If you’ve heard rumblings about a new certification your shop will need to work on federal defense contracts, don’t panic. Thanks to our affinity partner Core Business Solutions, NTMA has all the information you need to know regarding Cybersecurity Maturity Model Certification (CMMC).
CMMC is the Department of Defense’s solution for keeping sensitive information protected from cyberattacks at the hands of foreign adversaries. The certification establishes a unified standard that will be verified by independent third parties to ensure appropriate levels of cybersecurity across the defense industrial base.
How Will CMMC Certification Affect Modern Machine Shops?
Any Department of Defense (DOD) suppliers or subcontractors that handle sensitive information will need to have the appropriate level of CMMC certification by 2026—and that includes many modern machine shops. Shops will need this certification in place so that they can continue to bid on DOD contracts.
The DOD is in the process of training auditors who will be tasked with awarding certifications. Assessments could begin as early as the end of 2021, and certifications will be valid for up to 3 years after they are awarded.
There are 5 levels of CMMC certification, each one more rigorous than the last. If your shop works with federal contract information (FCI), you will need a level 1 or 2 certification. Shops that work with controlled unclassified information (CUI) will need a level 3 certification. Levels 4 and 5 will likely be reserved for service providers to the government that handle highly classified data.
How Modern Machine Shops Can Prepare for CMMC Certification
Becoming CMMC certified is a lengthy process, so shops that are likely to need certification may want to start preparing soon. In general, highly motivated shops can expect to achieve a level 1 certification in 2-3 months and a level 3 certification in 6-9 months, though the timeline varies from shop to shop.
Here are the steps you’ll need to take to become CMMC certified:
1. Requirements and assessments
Certification will require different procedures and practices depending on the type of information your shop works with. Practices are the technical activities required at each CMMC compliance level.
Level 1 certification requires 17 security practices, level 2 requires 72 practices, and level 3 requires 130 practices. Once you know the level of certification your shop requires, you can assess where you are, where you need to be, how long it will take to get there, and how to budget accordingly.
The practices required to achieve a level 1 certification cover areas like employee policies; network connections and firewalls; media and device protection; wifi settings; device maintenance and antivirus; user accounts and passwords; and visitors and secure facility access.
Level 2 certification includes all the same practices from level 1, plus additional practices. It appears that most small machine shops will need level 1 or 3 certification, and level 2 certification will serve as a stepping stone between them.
Most level 3 practices repeat the requirements of NIST 800-171 certification. These requirements break down into 40% organizational controls, handled by company management, and 60% technical controls, handled by an IT department.
2. Implementation and remediation
Once you’ve identified the procedures and practices you need to achieve a certain level of CMMC certification, your shop can begin upgrading technology and training staff to comply with the new standards.
3. Third-party assessment and certification
The final step is for a third party to assess your preparedness for certification. At this stage, your shop may be asked to correct any practices or standards it doesn’t yet meet. Once all standards are met, you’ll be awarded your certification.
If you have any specific questions about the certification process, the Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification page is a great resource to consult. It includes a helpful FAQ with the most updated information regarding CMMC certification.
Planning Ahead for CMMC Certification
Becoming CMMC certified does require an investment of time and money. Small shops will need to budget accordingly for the cost of employee training, IT system upgrades, third-party assessors, and potentially a consultant like Core Business Solutions to guide them through the certification process.
If your shop handles FCI or CUI, it’s a good idea to start planning for your certification as soon as possible. Planning ahead is key to ensuring that you use only the resources necessary to attain certification.
You can stay ahead of the curve with your NTMA membership! Join today to connect with other shops that are also going through the CMMC certification process.
For more information, check out the full webinar from Core Business Solutions, presented by John Christley, VP and Chief Information Security Officer.