The prescribed level of compliance relates to the five levels of CMMC, with Level 5 being the most stringent. Examples include:
- Level 1: Rivet producer
- Level 3: Key structural component supplier
- Level 5: Proprietary weapons system producer/assembler
The CMMC levels correspond to the nature of the supplier’s work and where it fits into the DOD’s supply chain. Original equipment manufacturers (OEMs) and Tier 1 and Tier 2 companies in the supply chain are already moving toward CMMC compliance; however, many of their subcontractors are just starting, and some haven’t yet started (see CMMC resources sidebar below).
“In a recent webinar we hosted on the topic, we learned that almost 60% of the participants hadn’t started the CMMC compliance effort yet,” says Paul Van Metre, founder of ProShop ERP. “And some in that group didn’t even know about CMMC. While that number may not reflect an accurate percentage of the entire defense sector, it’s an indication that CMMC compliance by non-critical defense suppliers is at its earliest phase, and they need to focus on this now if they want to continue working with the DOD.”
ProShop got involved in CMMC compliance because the enterprise resource planning (ERP) company offers a comprehensive digital ecosystem. Its built-in quality management system (QMS) means both the software and the company’s customer advisors are already well-versed in ISO quality, AS9100, and International Traffic in Arms Regulations (ITAR) certifications. The CMMC essentially assembles cybersecurity controls from other frameworks, including NIST SP 800-171, NIST SP 800-53, DFARS 252.204-7021, and the Center for Internet Security (CIS) controls, plus additional requirements.
“While DOD suppliers have been required to be NIST 800-171 compliant since early 2018, the self-verification process wasn’t robust enough to ensure the security of the Defense Industrial Base (DIB),” says Julia Boswell, ProShop’s Security and Compliance lead. “A company could cite that it was compliant, but it didn’t have to get audited and certified.”
As criminal hackers became more pervasive and sophisticated, the DOD shifted from self-assessment toward a verifiable certification process, hence the all-encompassing CMMC standard. Van Metre provides an example of a 50+ person machine shop that produces aerospace, defense, medical, and other commercial precision parts. They felt they were practicing good cyber-hygiene and even had an on-premises (as opposed to cloud-hosted) ERP with redundant local backups. Then ransomware entered their system through a phishing email. Hackers escalated privileges, exfiltrated data, then encrypted the entire network, making all of it inaccessible. Finally, the criminals threatened the machine shop with release of its data if a ransom wasn’t paid. To recover, the company had to wipe the server and all the machines connected to the network. Their database backup wasn’t running as designed, but fortunately the ERP team was able to restore their database without losing data. There’s now an ongoing investigation by the DOD and the Federal Bureau of Investigation (FBI), who are monitoring the dark web to determine whether the data is released for sale.
Boswell suggests that companies begin their CMMC treks by assigning an interested staff member to understand the requirements of the standard as it pertains to their business. Then, conduct a gap assessment that captures the current state of an organization’s security architecture. This will help inform implementation of the CMMC controls.
“As part of our platform, we’re working with customers in this rather daunting effort,” Boswell says. “Our system facilitates several areas of CMMC compliance, such as complex password requirements, two-step authentication, auditing tools, user tracing, and other required reporting and documentation.”
For example, one of ProShop’s customers, Southern Machine Works in Duncan, Oklahoma, became a beta tester of ProShop’s Cybersecurity Flying Start Package, which provides a framework within ProShop to understand the requirements, manage the process of becoming CMMC compliant, and document the actions taken for the CMMC audit.
Southern Machine Works was already an AS9100D and ITAR-registered machine shop serving the aerospace, defense, and other industries requiring precision-engineered components. The company practices a continuous improvement methodology to augment its information technology (IT) data infrastructure and its staff’s privacy training. One example: its facility is closed to the public, and meetings are by appointment only. That physical security is just one line item among a few hundred distinct requirements in the CMMC standard.
Customer Service and Compliance Lead Zach Young is guiding the CMMC initiative at Southern Machine Works, and he says the company started working toward NIST 800-171 in 2019 and began its relationship with ProShop in 2020.
“With ProShop’s expertise in the various quality standards, including AS9100, they already had a solid foundation from which to build a CMMC framework into their software,” Young explains. “For instance, although difficult to visualize without a demo, I can create records for each electronic device we have across the enterprise – computers, phones, cameras, everything – and all I must do is put in one link to this group, and then it takes me to a page where it lists every device that I put into it so far.”
Although the company was well into complying with NIST 800-171, Young says the comprehensiveness of the CMMC standard surprised him at first, but made sense from a security standpoint, and it helped to have outside partners such as ProShop and a manufacturing extension partnership (MEP) organization.
The CMMC requirements are divided into 17 domains, ranging from purely technical controls over a company’s network and devices to personnel management and security awareness training – all making the standard a company-wide endeavor. When ready for assessment, Van Metre and Boswell suggest a company find and book a C3PAO (a CMMC third-party assessor organization) from the CMMC Accreditation Body (CMMC-AB) Marketplace, which will conduct the on-site assessment. This must be someone other than the firm hired for cybersecurity consulting. Once assessed, the company will have 90 days to remediate any findings. If the company makes the corrections within three months, it won’t have to book a reassessment; it will be issued the certification, which is good for three years.
CMMC implementation and assessment costs depend on several factors including:
- Certification level to be obtained
- Complexity of the Defense Industrial Base company’s contracts
- New, additional equipment/platform purchases
- Staffing, implementation costs
- Booking C3PAO audit
- Maintaining certification
The DOD has provided rough order-of-magnitude cost estimates for CMMC assessments as part of the Federal Register Notice for Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041, starting at as little as $3,000 for Level 1 and rising to more than $100,000 for Level 3 and higher.
Of course, all the outlay must be weighed against the income from the DOD accumulated over many years. While lower-tier subcontractors may not be formally asked to prove their compliance for a few years, it could take all that time for a smaller company with limited time and resources to implement the necessary requirements.
“And, while this is a DOD demand currently,” Boswell says, “let’s not be surprised if more original equipment manufacturer (OEM) customers and top tier suppliers in other critical industries ask for cybersecurity proof. Having cybersecurity architecture within a business not only sets it apart from competitors, but it’s also the logical evolution in good business practice for the organization’s own health and safety.”