NIST 800-171

Most SMBs Unprepared for CMMC 2.0, Risk Losing Contracts 

“The Cybersecurity Maturity Model Certification (CMMC) 2.0 aims to improve cybersecurity across the defense industrial base (DIB), but many small to mid-sized businesses (SMBs) struggle to meet the standards, putting them at risk of losing crucial contracts.” In this Cybersecurity Desk column, Joe Coleman, cybersecurity officer at Bluestreak Compliance, a division of Bluestreak | Bright AM™, raises the alarm about small to mid-sized heat treaters neglecting compliance standards and guides companies through the minefield of cyber threats facing all SMBs.



Despite an increasing cyber threat landscape, many small to mid-sized businesses (SMBs) in the Department of Defense (DoD) supply chain remain unprepared for compliance with NIST SP 800-171 R2 and CMMC 2.0. The Cybersecurity Maturity Model Certification (CMMC) 2.0 aims to improve cybersecurity across the defense industrial base (DIB), but many SMBs struggle to meet the standards, putting them at risk of losing crucial contracts. Surveys suggest that nearly 70% of SMBs are unready for the new requirements, and the real figure could be even higher due to some businesses inaccurately reporting compliance by inflating their assessment scores. 

Understanding CMMC 2.0 


CMMC 2.0 simplifies the original five-tier framework into three levels: 

  • Level 1: Basic cyber hygiene for contractors handling Federal Contract Information (FCI). 
  • Level 2: Advanced practices for those working with Controlled Unclassified Information (CUI). 
  • Level 3: Stringent requirements for contractors involved in national security projects. 

Compliance is mandatory for any contractor bidding on DoD contracts, including those working indirectly for federal contractors and subcontractors. SMBs should anticipate that customers and clients will inquire about their compliance, as these standards will soon affect their business relationships. Achieving compliance is a lengthy process, typically taking 12 to 18 months.

Low Readiness and Risks 

The lack of readiness among SMBs threatens both business continuity and national security. Many smaller contractors lack the resources and expertise to meet CMMC 2.0’s standards. Given the defense sector’s reliance on a wide variety of contractors, this gap could create widespread repercussions. 

Financial Implications of Non-Compliance 

Irreversible consequences from waiting to comply

Compliance with CMMC 2.0 can be financially burdensome. Implementing measures such as multi-factor authentication, encryption and continuous monitoring can be costly, especially for businesses with limited resources. The lack of in-house cybersecurity expertise compounds this issue, requiring companies to hire or train specialized personnel, further increasing costs. 

Failing to comply with CMMC 2.0 could result in losing valuable DoD contracts, which can be a significant portion of SMB revenue. Such losses could lead to layoffs, revenue declines or even business closures. 

Challenges to Compliance 

Several challenges contribute to the widespread unpreparedness among SMBs: 

  • Unclear timelines: Uncertainty surrounding DoD’s compliance timelines complicates planning and prioritization for SMBs. 
  • Complexity of requirements: While CMMC 2.0 simplifies the original framework, its specific requirements remain difficult to interpret for many SMBs, particularly in identifying necessary security measures. 
  • Resource limitations: The cost of achieving and maintaining compliance strains smaller businesses, which often lack the budgets for the required technology and expertise. 
  • Lack of cybersecurity expertise: A shortage of qualified personnel poses a significant obstacle, as demand for cybersecurity professionals is high across industries. 

Government Support Initiatives 

To help SMBs, the DoD has introduced various programs, including training, grants and educational resources. A phased implementation timeline also provides additional preparation time. However, industry experts suggest that further support, such as tax credits or subsidies, could help SMBs offset the costs of compliance. Clearer guidance from the DoD would also be beneficial in helping businesses navigate the certification process. 

Path Forward for SMBs 


To secure future contracts, SMBs must prioritize cybersecurity. This involves conducting internal risk assessments, identifying vulnerabilities, and creating compliance plans. Partnering with cybersecurity experts or managed service providers can help SMBs develop cost-effective strategies. Additionally, leveraging government resources and adopting critical security measures early will better position SMBs for CMMC 2.0 certification. 

Conclusion 

The widespread lack of preparedness for CMMC 2.0 poses significant risks to both SMBs and the defense supply chain. As deadlines approach, proactive measures from both businesses and the government are necessary to close the readiness gap and ensure the continued participation of SMBs in the defense sector. 

