Manufacturers that supply materials to the U.S. Department of Defense will need to take their cybersecurity practices up a notch to comply with a new government certification program.
The Department of Defense rolled out its Cybersecurity Maturity Model Certification (CMMC), which includes five levels, earlier this year. Businesses with access to Controlled Unclassified Information are required to meet Level 3, a group that includes every company manufacturing a component that goes into a product made for the DOD.
While large government contractors, such as Oshkosh Corp. and Fincantieri Marinette Marine, are probably 90 to 95 percent of the way to meeting the new requirements, their subcontractors may be in a bit of a bind, says Josh Moore, a senior solutions architect with Information Technology Professionals.
“(Subcontractors) will be hit the hardest by the new rules. Small- and medium-sized manufacturers do not have the deep pockets to comply with the new requirements without some help,” he says.
To obtain Level 3 certification, manufacturers need to meet all of the requirements in National Institute of Standards and Technology Special Publication 800-171 and have an information security continuity plan in place. The new rule will affect more than 300,000 businesses in the country, and all of them will have to go through a third-party assessment or certification process, according to the DOD.
Some of the requirements for Level 3 include improvements in asset management (tracking devices such as cell phones and computers), recovery and backup systems, and security software packages, as well as new cybersecurity processes. In addition, manufacturers must document all of their processes and procedures.
“For some manufacturers, they will need to build their processes from the ground up, and many will need to hire additional help or work with a contractor to monitor the processes and manage the assets and software,” Moore says.
Mike Burgard, chief information security officer for Marco, says becoming certified may prove cost prohibitive for some small- and medium-sized businesses.
“At this time, it appears that reimbursement for certification costs may be allowed; however, certification must be active and in place prior to being considered for a bid,” he says. “This may be problematic for many small and medium businesses. Further, the new requirements apply to all subcontractors, including an individual, whether the business or contractor has access to or uses (controlled unclassified information) or not.”
While it may be a challenge for some businesses to obtain Level 3 certification, Tom Wojcinski, a member of Wipfli’s cybersecurity services team, says it is necessary to protect U.S. warfighting capabilities. “You’re only as strong as your weakest link,” he says. “The DOD just wants to make sure we maintain our advantage.”
While a large OEM may have strong and secure networks, it may be possible for someone to hack into a supplier’s network and from there, gain access to the large OEM’s network system, Wojcinski says. “Businesses will need help to understand where they are and what they are missing to develop a plan to fill in their gaps. It is necessary to protect the supply chain,” he says.
Moore says the DOD understands the effect the changes will have on suppliers. “The government knows they are putting stress on their supply chain, but it’s what is needed to keep bad actors out of our most secret information, such as equipment designs which could be used to find a weakness,” he says.
To be considered certified and eligible to participate in RFPs for the DOD, a business needs to coordinate directly with an accredited, independent third-party commercial certification organization. That organization will schedule a CMMC assessment, and the business will need to specify the level of certification it is seeking. After the assessment, the certifying organization will notify the business which level has been awarded. If a manufacturer is going for Level 3 and fails one item on the list, it will automatically receive a Level 2 certification instead. Businesses, of course, can make corrections and go through the entire process again.
Most businesses will not be able to comply with the new rules “right out of the gate,” Moore says.
The new framework goes into effect in June on new requests for proposal and requests for information, says Burgard, adding that some small- and medium-sized businesses may need to partner with managed service providers that have experience with CMMC to help them become fully compliant and stay that way.
“Larger enterprises have dedicated IT staff, security staff, and in many cases, dedicated compliance/risk management staff” who can ensure the business remains CMMC compliant.
While contractors do not have to achieve Level 3 certification before submitting a bid, they do need to have the certification in place before any work can begin, Moore says. “There’s a limited time to get this done.”
Dates to know
The U.S. Department of Defense has put the new Cybersecurity Maturity Model Certification (CMMC) on the fast track. The new standards were announced in January, and all contractors involved with any DOD work must be certified. Here are some important dates that contractors need to know:
CMMC requirements appear in DOD Requests for Information (RFIs)
DOD contractors will need to be certified to bid on Requests for Proposal (RFPs)