CMMC Certification for Manufacturers - What You Need to Know
The Cybersecurity Maturity Model Certification or CMMC is a new security certification from the U.S. Department of Defense (DoD) that will come in September 2020. It will apply to all contractors and suppliers doing business with the DoD, whether in the US, Canada, or elsewhere.
The new requirement for CMMC certification has several implications. From now on, all companies that have current contracts or compete for new contracts with DoD will have to hold CMMC certification.
What are CMMC's Objectives?
It’s designed to help the DoD to ensure its contractors take reasonable and adequate cybersecurity measures to protect the information entrusted to them, including:
- Federal Contract Information (FCI)
- Controlled Unclassified Information (CUI)
What are the Immediate Impacts?
Starting in June 2020, DoD will gradually include CMMC requirements in its requests for information and tenders, eliminating manufacturers and contractors who have not taken steps to prepare for CMMC certification.
What is the scope of CMMC certification?
Your CMMC compliance must cover at least the portion of your network that collects, processes, stores, or transmits Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Is a company exempted if it complies with Canadian Department of Defence Requirements?
No. The DoD has its own rules, and you must comply with CMMC to be eligible for DoD contracts.
What are the next steps?
If you are a DoD contractor or want to do business with the DoD, you need to begin the CMMC compliance process.
CMMC includes 171 practices from 17 areas of cybersecurity. These practices are divided into five levels of certification with associated levels of process maturity.
- Level 1 / Basic (17 best practices): The best practices are documented when required
- Level 2 / Intermediate (72 best practices): All relevant best practices are documented
- Level 3 / Good (130 best practices): Relevant best practices are documented, reusable, and maintained
- Level 4 / Proactive (156 best practices): Best practices are documented, reusable, and maintained. Activities are reviewed and measured.
- Level 5 / Advanced / Progressive (171 best practices): Relevant best practices are documented, reusable, and maintained. Activities are reviewed and measured. The methodology becomes a standard implemented throughout the organization.
The 17 areas of cybersecurity covered by CMMC are:
- Access control
- Audit and accountability
- User awareness and training
- System configuration management
- User identification and authentication
- Responding to cybersecurity incidents
- System maintenance
- Protection of media and information storage
- Personnel security
- Physical security
- Risk management
- Security assessment
- Protection of systems and communications
- System and information integrity
- Information asset management
- Recovery and backups
- Situational awareness (operational security, security monitoring, and cyberthreat hunting)
CMMC and NIST 800-171. Are They Connected?
Yes. CMMC Levels 2 to 5 include the NIST 800-171 requirements as well as additional requirements. If you are already NIST 800-171 compliant, you are well on your way to CMMC compliance.
Can StreamScan Help you with CMMC Compliance?
StreamScan specializes in cybersecurity for the manufacturing sector, and we already work with customers in the Defense/Military sector. We are accustomed to working with high cybersecurity standards such as NIST 800-171, CIS, NIST 800-53, etc.
Our cybersecurity experts are available to assist you in your CMMC compliance process.
The first step of our intervention is to perform a gap analysis to identify your current compliance level. This allows us to highlight your existing strengths and weaknesses and identify the practices required for CMMC compliance. With our support, your organization will be able to take all the steps necessary to attain CMMC certification.
Contact us if you’d like to discuss your CMMC compliance process.