About the Author

Joe Coleman
Cyber Security Officer
Bluestreak Consulting
Source: Bluestreak Consulting

Joe Coleman is the cybersecurity officer at Bluestreak Compliance, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager and an early additive manufacturing (AM) pioneer. Joe presented at the Furnaces North America (FNA 2024) convention on DFARS, NIST 800-171, and CMMC 2.0.

For more information: Contact Joe at joe.coleman@go-throughput.com.





Cybersecurity Desk: CMMC vs. NIST SP 800-171: Understanding the Differences

In Department of Defense (DoD) compliance, many acronyms and standards define how businesses manage processes to stay compliant. This Cybersecurity Desk column was first released in Heat Treat Today’s September 2024 People of Heat Treat print edition. In it, Joe Coleman, cybersecurity officer at Bluestreak Compliance, a division of Bluestreak | Bright AM™, discusses the similarities and differences between the Cybersecurity Maturity Model Certification (CMMC) 2.0 and NIST Special Publication 800-171 Rev. 2.


What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) evaluates the maturity of an organization’s cybersecurity program. Developed by the DoD, it aims to equip over 300,000 Defense Industrial Base (DIB) contractors with robust defenses against cyber threats. Once formally published, CMMC 2.0 will be a mandated framework for private contractors and subcontractors seeking government contracts.

CMMC’s comprehensive approach includes NIST SP 800-171, NIST SP 800-172, and the Cybersecurity Framework (CSF), incorporating industry-leading practices. It ensures the effective implementation of critical controls and safeguards the integrity of the supply chain. CMMC 2.0 compliance certification has three levels:

  • Level 1: Foundational: For companies handling Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI).
  • Level 2: Advanced: For companies that store, process, or transmit CUI.
  • Level 3: Expert: For companies implementing highly advanced cybersecurity practices.

It will be referred to as DFARS 252.204-7021 when integrated into government-awarded contracts.


What Is NIST SP 800-171?

NIST SP 800-171 is the National Institute of Standards and Technology Special Publication 800-171 Rev. 2. It outlines security standards for non-federal organizations that handle CUI, ensuring they maintain strong cybersecurity practices. Compliance is mandatory for DoD primes, contractors, and supply chain service providers.

NIST 800-171 specifies five core cybersecurity areas: identify, protect, detect, respond, and recover. These areas serve as a framework to protect CUI and mitigate cyber risks. The standard comprises 110 security controls within 14 control families, leading to 320 control or assessment objectives. Compliance is measured on a 110-point scale, with a possible range from -203 to 110. An initial negative score is not uncommon.

Even for organizations with some cyber/IT security measures, retaining a qualified DFARS/NIST 800-171 consultant or a CMMC Registered Practitioner (RP) or CMMC Registered Practitioner Advanced (RPA) is highly recommended to guide you through the process.

Similarities Between NIST SP 800-171 and CMMC

Both CMMC and NIST SP 800-171 aim to strengthen information security and protect sensitive data, ensuring the confidentiality, integrity, and availability of organizational information assets. Here are some of the key similarities:

  • Control Alignment: CMMC 2.0 Level 2 aligns with NIST SP 800-171 Rev. 2’s 110 controls.
  • Focus: Both frameworks emphasize protecting data confidentiality, integrity, and availability.
  • Role Definitions: They describe roles within an organization’s cybersecurity program and interactions among those roles.
  • Asset Identification: Both require identifying assets and vulnerabilities and creating a risk management plan.
  • Cybersecurity Program Development: Organizations must develop a program with policies, procedures, and standards.
  • Risk Management: Both require identifying, assessing, prioritizing, and responding to risks, though CMMC is more comprehensive.

Differences Between NIST SP 800-171 and CMMC

While both frameworks enhance cybersecurity, they have distinct features:

  • Compliance Requirement: DFARS 252.204-7012 mandates NIST SP 800-171 compliance; DFARS 252.204-7021 mandates CMMC certification for handling CUI.
  • Assessment: NIST SP 800-171 compliance is self-assessed, while CMMC requires an independent third-party assessment.
  • Levels: CMMC has three certification levels, each more stringent than NIST SP 800-171 alone.
  • Scope: CMMC integrates additional NIST SP 800-172 practices and industry standards beyond NIST SP 800-171.

