard for cybersecurity requirements for all companies who work with CUI within the DIB supply chain. The CMMC standard builds upon the 110 security control requirements of NIST 800-171 but is more extensive and changes the model from self-assessment to an external assessment model. Third-party assessments will be conducted by Third Party Assessment Organizations (C3PAOs) that are controlled by the CMMC Accreditation Body (AB), a non-profit, independent organization (www.cmmcab.org).
As of this writing in July 2020, the network of C3PAOs is still under development. Once it is in place, DIB companies will be able to book an approved C3PAO and schedule a CMMC assessment for a specific level. Certifications will generally be valid for 3 years before recertification is necessary. Detailed information about CMMC can be found on the Office of the Under Secretary of Defense for Acquisition and Sustainment website.
The 5 levels of CMMC
The CMMC outlines 5 levels of maturity of a company’s cybersecurity. Level 1 is “Basic Cyber Hygiene” and Level 5 is “Advanced/Progressive”. All 5 levels are outlined in the figure below. Based on the position within the supply chain and the types of data being managed, different levels of certification will be required of different companies. The level that will be necessary for a company will be based on the sensitivity of the information from the DoD that the company will be working with: most machine shops and similar companies who make subcomponents or smaller subassemblies will be required to reach Level 3, although, from the attached presentation from the DoD, it appears that the required levels may ramp up over time.
Source: Department of Defense, Cybersecurity Maturity Model Certification (CMMC) Version 1.0
The DoD was planning on adding CMMC requirements to RFIs (Requests for Information) starting in June 2020, and to RFPs (Requests for Proposals) in October 2020. However, this timeline has since been shifted by a few months.
It is expected that around 1,500 companies will be affected in the first round of implementation and will need to be CMMC certified by Fall 2021. By the Fall of 2026, it is expected that all new DoD contracts will include CMMC requirements. This DoD presentation shows that once fully implemented, a conservative estimate is that nearly 50,000 companies will be affected.
All companies who are subcontractors on DoD contracts, with the exception of companies who strictly manufacture COTS (Commercial Off The Shelf) products, will need to be CMMC certified or will not be granted DoD contracts.
CMMC Scope and Impact
The introduction of CMMC changes the model established by ISO 27001, NIST 800-171 and SOC 2: rather than a mostly optional or self-certified model, the CMMC introduces a mandate to be certified in order to participate in the DIB supply chain. For any company that is part of the DIB and handles CUI, the new mandate for CMMC certification will require a significant change in the amount of time, money and resources needed to develop and maintain its cybersecurity processes. The CMMC offers a holistic system for building and maintaining a company’s security department. Some of the processes involved include tracking and maintaining hardware and software inventories, configuring logons with multi-factor authentication, ensuring the principle of “least privilege” is followed wherever possible, regularly performing risk assessments, and creating an agile incident response plan for use in the event of a security breach or incident, to name just a few.
During my conversations with hundreds of shops around the country, many of whom perform defense-related work, it’s staggering to me how many of them have never heard of CMMC before and the sheer enormity of the effort they have ahead of them without even knowing about it yet. Most shops think that being ITAR registered (which requires no third-party auditing) is sufficient for performing defense work, and they self-certify as compliant. The scope of the requirements is enormous and will leave all but the most sophisticated shops scrambling to understand what’s required of them and how to build their new processes to become compliant and pass the third-party audits.
What ProShop is Doing About CMMC
Since late 2019, when we ourselves became aware of the looming standard, our developers have been working to ensure that ProShop ERP is able to facilitate meeting some of the Level 3 requirements; as of June 2020, we have released new features that companies can utilize to meet certain areas of compliance. But CMMC extends far beyond just your ERP system, and we’d like to help our customers become certified with as little frustration as possible (it’s still a huge effort!).
For a little context, let’s look at another offering of ours. ProShop has a deeply integrated suite of QMS modules that help a company maintain the documented processes and records for managing their QMS to a standard such as AS9100. We have developed what we call the QMS Flying Start package which includes a complete set of business and quality processes that are designed to meet the requirements of the standard. It includes a high-level Quality Manual, many Quality Procedures, hundreds of specific Tasks, Training documents, and a comprehensive set of Company Positions with specific training requirements that are related to the Standard. We’ve helped many shops become AS9100 or ISO 9001 certified much faster and with fewer monetary and staff resources spent using the QMS Flying Start Package than is typically possible.
So with the CMMC in mind, we are rapidly developing a Cybersecurity Flying Start Package. Within that package we have what we call the CMMC Standards Implementation Process, or SIP, which is a fully developed template and workflow to help a company understand the requirements and develop a plan to become compliant. It will eventually address every requirement of all 5 levels, embedded into a series of ProShop CMMC SIP Work Orders, with useful explanations of the requirements, links to relevant and helpful information or resources, and the ability to check off each requirement as it is implemented. Just as a shop would use a work order to ensure that it had understood, mitigated and met the requirements of building a complicated machined part, signing off on each of those requirements, the CMMC SIP work order will be followed just like any job in the shop: it can be assigned to different employees and worked through to completion. Does that mean it will be easy or handed to shops on a platter? Definitely not. The CMMC SIP is designed to help you build your own tailor-made cybersecurity department. Achieving CMMC certification will be a monumental task for any company and may make some question whether or not they want to continue doing defense-related work. But for those who are deeply embedded in the DIB supply chain, the task will be to understand the requirements, make the necessary changes to replace non-compliant software programs, update all their systems and policies, and become certified as quickly as possible before the deadlines prohibit their ability to bid on new contracts.
While the CMMC may require us to participate in security in ways we may not have foreseen or chosen, the benefits of developing a cybersecurity department go way beyond a certification. The cost of a data breach or security incident can damage the reputation and financial health of an organization immeasurably; the holistic approach of the CMMC is designed to prevent or mitigate this risk. Having measures in place provides peace of mind to management and fosters a sense of trust between employees and stakeholders. Security is no longer a “nice to have;” it is truly foundational to the success of an organization.
We are also doing that work ourselves. As a provider of enterprise software solutions to many companies in the DIB, we will be CMMC certified ourselves and are rapidly building our new processes so we are ready to be audited as soon as assessments can be performed by an approved C3PAO. We recommend you talk to all the software companies you work with, including your ERP provider, to see what their plans are for their products and company, and ensure their product will support your efforts to become certified.