Check out this article that our co-founder, Paul Van Metre, wrote for the SME blog!
The upper tiers of the Department of Defense’s (DoD) supply chain are aware of the Cybersecurity Maturity Model Certification (CMMC). It is required by its suppliers starting in 2021, with rolling deadlines over the next few years. CMMC is an assemblage of other cybersecurity controls with additional requirements—namely NIST SP 800-171; ISO 27001; ISO 27032; and NIST SP 800-53. The key difference is those standards only called for self-verification. A company could cite that it was compliant but did not have to get audited and certified. With hacking at an all-time high, the DoD concluded “enough is enough.” They developed the new, comprehensive CMMC standard that must be audited and certified by accredited third-party entities.
Examples of DOD Cybersecurity Compliance
There are five levels of CMMC compliance. What a supplier provides, or where it fits in the chain, dictates the degree of security required by the DoD. For example, military aircraft engine OEMs may need to be level five. However, a job shop providing fasteners for that engine might only need to be a level three. (There are resources listed at the end of this article for more information about CMMC and its requirements). Certainly, the OEMs and Tier One suppliers are well on the road toward CMMC compliance. That being said, their subcontractors have to catch up. I conducted an informal survey among our followers earlier this year. We discovered that almost half of the people who responded did not know about CMMC.
One of the first steps a defense parts supplier will need to take is to assign a staff member to understand the scope of CMMC as it pertains to their business and begin working to assure compliance. Since we’re developers of a comprehensive ERP platform, or “digital ecosystem,” we are working with customers in this effort. Our system checks off several boxes for CMMC compliance, such as requiring complex passwords, two-step authentication, auditing tools, user tracing, and other documentation for meeting the standard. In fact, we’ve created a bundled framework called “Cybersecurity Flying Start Package” to aid our customers on this path because preparing for CMMC is like preparing for ISO or AS9100 on steroids. It is considerably more strenuous and resource intensive. Companies must be prepared to invest time and potentially tens of thousands of dollars, depending on the nature of the business as it relates to government work….