Cybersecurity Desk: What Should Heat Treaters Be Doing NOW?

op-ed

This seventh article in the series from the Cybersecurity Desk helps you determine if CMMC applies to your business, learn what changes were made to CMMC 1.0, know what you should be doing NOW to prepare for CMMC 2.0, and more.

Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s May 2023 Focus on Sustainable Heat Treat Technologies print edition.


Introduction

Joe Coleman, Cybersecurity Officer, Bluestreak Consulting™ (Source: Bluestreak Consulting™)

Along with determining if CMMC (Cybersecurity Maturity Model Certification) applies to your business, this 7th article in the series from Heat Treat Today’s Cybersecurity Desk will give you a better understanding of what the certification is all about and the requirements to become certified. Also, we will cover the changes that were made to CMMC 1.0, the current status of CMMC’s proposed rule, and what you should be doing NOW to prepare for when the CMMC 2.0 rule is finally released.

What Is Changing in CMMC 2.0

In November 2021, the Department of Defense (DoD) announced a major update to the CMMC program. To safeguard sensitive national security information, the DoD launched CMMC 2.0, a comprehensive framework to protect the Defense Industrial Base’s (DIB’s) sensitive unclassified information from frequent and increasingly complex cyberattacks. Manufacturers or suppliers that handle sensitive or Controlled Unclassified Information (CUI) in any way, or that operate within the DIB, need to pay attention. CMMC 2.0 condenses the original 5 CMMC maturity levels into 3 levels, eliminating levels 2 and 4 and removing CMMC-unique practices and all maturity processes. The DoD has also revised the number of controls required for each of the three new levels: Level 1 includes 17 controls, Level 2 has 110 controls, and the total number of controls in Level 3 is still to be determined. Several other changes somewhat relax the requirements from CMMC 1.0.

Who Does CMMC Impact?

Manufacturers in the DIB are going to be held accountable to safeguard sensitive information and must comply with CMMC 2.0. Any contractor, subcontractor, supplier, or manufacturer that provides parts or services to the DoD or anyone within the DIB (no matter how minuscule) will need to comply with one of the three levels of CMMC compliance.

What Should Heat Treaters Be Doing Now?

Although CMMC 2.0 is still in the rulemaking phase, the new CMMC proposed rule is expected to be released sometime in mid-2023. This will give some much-needed clarity on how to move forward and will help streamline the implementation of CMMC. Warnings will be issued to the DIB through DoD primes and will be passed down through the supply chain. Manufacturers that do not comply will be at risk of losing contracts.

If you (or your clients) are doing work for any DoD primes (or NASA), such as Raytheon, Lockheed Martin, McDonnell Douglas, Northrop Grumman, or L3Harris (and many more), then this applies to your business. If you are unsure, check the fine print in your contracts and/or ask your clients about their requirements.

If you handle CUI in any way, you need to be at a CMMC Level 2 or Level 3. The most common level is Level 2. If you don’t handle CUI in any way, but you do handle FCI (Federal Contract Information), you will need to be certified at a Level 1.

On average, NIST 800-171 (CMMC Level 2) implementation takes a company of up to 100 employees between 12 and 18 months. That means that even though CMMC 2.0 is not finalized yet, you should not wait until it is. If you have not started your NIST 800-171 implementation and you want to be ready when the CMMC 2.0 rule is released, you are already a year behind.

CMMC certification requires government oversight, whereas NIST 800-171 compliance can be self-attested. You should always hire a qualified CMMC consultant to ensure that you are “audit-ready” for your certification audit.

What’s the Difference Between FCI and CUI?

FCI is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service. CUI and FCI share important similarities and a particularly important distinction. Both CUI and FCI include information created or collected by or for the government, as well as information received from the government. However, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding and may also be subject to dissemination controls. In short: All CUI in possession of a government contractor is FCI, but not all FCI is CUI.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.
