Cybersecurity Maturity Model Certification is here. Manufacturers must be ready.

For Ohio manufacturers and contractors that serve the Department of Defense (DoD), or that manufacture on behalf of the government, Cybersecurity Maturity Model Certification (CMMC), which builds on the National Institute of Standards and Technology (NIST) SP 800-171 security requirements, is top of mind.

Contractors and suppliers in this space are now required to comply with the recently revised NIST requirements in order to achieve a Cybersecurity Maturity Model Certification. Affected companies should be talking with their managed service providers (MSP/MSSP) to learn what they need to do to become CMMC Level 1, Level 2 or Level 3 compliant.

“We’re starting to see more Defense Industrial Base (DIB) contractors, government contractors, and defense contractors flow down clauses requiring their organization to become CMMC compliant to minimize their attack surface,” says Cristina Alati, a Cybersecurity Engineer at Blue Technologies, Inc.

Smart Business spoke with Alati about the new framework and what manufacturers must do to comply.

What does the compliance process look like?

The CMMC framework unifies existing NIST standards into a single certification model intended to ensure that DoD contractors are properly protecting sensitive defense information. The DoD has implemented these basic safeguarding requirements to improve the overall security posture of its supply chain.

CMMC does not change any existing cybersecurity requirements. Instead, it steps up enforcement of the security requirements already in effect for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Making the required changes, even for companies that were already following the NIST framework, can be a long, drawn-out investment for an organization. The time and effort needed to reach a certification level depends on the company’s existing infrastructure and its current level of compliance. Companies that already have a strong cybersecurity posture will likely have less to work through. Even a contractor that handles only minimal FCI and/or CUI data day to day will be required to be CMMC compliant.

The CMMC proposed rule was published in December 2023 and updated in August 2024, and the standards are expected to be enforced beginning in March 2025. That puts more pressure on contractors to meet the standards and on MSPs to provide the guidance needed to reach these levels.

How does a company’s MSP factor into this?

Under the new flow-down clauses coming from the DIB, the proposed revisions require that a contractor’s MSP also reach the same level of compliance in its own environment in order to support DoD contractors. So, not only must MSPs be just as secure as their highest-level client, they must also be able to provide the support contractors need to meet those requirements.

The right MSP should be able to provide support from every angle: 24/7 Security Operations Center monitoring, policies and procedures, technical updates and configuration changes, installation of newer and more secure equipment, and more. That matters because, to be deemed compliant, a CMMC Third-Party Assessment Organization (C3PAO) must assess both the MSP’s and the client’s environments, including all of the company’s documentation and procedures. Once the assessor has determined that the MSP and the client meet the criteria, the company receives certification that it is CMMC compliant. Though the details are not yet finalized, there is a possibility that a certified company could be subject to annual assessments to confirm that the criteria continue to be met.

What happens if companies are not compliant?

Manufacturers that want to stay in the government and Department of Defense manufacturing space must comply with these standards or they cannot be awarded contracts. And the deadlines manufacturers must meet will only become more pressing. Becoming compliant is a slow process, so companies would benefit from acting sooner rather than later.

INSIGHTS Technology is brought to you by Blue Technologies, Inc.

Cristina Alati

Cybersecurity Engineer Tier 2
Contact

330.771.8008