Conclusion


Understanding the differences between CMMC 2.0 and NIST SP 800-171 Rev. 2 is crucial for organizations enhancing their cybersecurity posture. Both frameworks are essential for assessing maturity in governance, risk management, incident response, data protection, and technology assurance. Adopting these frameworks ensures proactive adaptation to evolving threats and compliance with regulatory standards.





Cybersecurity Desk: What Should Heat Treaters Be Doing NOW?


This seventh article in the series from the Cybersecurity Desk helps you determine if CMMC applies to your business, learn what changes were made to CMMC 1.0, know what you should be doing NOW to prepare for CMMC 2.0, and more.

Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s May 2023 Focus on Sustainable Heat Treat Technologies print edition.


Introduction


Along with determining if CMMC (Cybersecurity Maturity Model Certification) applies to your business, this 7th article in the series from Heat Treat Today’s Cybersecurity Desk will give you a better understanding of what the certification is all about and the requirements to become certified. Also, we will cover the changes that were made to CMMC 1.0, the current status of CMMC’s proposed rule, and what you should be doing NOW to prepare for when the CMMC 2.0 rule is finally released.

What Is Changing in CMMC 2.0

In November 2021, the Department of Defense (DoD) announced a major update to the CMMC program. To safeguard sensitive national security information, the DoD launched CMMC 2.0, a comprehensive framework to protect the Defense Industrial Base’s (DIB’s) sensitive unclassified information from frequent and increasingly complex cyberattacks. Manufacturers or suppliers that handle sensitive or Controlled Unclassified Information (CUI) in any way or those within the DIB need to pay attention. CMMC 2.0 condenses the original 5 CMMC maturity levels into 3 levels, eliminating levels 2 and 4, and removing CMMC unique practices and all maturity processes. They have also revised the number of controls required for each of the three new levels. Level 1 includes 17 controls, Level 2 has 110 controls, and the total number of controls in Level 3 is still to be determined. There are also several other changes made that somewhat relax the requirements from CMMC 1.0.

Who Does CMMC Impact?

Manufacturers in the DIB are going to be held accountable to safeguard sensitive information and must comply with CMMC 2.0. Any contractor, subcontractor, supplier, or manufacturer that provides parts or services to the DoD or anyone within the DIB (no matter how minuscule) will need to comply with one of the three levels of CMMC compliance.

What Should Heat Treaters Be Doing Now?

Although CMMC 2.0 is still in the rulemaking phase, the new CMMC proposed rule is expected to be released sometime in mid-2023. This will give some much needed clarity on how to move forward and will help streamline the implementation of CMMC. Warnings will be issued to the DIB through DoD primes and will be passed down through the supply chain. Manufacturers that do not comply will be at risk of losing contracts.

If you (or your clients) are doing work for any DoD primes (or NASA), such as Raytheon, Lockheed Martin, McDonnell Douglas, Northrop Grumman, or L3Harris (and many more), then this applies to your business. If you are unsure, check the fine print in your contracts, and/or ask your clients about their requirements.

If you handle CUI in any way, you need to be at a CMMC Level 2 or Level 3. The most common level is Level 2. If you don’t handle CUI in any way, but you do handle FCI (Federal Contract Information), you will need to be certified at a Level 1.

On average, it can take a company of up to 100 employees between 12 and 18 months to implement NIST 800-171 (CMMC Level 2). This means that even though CMMC 2.0 is not completed yet, you should not wait until it is. If you haven’t started your NIST 800-171 implementation, you’re already a year behind if you want to be ready when the CMMC 2.0 rule is released.

CMMC certification requires government oversight whereas NIST 800-171 compliance can be self-attested. You should always hire a qualified CMMC consultant to ensure that you’re “audit-ready” for your certification audit.

What’s the Difference Between FCI and CUI?

FCI is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service. CUI and FCI share important similarities and a particularly important distinction. Both CUI and FCI include information created or collected by or for the government, as well as information received from the government. However, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding and may also be subject to dissemination controls. In short: All CUI in possession of a government contractor is FCI, but not all FCI is CUI.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.




