The Who, What, When, and How
This guest blog post is courtesy of New Jersey MEP's Mike Womack, Marketing & Communications Manager.
In early November 2021, the Department of Defense announced a massive update to the Cybersecurity Maturity Model Certification (CMMC) program. Manufacturers or suppliers that handle any Controlled Unclassified Information (CUI) or those within the Defense Industrial Basse (DIB) will need to pay attention. The latest update to the CMMC, “CMMC 2.0” marks the completion of an internal program assessment spearheaded by Department of Defense (DoD) leadership. CMMC 2.0 condenses the original 5 CMMC maturity levels into 3 levels and applicable manufacturers will need to know where they stand, what is changing, which maturity level they need to meet, and the penalties for non-compliance.
What is Changing in CMMC 2.0?
CMMC began as a way to protect CUI held by DoD contractors and subcontractors on any non-federal contractor information system. As manufacturers comply with their appropriate maturity level, it will safeguard this critical information from evolving cybersecurity threats which supports and enables the U.S. military. The original CMMC comprised five maturity levels but this is changing.
The DoD conducted an internal assessment of the CMMC program in March of 2021 which took into consideration direct feedback from the more than 850 public comments in response to the interim DFARS rule. It led to the development of “CMMC 2.0”, an upgrade to the program's critical structure and changes in its maturity levels. Streamlining and improving the implementation was the main goal of updating the program, however, manufacturers will need to be acutely aware of these changes to make sure they remain compliant or risk losing current and future DoD contracts.
Modifications included in CMMC Version 2.0 are listed below:
• Eliminating levels 2 and 4 and removing CMMC – unique practices and all maturity processes from the CMMC Model
• Allowing annual self-assessment with an annual affirmation by DIB company leadership for CMMC level 1
• Bifurcating CMMC level 3 requirements to identify prioritized acquisitions that would require annual self-assessment and annual company affirmation
• CMMC level 5 requirements are still under development
• Development of a time-bound and enforceable Plan of Action and Milestone Process
• Development of a selective, time-bound waiver process, if needed and approved.
Who/What Does This Impact?
No business is completely safe from cybersecurity threats. Manufacturers are particularly at risk. These organizations often supply the largest, most powerful corporations and governments with critical parts vital to our national security and way of life. Cybercrimes understand this fact and actively seek to steal information or cause disruptions. Every company can benefit by investing in cybersecurity since a cyber breach could cost manufacturers millions but manufacturers working with the DoD need to go beyond just ensuring they’re up-to-date with the latest cybersecurity best practices.
Manufacturers in the DIB are going to be held accountable to safeguard sensitive information and must comply with CMMC 2.0. Any supplier, sub-contractor, or manufacturer that conducts business with the DoD, no matter how minuscule will need some level of CMMC. Identifying the appropriate CMMC maturity level will either be determined by a prime DoD contractor or uncovered through a CMMC gap analysis. Determining which maturity level a manufacturing business must maintain is the critical first step toward compliance. Businesses that do not comply with these new DoD cybersecurity regulations will be at risk of losing their government contracts. Now, with this update, manufacturers must ensure they fall within one of the updated three maturity levels.
When Do Manufacturers Need to Start Compiling?
Proactive action is always recommended. Deadlines from the federal government are issued swiftly and with little warning. CMMC 2.0 will be implemented through DoD rulemaking process 32 of the Code of Federal Regulations (CFR). Title 48 CFR will follow title 32 which will establish the contractual requirements. The DoD stated, “The CMMC program team will work through the rulemaking processes as expeditiously as possible.”
CMMC 2.0 requirements will be mandatory however an official deadline has not been set as of 12/27/21. Once title 32 CRF rulemaking is complete, and the requirements have been implemented as needed into acquisition regulation through title 48, warnings will be issued to the DIB through DoD prime contractors. Manufacturers that do not comply with their designated maturity level will be at risk of losing contracts once a deadline has been established.
Manufacturers that handle CUI will still be responsible for implementing the cybersecurity requirements in NIST SP 800-171. Any manufacturer that has FCI, will still need to implement the basic cybersecurity requirements in FAR 52.204-21. Even though at this moment the federal government will not be auditing businesses, they are creating a means to prosecute contractors under the False Claims Act. The government can pursue a false claims case against businesses in the DIB that are not taking cybersecurity seriously. Manufacturers will need to be prepared because the government can decide contracts need independent assessments without any notice if a company states they are compliant.
How Can Manufacturing Business Prepare?
Manufacturers are in a challenging spot. The absence of a CMMC 2.0 deadline and the promise by the government to strictly enforce the new cybersecurity certification make it difficult to plan for the future. Some estimate the rulemaking can take between 9-24 months but there is no word if there will be a grace period once the rules are established. Manufacturing businesses may be required to comply with their newly designated CMMC maturely level immediately. Without building CMMC 2.0 into a manufacturers business plan today, they might not have the resources to take action once the certification comes into effect
Even though manufacturers are facing this imposing disruption, there is help available. Each state, including Puerto Rico, has some form of a Manufacturing Extension Partnership (MEP). These independent organizations work through a cooperative agreement with NIST and are the tip of the spear when it comes to helping manufacturers ensure they meet NIST SP 800-171 regulations as well as identifying the appropriate CMMC 2.0 maturity level. Many may even offer support to become compliant within a specific maturity level. Depending on the state, MEP’s often offer general cybersecurity support for manufacturers outside the DIB since every business will feel the pressure of cyberthreats well into 2022 and beyond.
As stated above, manufacturers handling CUI will still need to implement NIST SP 800-171. Those that engage with FCI will need to comply with FAR 52.204-21 guidelines. CMMC 2.0 deadlines are not an “if” but a, “when”. Businesses must prepare immediately to ensure their operation is not interrupted and no contracts are lost. Manufacturing businesses in the DIB must take action and protect their business. Cyberthreats have matured and now it’s time to ensure cybersecurity and regulations follow suit.