This article appeared in the Sep/Oct 2023 issue of MiMfg Magazine. Read the full issue and find past issues online.

Today’s everchanging cybersecurity landscape has a large impact on manufacturers, as it would on any business with systems and data. The U.S. Department of Defense (DoD) has been focused on ensuring companies in the Defense Industrial Base (DIB) are protecting DoD information entrusted to them as contractually required since 2017 under DFARS 252.204-7012. A need to create more structure around compliance has resulted in the creation of the Cybersecurity Maturity Model Certification (CMMC), with a pending rule under DFARS 252.204-7021.

When an organization, manufacturer or other is a supplier to the DoD and has been provided information that is controlled but unclassified, the organization has a requirement to protect it using the controls in NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. CMMC is an assessment framework developed by the DoD that requires formal third-party assessment that these controls are in place. CMMC is designed to provide an increased assurance to the DoD that a DIB contractor can adequately protect Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain. CUI does not include classified information; CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

Essential Considerations to Compliance

Don’t Wait for the CMMC Final Rule

The DFARS clause requiring implementation of the NIST SP 800-171r2 controls has not changed. Continue to improve your security posture even if currently you are not yet subject to the DFARS clause but expect to be in the future.

Compliance is More Than IT

Meeting these requirements is not limited to information technology. Based on your business, identify which roles within your organization are impacted. Other departments may include facilities, engineering, production, legal, human resources, operations, etc. Consider awareness and/or overview training for individuals who will be involved in this effort.

Identify Your Gaps

Conduct an objective self-assessment utilizing the published assessment guide. This will enable you to identify the gaps to the assessment objectives. You can then prioritize and develop a plan of action and mile-stones to resolve them. Implementation of actions may occur in parallel, while others may require completion of predecessors. If you are concerned with objectivity during the assessment, consider engaging an outside resource with applicable knowledge/training.

Leverage a Managed Service Provider/ Cloud Service Provider (MSP or CSP)

If you use a managed service provider (MSP) or cloud service provider (CSP), request a Shared Responsibility Matrix (SRM) so you have a clear understanding what its responsibilities are, what your responsibilities are and what may be shared responsibilities. Determine if the service provider understands and knows how to support you with these requirements.

Identify a Dedicated Team

The requirements to protect business information (company, customer, supplier, etc.) and ensure compliance with multiple diverse contractual, regulatory and legislative requirements are growing in complexity. Establish a dedicated team with governance oversight authority and direct access to key leadership as well as departments to ensure progress towards implementing and/or improving a security framework and supporting controls.

About the Author

Tania Abella manages Radian’s CMMC program as its subject matter expert and Cyber AB RP. She may be reached at info@ radiancompliance.com.

Radian Compliance is an MMA Premium Associate Member and has been an MMA member company since December 2022. Visit online: radiancompliance.com.