This list of cybersecurity acronyms was compiled by the late Joe Coleman, former cybersecurity officer at Bluestreak Consulting™. Joe wrote a regular column called the Cybersecurity Desk in Heat Treat Today’s print publication.
“Even if a heat treater is not a DoD contractor or in the DoD supply chain, NIST 800-171 is a great “best practice” standard for any organization to improve overall cybersecurity health. This will help in obtaining future orders because customers will know critical data is secure.” – Joe Coleman
About The Author
Joe Coleman
Joe Coleman was the cybersecurity officer at Bluestreak Compliance, which is a division of Bluestreak | Bright AM™. Joe worked for over 35 years in diverse manufacturing and engineering positions. His background included extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe presented at the Furnaces North America (FNA 2024) convention on DFARS, NIST 800-171, and CMMC 2.0.
Joe Coleman, cybersecurity officer at Bluestreak Compliance, discusses critical aspects of NIST 800-171 and CMMC with host Doug Glenn. Joe touches on how to become compliant, how long compliance takes, compliance pricing, and the limitations companies may face if not compliant. Learn more in this episode of Heat Treat Radio.
The following transcript has been edited for your reading enjoyment.
What Is CMMC? (03:34)
Doug Glenn: Let’s jump in. Cybersecurity, while it’s not unique to heat treaters, is across all manufacturing sectors. But there are some unique elements of it that tie into the metal treating industry.
Let’s start with some basic definitions for those who don’t know: What is CMMC and what’s the purpose of it?
Joe Coleman: CMMC stands for Cybersecurity Maturity Model Certification. And we’re currently on version 2.0. It’s a verification program to ensure that defense contractors and subcontractors are able to protect sensitive information from the DoD (Department of Defense). That includes FCI, which is federal contract information, and CUI — or some people call it “coui” — which is Controlled Unclassified Information.
It’s going to affect about 300,000 companies in the U.S. Also, it’s going to start impacting companies later this year or early next year. That’s when it’s said to be fully released, and they’ll start adding it to contracts and RFQs and things like that.
Doug Glenn: So, in CMMC 2.0 version, the DoD is asking companies, “Do you comply with CMMC 2.0?”
Joe Coleman: Rather, it is saying you must comply by 2025 and at a certain level; there are three levels.
Doug Glenn: What are these requirements based on?
Joe Coleman: DFARS 252.204-7012 was implemented in 2016. In it, they were saying that people must be NIST 800-171 compliant by December 2017. If you’re not, you’re way behind the ball. They just haven’t pushed it until recently. Now they’re really pushing it. It’s based on NIST 800-171 recommendations — that’s Rev 2, and a subset of NIST 800-172.
Doug Glenn: You mentioned DFARS. Can you just briefly explain that?
Joe Coleman: DFARS is Defense Federal Acquisition Regulation Supplement.
Doug Glenn: Also, I’m kind of curious about this: Who’s actually pushing it? Is it the Department of Defense, or is it government in general, or is it controlled by (kind of like Nadcap and things of that sort) an independent organization outside of the federal government?
Joe Coleman: No, CMMC does cover other things, but it’s mostly by the DoD. They are the ones pushing it because of foreign adversaries stealing our information and ransomware attacks and things like that.
Doug Glenn: Right, okay. So that’s CMMC 2.0. Is NIST 800-171 a subpart of that, or is NIST 800-171 something different?
Joe Coleman: That’s something different. NIST 800-171 is published by the National Institute of Standards and Technology. DoD doesn’t have a lot to do with NIST. They are two different standards; the DoD is just borrowing NIST 800-171 for CMMC’s requirements.
Doug Glenn: I see. They’re using NIST’s package that’s already there as part of their requirement.
I think you’ve already kind of hit on it, but let’s just be explicit about it. What started the push by the DoD to require CMMC or require any type of enhanced security?
Joe Coleman: The DoD finally realized just how vulnerable defense contractors are and how vulnerable their computer systems and networks are to cyberattacks and to sensitive information being leaked by the DoD or contractors, that kind of thing. They’re trying to pull everything together to improve national security and to help secure this important data.
Doug Glenn: So, in a sense, it’s really the DoD just trying to cover their rear end, so to speak, and protect sensitive, national defense type information.
What Is DFARS? (08:45)
We talked about DFARS briefly. I’ve heard a DFARS interim rule mentioned. What is that?
Defining DFARS
Joe Coleman: That came about in November of 2020. It plays along with the DFARS 7012 — 252.204-7012. They came up with three new clauses to improve how cybersecurity is handled and enforced.
The first one is clause 252.204-7019. It mandates that, when you do your assessment, you come up with an assessment score based on 110 controls, and your score can be from a positive 110 (the perfect score) to a negative 203. That score needs to be turned into the SPRS, the Supplier Performance Risk System, so other companies can see what your score is.
So, 7019 mandates that you do turn in your score and that it can be no older than three years old. They are requesting that if they say you’re DFARS-required on a contract, things like that, you need to be NIST 800-171 compliant.
The next one is 252.204-7020. And that one states that you have to give full access to your company — your internet system, your IT, all of your information, and your employees, if they decide to come in and do a medium or high assessment or just an audit. You will have to turn over that control to them.
Joe Coleman: There are three different levels of assessments that can be done under NIST 800-171. There is a basic level which you attest yourself. It’s all self-attestation for NIST 800-171. There’s a medium level which means you have to have a DoD official come in and do your final assessment. And then there’s a high, which you also need a DoD official to come in and do that. The majority of them are basics, which you can self-attest to.
Doug Glenn: How does a company know if they need to even have the CMMC?
Joe Coleman: If your company is a defense contractor, subcontractor, vendor/supplier, or if you’re in the DIB (the defense industrial base), you will need to be compliant if you process, store, transmit, or handle FCI or CUI in any way. If you handle CUI or FCI, you must become CMMC certified at one level or another.
Doug Glenn: Let’s just take an example. Say I’m almost third tier down in a supply chain, and the guy I’m doing business for is obviously doing defense work. Do I need to be CMMC certified at that point, even on the basic level?
Joe Coleman: Well, it depends on what type of data you’re handling. There is a flow down process. It starts with the prime contractor. Then it goes to the contractor and then on down the line. And if you are dealing with CUI or FCI, you need to have that same certification level as your client or as your contractor.
Doug Glenn: Would my client in that case, the person I’m doing business with, would it be incumbent upon them to tell me that I am dealing with FCI or CUI?
Joe Coleman: Yes. It would be in your contract.
Doug Glenn: If someone listening has a specific question about whether they’re required, I’m sure they could contact you and you could probably help them on that just to make sure.
Joe Coleman: Anytime. I also have an ebook that I made that is ready to be sent out, so I can always send them a free copy of that.
Doug Glenn: Now, I think you’ve already answered this question, but how many maturity levels are in CMMC and what are they?
Joe Coleman: A little, there are three levels. There is level one, which is the foundational level, and that is for contractors or vendors or suppliers that deal with only FCI. They do not deal with CUI. So, there’s a much smaller set of requirements for level one. And about 60% of the 300,000 companies will be going for level one.
Then there’s level two, which is advanced, and that is for contractors and vendors and suppliers that deal with CUI in any way. It can come in an email and leave. But as long as they have access to CUI, they need to be at least a level two certification. And there are about 80,000 companies that are going to be impacted by that of the 300,000.
Level three is expert, and level three is based on the 110 controls in NIST 800-171 plus a subset of controls that are in 800-172. Level two mirrors NIST 800-171. It’s borrowing all the requirements from NIST 800-171, enhancing them a little bit, and putting them into CMMC. So, there are a few more hoops you have to jump through to be CMMC certified.
Doug Glenn: We’ve talked about two different sets of levels. We talked about a basic, medium, and high. And then we talked about level one, two, and three. Are these things the same or are they different? Can you help me understand the difference between those?
Joe Coleman: The basic, medium, and high is an assessment level that assesses your whole system and facility, and that’s based on NIST 800-171. CMMC, you have three different maturity levels, and that’s level one, level two, and level three.
Doug Glenn: When you say maturity levels, that shows the degree to which your company has gone to implement these things.
Joe Coleman: Yes. It is a certification.
On CMMC level one, you can self-attest your own certification. Level two and level three, you will have to have what’s called a C3PAO (or a CMMC third-party assessment organization). They will have to come in and do your final assessment. Bluestreak Compliance can take you all the way to that assessment audit ready. But then you’ll have to have a C3PAO come in and do the final audit and the certification level.
Doug Glenn: That was going to be one of my questions because you guys mentioned that you’re a registered practitioner organization. You don’t actually do the assessments, but you can get everybody up to the door, right? You prepare them for it?
Joe Coleman: Yes. You would need a CMMC certified assessor to do that.
Doug Glenn: All right. And when is all this going to be required? Right now, it’s not required but it will be required?
CMMC: Mark Your Calendars! Companies will need to prepare for the eventual implementation of CMMC level two certification. A phased rollout is planned to simplify the process; however, a shortage of registered practitioner organizations (RPO) may lead to a backlog.
Joe Coleman: CMMC is not required currently. It’s in the last phase of being released for approval. Either late this year or early next year, it’s going to be a phased rollout. Later this year or early next year, you’re going to have phase one, which is that if you need to be level one certified, you will need to become certified right away. That’s the one you can self-attest.
Six months after that, they’re going to start requiring that CMMC level two is implemented. This means you’ll have to go through the process of getting a C3PAO. And that’s when it comes time to hire an RPO (registered practitioner organization), because they’ve got the training and the certification to get you there.
Now, one thing on the C3PAO: there are currently only 54 C3PAOs in the entire country. So, there’s going to be a huge backlog. You could be talking a year backlog, so plan accordingly.
Finally, level three, an enhanced version of level two because it has more requirements, also requires a C3PAO for certification.
What’s Involved in Becoming NIST Compliant? (21:14)
Doug Glenn: Joe, let’s talk for a second about the process, if you will. What’s involved in becoming CMMC certified?
Joe Coleman: That all depends on if you are NIST 800-171 compliant already. If you are not NIST compliant already, you need to get NIST compliant as soon as possible. That has a big impact on your CMMC implementation.
Doug Glenn: Can you address that then: What do you have to do to become NIST compliant?
Joe Coleman: To become compliant, you have to do an assessment on your network and your facilities to come up with an assessment score. So, it’s the same as CMMC.
Then, you will have to do a gap analysis. You will come up with a POAM list (a plan of action and milestones); that is your to-do list based on your assessment, your shortcomings, or what you’re not compliant to. And you’ll need to come up with a system security plan (an SSP). That’s mandatory; you cannot be compliant without an SSP.
Once you get your SSP and your POAM list, then you need to take your score, your beginning score/baseline score, and submit that to the SPRS. And that is the library that holds all of the scores and shows your level.
From there, you start remediating and implementing your POAM list. But that also includes coming up with policies and procedures, plans, and a lot of documentation — everything gets documented based on where you stand and where you’re going, until the end when you do your final score.
Now, the SSP is a living document. It’s going to constantly change. If you have a change in your network, a major change, you’ll need to go in and update that right away.
How To Become CMMC Compliant? (23:46)
Doug Glenn: So that’s how you get to be NIST compliant. For CMMC, is there more to it?
Joe Coleman: There’s a few more requirements in CMMC, but the major difference is that with NIST 800-171 it’s all self-attestation. CMMC you will need to have a C3PAO.
Doug Glenn: That is, somebody’s going to need an outside validator, so to speak.
Joe Coleman: And they’re very expensive.
Now, another reason they came up with CMMC is because people were saying that they were compliant to NIST 800-171, and they really weren’t. That gets into the False Claims Act and things like that. They really go after people that do that.
Doug Glenn: Yeah. Any sense of the time frame for either becoming NIST compliant and/or CMMC compliant?
Joe Coleman: If you are not NIST compliant yet, that can take up to 6 to 12 months. I’ve seen it take more. You can do CMMC and NIST together if you need to because you’re using the same documents. If you’re not NIST compliant, that can take up to 18 months or more. If you are NIST compliant already, you’re talking 6 to 12 months to be CMMC certified.
Doug Glenn: Okay. You just alluded to it, but I just want to make it clear. Can you do them both at the same time in parallel tracks?
Joe Coleman: Yeah, I’m working with clients that are not currently NIST compliant. So, we’re just rolling it into one using the same documents. It’s just that we’ll have to have a different assessor at the end.
Doug Glenn: Let’s say a company just decides they’re not going to be either NIST or CMMC compliant. You can still be a company, right?
Joe Coleman: Oh yeah, you can still do business; you just can’t do business with the DoD. A lot of companies base it on how much of their workload or how much of their business percentage is based on DoD work or from a contractor or subcontractor. If it’s 1%, 2%, 3%, 5%, you need to take a good hard look and say, is it worth putting a lot of money into?
Cost of Certification (26:52)
Doug Glenn: So, they can still be in business and doing well, but they just can’t do any DoD work. So, any ballpark figures? And I realize this probably varies widely depending on the size of the company and everything, but any ballpark sense of how much change we’re talking about here?
Joe Coleman: There’s no official word from the DoD on this, but there are some guesses out there. For NIST 800-171 compliance, depending on your current cybersecurity program that you currently have and how involved it is, I’ve seen it from $15,000 to $60,000.
Doug Glenn: Okay. That’s just for NIST?
Joe Coleman: Just for NIST. For CMMC, and again depending on if you’re NIST compliant, if you are not NIST compliant you’re going to do them together, it could be over $200K (probably easily) to become CMMC certified because you’re also becoming NIST compliant.
Doug Glenn: I’m curious. How come it’s going to cost you maybe 3x as much?
Joe Coleman: One of the main reasons is that with CMMC, you’ll want to hire a registered practitioner organization to guide you through the process and to do the documentation for you. The other is the C3PAO. There are only 54, and they can name their own price.
I can imagine it’s going to be over $100K just for the final assessment.
Doug Glenn: Right, that’s helpful. I think that gives everybody a pretty good sense of what we’re talking about here with CMMC 2.0 and NIST 800-171.
What Can a Registered Practitioner Do for You? (29:02)
Your division of your company, which is Bluestreak Compliance (you’ve already mentioned you’re a registered practitioner), can you give a brief summary of what it is? What do you guys bring to the table?
Joe Coleman: A registered practitioner organization has been certified by the Cyber Accreditation Board (Cyber AB), or CMMC accreditation body. A registered practitioner organization (RPO) works with and hires RPs (registered practitioners) or RPAs (registered practitioner advanced). I happen to be an RPA. And we’ve gone through all the training that we need to have so that the Cyber AB says, okay, you are qualified to do this.
So, when I quote a job, I usually quote it two different ways. One way is just guiding you through the process, so you’re going to do all the heavy lifting. I can supply you with templates and things like that for your documentation and guide you through each step. Or I can quote it where we manage the whole process. We will do all your documentation for you.
Joe Coleman: “You’re going to have at least 1 or 2 full-time employees doing nothing but this.”
Your team will have to be involved in the implementation process. And that’s true both ways. But we normally quote it two different ways, and they choose which one they want based on their budget and things like that.
Doug Glenn: It sounds like what you’re bringing to the table is the ability to get that company from where they are now, wherever they self-assess to start with, up to the point where they can bring in one of the third-party auditors and actually have a reasonable shot at passing the CMMC 2.0 assessment.
Joe Coleman: Correct. And it’s going to take a lot of input from the client or from the companies, too, because you’re going to have at least 1 or 2 full-time employees doing nothing but this. You’ve got to build that cost into it.
That’s what I tell people when we say we can quote it either guiding you or leading the project. It’s not as much work if I am leading the project. But if I’m not leading the project, you’re going to need a team of people to do this. It’s a lot of work.
Cybersecurity Areas To Be Aware Of (31:48)
Doug Glenn: I’m not sure there is an easy answer to this question, but can you give a list of top 3 to 4, or 4 to 5, areas that a company needs to look at when they start doing the NIST and CMMC checklists? Where do you see most companies falling down, or what are the areas they need to be aware of?
Joe Coleman: A lot of the smaller companies do not have a robust cybersecurity program. That is going to be a big pitfall. That’s going to be a big jump for them, not just the work that they have to put into it, but the expense; a lot of small companies just can’t afford that.
Joe Coleman: Some of the things are making sure that your network is totally secure and locked down, firewalls. Along with that, you’re going to need endpoint protection on all your devices, mobile device manager. You’re going to have to track every device that has access or could have access to CUI. You have to have a full inventory of that. Your IT system has to be locked down.
Now, this also includes your facility; it includes physical security. That’s talking about your door locks, your alarm systems, things that are going to protect CUI. Camera systems, your server rooms have to be locked down. It’s a lot of physical security, too.
Doug Glenn: Interesting. As well as the protocols for how you handle emails, how data is transferred, where it’s stored, and backups, stuff like that?
Joe Coleman: Yes. And you need to have a policy and a procedure for each one of those. They have to be fully documented every step of the way.
Doug Glenn: Wow. Okay. Sounds like fun, Joe.
Joe Coleman: It is. I enjoy it, but it’s a lot of work.
Doug Glenn: Well, that’s good, I appreciate it. The columns and things that you’ve written for our publication have been helpful to people, I know. And I think this podcast will also be helpful to them. But do you know, for those who are listening and might be attending Furnaces North America, do you know when your talk is?
Joe Coleman: It’s going to be on the 16th at 8:50 a.m., and it’s in room 222.
Doug Glenn: All right.
All right, Joe. Thank you very much. I appreciate your time. We’ll look forward to more of your input.
Thanks everyone for listening.
About The Guest
Joe Coleman, Cybersecurity Officer, Bluestreak Consulting
Joe Coleman is the cybersecurity officer at Bluestreak Compliance, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe will be speaking at the Furnaces North America (FNA 2024) convention, presenting on DFARS, NIST 800-171, and CMMC 2.0.
Artificial intelligence remains a hot topic for every industry, not least heat treating. Understanding the how and why of AI’s potential impacts on the industry, however, is not so easily apparent.
Today’s article, written by Joe Coleman, cybersecurity officer at Bluestreak Consulting, breaks down the pros and cons of implementing AI, to help you decide if artificial intelligence might be a beneficial addition to your heat treat operations.
Joe Coleman, cyber security officer, Bluestreak Consulting
As all of you are aware, artificial intelligence (AI) is getting more and more attention, and companies are beginning to use AI to help with many aspects of running their businesses. I’m sure you’ve heard of ChatGPT and other intelligent user interfaces (IUI). You may be one of those businesses considering the idea or experimenting with it to access its potential benefits for your business.
Like any industry, there are quite a few pros and cons associated with using AI to improve the heat treating processes. This article will outline some of these advantages and disadvantages. Always make sure you do your own research before jumping into the AI world because it’s not always what it seems.
What Is Artificial Intelligence (AI)?
Artificial intelligence is the simulation of human intelligence in machines that are programmed to think and learn like humans. It covers a wide range of techniques and approaches, including machine learning, that allow computers to perform tasks that typically require human intelligence, such as understanding natural language, recognizing patterns, solving problems, and making decisions. AI systems are designed to learn from data, improving their performance over time without being explicitly programmed for each case. These technologies find applications in many areas, from virtual assistants and language translation services to autonomous vehicles and industrial diagnostics, revolutionizing industries and helping to shape the future of technology.
Pros of AI in Heat Treating
Quality Improvement:
AI systems can monitor and help control the heat treatment process in real time, ensuring consistent quality and minimizing defects.
Predictive analytics in AI can anticipate potential defects, allowing for corrective actions before they occur.
Increased Efficiency:
AI algorithms can optimize processing parameters and reduce bottlenecks, leading to faster and more efficient heat treating processes.
AI-driven automation can improve employee labor throughput and increase overall production speed.
Cost Reduction:
By optimizing utility usage and resources, AI can help reduce the many operational costs within heat treating facilities.
Predictive maintenance generated by AI can prevent costly equipment breakdowns and production downtime.
Customization and Personalization:
AI algorithms can analyze customer requirements and tailor heat treating processes to their specific needs.
Improved data analysis can lead to the development of new and specialized heat treatments for different metals and alloys.
Data Analysis and Information:
AI systems can process enormous amounts of data generated during heat treatment, collecting valuable information that can be used for process improvements and better-quality management.
Pattern recognition and statistical process control (SPC) analysis by AI can identify trends and correlations that could normally be overlooked.
Cons of AI in Heat Treating
Initial Investment:
Implementing an AI system requires a significant initial investment in the technology, training, and infrastructure, which may be a showstopper for smaller businesses.
Dependency on Technology:
Dependence on AI systems can become a problem if there are technical glitches or breakdowns, disrupting the entire heat treating process.
Data Security and Privacy:
AI systems rely heavily on data. Ensuring the security and privacy of sensitive data is critical, especially when dealing with Controlled Unclassified Information (CUI), your proprietary heat treating processes, and sensitive customer information.
Ethical Concerns:
AI decision-making processes raise ethical questions, especially when the technology is used in critical applications. Ensuring fairness, transparency, and accountability in AI decision-making is essential.
Skilled Workers Replaced:
Automation using AI might reduce the need for certain manual tasks, potentially displacing skilled workers who do not have the skills needed to operate or maintain AI systems.
Here’s the bottom line: You should always do your own research to see if AI is a good fit for your business. AI is not always better. There are upsides of using it, and there are definitely downsides to using it. You can’t always trust AI to give you the best information, so always make sure you confirm the information it is giving you through V&V (verification and validation).
At the Metal Treating Institute’s (MTI) national fall meeting, held October 9–11 in Tucson, AZ, Jay Owen gave an excellent presentation entitled, “Artificial Intelligence: Be Afraid or Be Excited.” Contact MTI by visiting www.heattreat.net.
This seventh article in the series from the Cybersecurity Desk helps you determine if CMMC applies to your business, learn about what changes were made to CMMC 1.0., know what you should be doing NOW to prepare for CMMC 2.0., and more.
Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s May 2023 Focus on Sustainable Heat Treat Technologies print edition.
Introduction
Joe Coleman, Cybersecurity Officer, Bluestreak Consulting™ (Source: Bluestreak Consulting™)
Along with determining if CMMC (Cybersecurity Maturity Model Certification) applies to your business, this 7th article in the series from Heat Treat Today’s Cybersecurity Desk will give you a better understanding of what the certification is all about and the requirements to become certified. Also, we will cover the changes that were made to CMMC 1.0, the current status of CMMC’s proposed rule, and what you should be doing NOW to prepare for when the CMMC 2.0 rule is finally released.
What Is Changing in CMMC 2.0
In November 2021, the Department of Defense (DoD) announced a major update to the CMMC program. To safeguard sensitive national security information, the DoD launched CMMC 2.0, a comprehensive framework to protect the Defense Industrial Base’s (DIB’s) sensitive unclassified information from frequent and increasingly complex cyberattacks. Manufacturers or suppliers that handle sensitive or Controlled Unclassified Information (CUI) in any way or those within the DIB need to pay attention. CMMC 2.0 condenses the original 5 CMMC maturity levels into 3 levels, eliminating levels 2 and 4, and removing CMMC unique practices and all maturity processes. They have also revised the number of controls required for each of the three new levels. Level 1 includes 17 controls, Level 2 has 110 controls, and the total number of controls in Level 3 is still to be determined. There are also several other changes made that somewhat relax the requirements from CMMC 1.0.
Who Does CMMC Impact?
Manufacturers in the DIB are going to be held accountable to safeguard sensitive information and must comply with CMMC 2.0. Any contractor, subcontractor, supplier, or manufacturer that provides parts or services to the DoD or anyone within the DIB (no matter how minuscule) will need to comply with one of the three levels of CMMC compliance.
What Should Heat Treaters Be Doing Now?
Although CMMC 2.0 is still in the rulemaking phase, the new CMMC proposed rule is expected to be released sometime in mid-2023. This will give some much needed clarity on how to move forward and will help streamline the implementation of CMMC. Warnings will be issued to the DIB through DoD primes and will be passed down through the supply chain. Manufacturers that do not comply will be at risk of losing contracts.
If you (or your clients) are doing work for any DoD primes (or NASA), such as Raytheon, Lockheed Martin, McDonnell Douglas, Northrop Grumman, or L3Harris (and many more), then this applies to your business. If you are unsure, check the fine print in your contracts, and/or ask your clients about their requirements.
If you handle CUI in any way, you need to be at a CMMC Level 2 or Level 3. The most common level is Level 2. If you don’t handle CUI in any way, but you do handle FCI (Federal Contract Information), you will need to be certified at a Level 1.
On average, it can take a company of up to 100 employees between 12 and 18 months to implement NIST 800-171 (CMMC Level 2). So even though CMMC 2.0 is not completed yet, don’t wait until it is. If you haven’t started your NIST 800-171 implementation and you want to be ready when the CMMC 2.0 rule is released, you’re already a year behind.
CMMC certification requires government oversight whereas NIST 800-171 compliance can be self-attested. You should always hire a qualified CMMC consultant to ensure that you’re “audit-ready” for your certification audit.
What’s the Difference Between FCI and CUI?
FCI is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service. CUI and FCI share important similarities and a particularly important distinction. Both CUI and FCI include information created or collected by or for the government, as well as information received from the government. However, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding and may also be subject to dissemination controls. In short: All CUI in possession of a government contractor is FCI, but not all FCI is CUI.
About the Author:
Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.
Find heat treating products and services when you search on Heat Treat Buyers Guide.com
This sixth article in the series from the Cybersecurity Desk will give you a better understanding of how to submit your basic NIST 800-171 self-assessment score into SPRS (Supplier Performance Risk System).
Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s March 2023 Aerospace Heat Treating print edition.
Why Should You Do This?
Joe Coleman Cybersecurity Officer Bluestreak Consulting™ Source: Bluestreak Consulting™
The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7020 is one of the three clauses of the DFARS 252.204-70 series (7019, 7020, 7021) newly released in November 2020, after the original 252.204-7012. DFARS 252.204-7019 is the “Notice of NIST 800-171 DoD Assessment Requirements,” whereas DFARS 7020 consists of the requirements themselves. DFARS 7020 requires you to submit your basic NIST 800-171 self-assessment score to SPRS. Contractors and service providers must provide the government access to their facilities, systems, and personnel any time the Department of Defense (DoD) is renewing or conducting a Medium or High assessment.
Once your self-assessment score has been submitted and accepted into SPRS, you will be eligible to be awarded contracts. Your score must remain in SPRS throughout the duration of the contract(s). You’ll need to show that you are working towards full compliance.
If a self-assessment score submitted to SPRS is required in order to win a contract, and you don’t have a self-assessment score in the system because you don’t have CUI, does that mean you will lose the contract? Maybe.
The requirement for NIST SP 800-171 DoD self-assessment is being enforced whether or not you have CUI. So, it makes sense to get started on this ASAP to position your company for additional business. Plus, having better cybersecurity controls in place is definitely a business best-practice.
How To Submit Your Basic Self-Assessment Score to SPRS
There are two ways to submit your basic self-assessment score to SPRS.
Option 1: Using email to send the information. Submitting your self-assessment score via email to SPRS includes the following steps:
Get an accurate NIST 800-171 Self-Assessment and Score. Conduct the self-assessment and obtain your score using cybersecurity professionals who carefully follow the required DoD Assessment Methodology for NIST Special Publication (SP) 800-171A.
Identify your SPRS “Scope of Assessment.” Your SPRS score submission will fall into one of three categories: Enterprise, Enclave, or Contracts.
Determine your expected completion date. The “Plan of Action Completion Date” must be determined according to your compliance project timelines.
Find your Commercial and Government Entity (CAGE) codes. Your CAGE codes represent the part(s) of your organization included in the assessment and represented in the final System Security Plan (SSP) document.
Provide a brief description of the SSP format and system architecture.
Submit your self-assessment score to SPRS. To submit your score, send an email (optionally encrypted and signed) to webptsmh@navy.mil with the subject line “SPRS Self-Assessment Score Submission” in the exact format specified below:
Assessment date
Assessment score
Scope of assessment
Plan of action completion date
Included CAGE(s) codes
Name of System Security Plan (SSP) assessed
SSP version/revision
SSP date
Wait for email confirmation
Option 2: Using the PIEE (Procurement Integrated Enterprise Environment).
Register a PIEE account at https://piee.eb.mil/. Once your business is registered, choose the SPRS link and follow all instructions. You will need to provide all the same information as shown in Option 1.
Funding & Cost Sharing May Be Available for Heat Treaters
With the huge push for stricter cybersecurity practices by the government and many businesses, cost sharing and funding sources have been identified that may cover a substantial percentage of the costs associated with these critical cybersecurity projects. Every state has at least one MEP (Manufacturing Extension Partnership). Many states are more than willing to help out with the cost of implementation.
For any heat treater interested in getting these high-security contracts, review the following steps that will help you successfully complete your basic and final self-assessment.
Today’s read is a Cybersecurity Desk feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s February 2022 Air & Atmosphere Furnace Systems print edition.
Introduction
Do you have plans to perform your NIST SP 800-171 self-assessment, but need more clarity about what’s involved? DFARS 252.204-7012 and the DFARS Interim Rule, including DFARS 252.204-7019, state that all DoD contractors in the Defense Industrial Base (DIB) that process, store, and/or transmit CUI (Controlled Unclassified Information) and want to be eligible for any contract award must complete a self-assessment (or basic assessment) using the DoD’s NIST SP 800-171 Assessment Methodology and generate a points-based score. This score will then be uploaded into the Supplier Performance Risk System (SPRS). At the time of contract award for a DoD contract containing the new 7019 clause, a DoD contracting officer will verify that a score has been uploaded to the SPRS.
Identifying and Defining Your Organization’s CUI
Your NIST 800-171 basic self-assessment should start by identifying CUI sources and flows and mapping them within your organization’s IT systems. Organizations need to understand that CUI is an information category that includes Covered Defense Information (CDI) and Controlled Technical Information (CTI).
Define the Scope of the Self-Assessment
When you have finished identifying all CUI, you’re ready to scope the environment. To scope the environment correctly, first determine which systems, applications, and business procedures process, store, or transmit CUI. Second, define in detail how that data moves through your network.
NIST 800-171 Self-Assessment Procedure
You can find the self-assessment procedure for all compliance requirements in NIST SP 800-171A. In short, a self-assessment evaluates all 320 assessment/control objectives. Each assessment/control objective consists of the determination statements related to a particular security requirement. The 320 assessment/control objectives are divided among 110 separate controls, which are grouped into 14 different control families.
Self-assessment methods include:
Examining: reviewing, inspecting, observing, or analyzing assessment objects
Interviewing: holding discussions with individuals to facilitate understanding or clarification, or to gather evidence
Testing: exercising assessment objects under specified conditions to confirm that the requirements are met
Organizations are not expected to use all assessment methods and objects in NIST 800-171A. Instead, they have the freedom to determine which methods and objects are best for them to get the desired results.
Must Have a System Security Plan (SSP)
One of the most important requirements for a successful self-assessment is having a System Security Plan (SSP). Not having an SSP is a definite obstacle.
The SSP describes the system boundaries, how the IT system operates, how the security requirements are implemented, and the relationships with, or connections to, other systems. It also includes information on the security requirements themselves.
Plan of Action & Milestones (POA&M)
To best protect CUI, organizations need to implement the CUI security requirements to the fullest extent possible. But, when some of the requirements are not completely implemented, a POA&M must be generated. The POA&M includes the tasks needed to resolve deficiencies, along with the resources and timelines required.
The purpose of the POA&M is to identify, assess, prioritize, and monitor the progress of corrective actions, allowing the organization to achieve the desired assessment score.
Next month we will discuss: “Submitting Your Basic Self-Assessment Score(s) To The SPRS.”
Cybercrime is hands-down one of the quickest growing crimes around the globe and it continues to impact organizations from all industries. Being protected from cyber-attacks is becoming more and more challenging. While cyber criminals are constantly looking for ways to take advantage of your security vulnerabilities, it’s very difficult for most organizations to keep up with them.
This fourth article in the series, written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™, will give you a better understanding of some general cybersecurity best practices for all businesses, and a few tips for what you should and shouldn’t do.
This column is found in Heat Treat Today's December 2022 Medical and Energy print edition.
What Are the Risks of Having Poor Cybersecurity?
It’s difficult to remain 100% protected 100% of the time, but the risks from failing to have proper cybersecurity are hefty. The risks include: malware that can delete your entire system; the selling of your data or your customers’ data; an attacker hacking your system and altering files; an attacker using your computer to attack others; or an attacker stealing your credit card information and making unauthorized purchases.
12 Best Practices To Reduce the Chance of Cyberattacks
Follow these cybersecurity best practices to minimize the risks of cyberattacks and improve your cybersecurity:
Use complex passwords: Use at least 12 to 16 characters, including letters (upper and lower case), numbers, and special characters. Remember to change your passwords frequently.
Keep software up to date, including antivirus and antimalware: Install software patches as soon as they become available. Also, be sure to enable automatic virus definition updates to ensure maximum protection against the latest threats.
Utilize a firewall: Firewalls may be able to prevent some types of attacks by blocking malicious code before it can infect your computer. Enable and properly configure the firewall as specified.
Enable Multi-Factor Authentication (MFA) or 2-Factor Authentication (2FA): This gives you an additional layer of protection that helps to verify that you are an authorized user.
Be suspicious of unexpected emails: Phishing emails are currently one of the biggest risks to a user. The goal of a phishing email is to gain information about you, steal money from you, or install malware on your device (if you click on something in the email).
Use VPNs to ensure connections are private: To have a more secure and private network connection, use a VPN (virtual private network). Your connection will be encrypted, and your private information protected.
Look for HTTPS on websites (instead of just HTTP): On websites that do not use HTTPS, there’s no guarantee that the information between you and the site’s servers is secure.
Scan external storage devices: External storage devices have the same risk as internal storage devices. Always scan external storage devices for malware before accessing them.
Train your employees: If your cybersecurity program has any chance of working, make sure your employees are well trained and always using security best practices. It only takes one mistake. Educate your staff to be aware and on the lookout for different types of malicious social engineering (including a simple phone call asking for a username and/or password).
Backup your important data: Critical data can be lost with security attacks. Make sure you backup your important data frequently to the cloud or local storage device (preferably multiple devices).
Don’t use public networks: Avoid public networks or use a VPN to connect. All of your information is vulnerable on public networks at hotels, coffee shops, airports, and other similar locations.
Use secure file-sharing to encrypt data: When sharing sensitive or confidential information, always use a secure file-sharing solution. If emails are intercepted, unauthorized users will have access to your data.
Improve Your Cybersecurity Weaknesses
NIST SP 800-171 is an excellent best practice, even if you are not in the DoD downstream or military-related supply chain, to ensure your data and your customer’s data is always secure.
My fifth article in this Cybersecurity Desk series will be: “Performing Your Basic & Your Final NIST 800-171 Assessments.”
About the Author:
Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe will be speaking at the Furnaces North America (FNA 2022) convention, presenting on DFARS, NIST 800-171, and CMMC 2.0. Contact Joe at joe.coleman@go-throughput.com.
As the next installment in this series on cybersecurity, this third article will give you a better understanding of the Department of Defense’s DFARS interim rule and its requirements.
Today's read is a Cybersecurity Desk feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today's November 2022 Vacuum print edition. Refresh with part 1 and part 2 in earlier editions.
DFARS Interim Rule
On September 29, 2020, the Department of Defense (DoD) published the DFARS (Defense Federal Acquisition Regulation Supplement) interim rule 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, with an effective date of November 30, 2020. These new clauses are an extension of the original DFARS 252.204-7012 clause that has been required in DoD contracts since 2018.
The interim rule implements the NIST SP 800-171 DoD Assessment Methodology and the CMMC (Cybersecurity Maturity Model Certification) framework. The interim rule requires contracting officers to take specific action prior to awarding contracts, giving task or delivery orders, or extending an optional period of performance on existing contracts on or after November 30, 2020.
DFARS 252.204-7019 Clause: Notice of NIST SP 800-171 DoD Assessment Requirements
All DoD contractors in the Defense Industrial Base (DIB) must complete a self-assessment using the DoD’s NIST 800-171 Assessment Methodology and generate a points-based score. If the self-assessment score falls below 110, contractors are required to create a POAM (Plan of Action and Milestones) and indicate, as part of their Supplier Performance Risk System (SPRS) submission, the date by which the security gaps will be remediated and a score of 110 achieved. At the time of a DoD contract award containing the new 7019 clause, a DoD contracting officer will verify that a score has been uploaded to the SPRS.
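The points-based score and POA&M date discussed here (and the self-assessment and SPRS submission fields covered in the other installments) worked as a small Python scorer; this is an added example, not the column's own material, modelled on the DoD NIST SP 800-171 Assessment Methodology as I understand it: start at 110, subtract each unimplemented requirement's weight of 5, 3 or 1, with partial credit for MFA (3.5.3) and FIPS-validated cryptography (3.13.11). The requirement catalog, its weights and the sample findings are constructed for illustration; check the official methodology annex before relying on any weight.

```python
"""Basic Assessment scorer modelled on the DoD NIST SP 800-171 Assessment
Methodology (assumed rules, not stated in the column): start at 110, subtract
each unimplemented requirement's weight (5, 3 or 1), partial credit for 3.5.3
and 3.13.11.  The catalog is a constructed subset with assumed weights."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110
VALID_STATUS = {"implemented", "partial", "not_implemented"}

# Constructed catalog: requirement id -> (short description, assumed weight).
REQUIREMENT_WEIGHTS: Dict[str, Tuple[str, int]] = {
    "3.1.1": ("Limit system access to authorized users", 5),
    "3.1.5": ("Employ the principle of least privilege", 3),
    "3.1.20": ("Control connections to external systems", 1),
    "3.3.1": ("Create and retain system audit logs", 5),
    "3.5.3": ("Use multifactor authentication", 5),
    "3.11.2": ("Scan for vulnerabilities periodically", 5),
    "3.13.11": ("Use FIPS-validated cryptography to protect CUI", 5),
    "3.14.1": ("Identify and correct system flaws", 5),
}
# Assumed partial-credit rules: points lost when only partially met
# (MFA not covering all users / encryption in use but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class Finding:
    """Assessed status of one requirement plus the POA&M target date for a gap."""
    req_id: str
    status: str
    planned_completion: Optional[date] = None


def deduction(req_id: str, status: str) -> int:
    """Points lost for a single requirement; rejects inconsistent input."""
    if req_id not in REQUIREMENT_WEIGHTS:
        raise ValueError(f"unknown requirement {req_id}")
    if status not in VALID_STATUS:
        raise ValueError(f"invalid status {status!r} for {req_id}")
    if status == "implemented":
        return 0
    if status == "partial":
        if req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{req_id} has no partial-credit rule")
        return PARTIAL_CREDIT[req_id]
    return REQUIREMENT_WEIGHTS[req_id][1]


def build_poam(findings: List[Finding]) -> List[dict]:
    """One POA&M row per gap.  A catalog requirement with no finding counts as
    not implemented: no evidence means no credit."""
    by_id = {f.req_id: f for f in findings}
    poam = []
    for req_id, (description, _weight) in REQUIREMENT_WEIGHTS.items():
        finding = by_id.get(req_id)
        status = finding.status if finding else "not_implemented"
        lost = deduction(req_id, status)
        if lost:
            poam.append({
                "req_id": req_id, "description": description,
                "status": status if finding else "unassessed",
                "points_lost": lost,
                "planned_completion": finding.planned_completion if finding else None,
            })
    return poam


def compute_score(findings: List[Finding]) -> int:
    """Start at 110 and subtract every POA&M row's points."""
    return MAX_SCORE - sum(row["points_lost"] for row in build_poam(findings))


def plan_completion_date(poam: List[dict]) -> Optional[date]:
    """The single 'Plan of Action Completion Date' sent to SPRS is the latest
    target date in the POA&M; every gap must carry one."""
    if not poam:
        return None
    undated = [row["req_id"] for row in poam if row["planned_completion"] is None]
    if undated:
        raise ValueError(f"POA&M rows without a target date: {undated}")
    return max(row["planned_completion"] for row in poam)


# Constructed sample assessment of the catalog above.
SAMPLE_FINDINGS = [
    Finding("3.1.1", "implemented"),
    Finding("3.1.5", "implemented"),
    Finding("3.1.20", "implemented"),
    Finding("3.3.1", "not_implemented", date(2023, 9, 30)),
    Finding("3.5.3", "partial", date(2023, 6, 30)),
    Finding("3.11.2", "not_implemented", date(2023, 8, 31)),
    Finding("3.13.11", "partial", date(2023, 12, 31)),
    Finding("3.14.1", "implemented"),
]

if __name__ == "__main__":
    rows = build_poam(SAMPLE_FINDINGS)
    print("SPRS score:", compute_score(SAMPLE_FINDINGS))         # 94
    print("POA&M completion date:", plan_completion_date(rows))  # 2023-12-31
    for row in rows:
        print(f"  {row['req_id']:8} -{row['points_lost']}  {row['description']}")
```

Dropping a finding from the sample list shows the conservative rule in action: the unassessed requirement is charged its full weight and appears in the POA&M without a date, which blocks computing the completion date until one is assigned.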
DFARS 252.204-7020 Clause: NIST 800-171 DoD Assessment Requirements
Along with the 252.204-7012 and 7019 clauses, the 7020 clause is approved for use in all DoD contracts. This new clause requires that contractors provide the government with access to their facilities, systems, and personnel when it is necessary for the DoD to conduct or renew a higher-level Assessment. The higher-level Assessments are the Medium and High Assessments. The self-assessment conducted as part of the 7019 clause is called a Basic Assessment.
A Medium Assessment is conducted by DoD personnel and includes a review of your System Security Plan (SSP), of how each requirement is met, and of any language that may not adequately address the security requirements.
A High Assessment is conducted by DoD personnel onsite at the contractor’s location and leverages the full NIST SP 800-171A (Assessing Security Requirements for Controlled Unclassified Information) to determine whether the implementation meets the requirements, by reviewing evidence and/or demonstrations such as recent scanning results, system inventories, baseline configurations, and demonstration of multi-factor and/or two-factor authentication.
Along with that, this rule also requires that contractors flow down their requirements from 7019 to their subcontractors and suppliers. Just as the DoD may choose not to award a contract due to noncompliance, you may not be able to use a subcontractor or supplier due to their noncompliance.
DFARS 252.204-7021 Clause: Cybersecurity Maturity Model Certification (CMMC) Requirements
This DFARS clause establishes CMMC into the federal regulatory framework. This requires that CMMC is to be included in all contracts, tasks or orders, and solicitations, with very few exceptions. The level of CMMC that is required will be determined by the DoD and added into the Request for Proposal. Contractors must maintain the appropriate CMMC level for the duration of any contract and the requirements must be trickled down to your subcontractors and suppliers. The CMMC certification is required at the time of contract award.
Watch For the Next Cybersecurity Desk Installment
My next article, number four in the series, will be: “General Cybersecurity Best Practices and What You Should and Should Not Do.”
Cybersecurity: it's important for more than just keeping checking accounts safe. Banks, government agencies, and online data bases all require strict cybersecurity. But what about heat treaters? What are cybersecurity requirements for heat treaters, and how can they become compliant?
Today's Technical Tuesday is a Cybersecurity Desk feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column series will have its debut in Heat Treat Today's September 2022 Trade Show print edition.
Do You Need To Be Compliant?
If you are a heat treater who provides services to a Department of Defense (DoD) contractor or to downstream DoD requests, you are affected by this topic and should read on for more details. In some cases, you may have already been asked about compliance by some of your customers. In this article and in future articles, we will provide the answers to the most frequent questions regarding how heat treaters can become and stay in compliance with cybersecurity specs and even improve their overall cybersecurity health.
Discussions around DFARS compliance, NIST 800-171 implementation, and cybersecurity within federal defense contracting are becoming increasingly prevalent by the day. Although it seems like the conversation is only recently gaining steam, the DFARS mandate has been around longer than people realize.
The DoD is requiring all contractors, subcontractors, and suppliers to be DFARS 252.204-7012 and NIST 800-171 compliant. Don’t take a chance on losing current DoD contracts and losing future business because of noncompliance. Compliance is non-negotiable for heat treaters within the DoD supply chain.
Heat treaters implementing effective cybersecurity practices are facing particularly challenging circumstances because there are more devices (including mobile devices) than people, and attackers are becoming more innovative. Cybersecurity is the practice of protecting systems, data, networks, and programs from digital attacks (web/cloud based). These cyberattacks usually seek to access, change, or destroy sensitive information; extort money from users; or interrupt normal business processes. Therefore, the government is pushing cybersecurity more than ever before. All of us need to be sure critical data and systems are protected and secured.
Here are several eye-opening statistics of how cybercrime affected SMBs (small to mid-sized businesses) from 2021:
Cyberattacks increased by nearly 300% since the beginning of the pandemic
58% of cyberattack victims are small and mid-sized businesses
60% of small companies go out of business within 6 months after a major security breach
55% of ransomware attacks involve companies with fewer than 100 employees
95% of cybersecurity breaches are a result of human error
What Is DFARS 252.204-7012?
DFARS 252.204-7012 is a DoD regulation that has become increasingly important for defense contractors and suppliers.
Originally implemented in 2016, DFARS 252.204-7012 requires safeguarding and “adequate security” of Covered Defense Information — which also includes CUI (Controlled Unclassified Information) — by implementing the guidelines found in NIST SP 800-171.
DFARS 252.204-7012 further requires contractors to follow certain procedures in the event of a cyber incident, report the incident to the government, and provide access to systems.
What Is NIST SP 800-171?
NIST SP 800-171 is a NIST (National Institute of Standards and Technology) Special Publication that provides recommended requirements for protecting the confidentiality of CUI in non-federal organizations or businesses. Defense contractors must implement the recommended 110 control requirements contained in NIST 800-171 to demonstrate their provision of adequate security to protect the Covered Defense Information (CDI) included in their defense contracts, as required by DFARS 252.204-7012. If a manufacturer is part of a DoD, General Services Administration (GSA), NASA, or other federal or state agencies’ supply chain, the implementation of the security requirements included in NIST SP 800-171 is a must.
The deadline to be fully compliant with NIST 800-171 was December 31, 2017. But it’s not too late.
Even if a heat treater is not a DoD contractor or in the DoD supply chain, NIST 800-171 is a great "best practice" standard for any organization to improve overall cybersecurity health. This will help in obtaining future orders because customers will know critical data is secure. Explaining NIST 800-171 in depth, and each of the specific control areas, is beyond the scope of this article, so, be on the lookout for a future article on this specific topic later in this series of articles.
Consequences of Failing To Comply With DFARS 7012 and NIST 800-171
Whether heat treaters move forward with these DoD cybersecurity initiatives will have an overwhelming impact on the DoD supply chain and on your business. If many heat treaters in the U.S. choose not to embrace the mandatory requirements, the DoD and DoD contractors will award contracts solely to the few heat treaters who do choose to become compliant. Poor cybersecurity practices can result in hacking, loss of company data and critical customer data, and attacks by malware, viruses, and ransomware. All of this can result in major damage to the business and loss of customers, not to mention being liable for all losses and paying significant fines.
Complying with DFARS 7012 and NIST 800-171 is a requirement for all DoD contractors, subcontractors, vendors, and suppliers. The DoD has now begun confirming that contractors and subcontractors are compliant before awarding additional contracts. Navigating NIST 800-171 and DFARS is a complex and challenging — but necessary — step in this process.
Watch for Future Articles in Heat Treat Today Covering the Following Topics:
DFARS 252.204-7012 and NIST SP 800-171 Explained for Heat Treaters
DFARS Interim Rule Explained (DFARS 252.204-7019, 7020, and 7021)
General Cybersecurity Best Practices and What You Should and Should Not Do
Performing Your Basic & Your Final NIST 800-171 Assessments
Submitting Your Assessment Score(s) to the SPRS (Supplier Performance Risk System)
CMMC 2.0: The New Changes and How To Become Certified
How To Safely and Securely Work From Home and Work Remotely
If You're Not Using 2FA or MFA, Your Data and Your Customer’s Data Is Not Secure
. . . and many more cybersecurity topics curated for heat treaters
Can You Afford Compliance? Funding and Cost Sharing for Heat Treaters
With the huge push for cybersecurity by the government, cost sharing and funding sources have been identified that may cover a substantial percentage of the costs associated with these critical cybersecurity projects.