CMMC Certification for Manufacturers - What You Need to Know

The Cybersecurity Maturity Model Certification or CMMC is a new security certification from the U.S. Department of Defense (DoD) that will come in September 2020. It will apply to all contractors and suppliers doing business with the DoD, whether in the US, Canada, or elsewhere.

The new requirement for CMMC certification has several implications. From now on, all companies that have current contracts or compete for new contracts with DoD will have to hold CMMC certification.

What are CMMC’s Objectives

It’s designed to help the DoD to ensure its contractors take reasonable and adequate cybersecurity measures to protect the information entrusted to them, including:

- Federal Contract Information (FCI)

- Controlled Unclassified Information (CUI)

What are the Immediate Impacts?

Starting in June 2020, DoD will gradually include CMMC requirements in its requests for information and tenders, eliminating manufacturers and contractors who have not taken steps to prepare for CMMC certification.

What is the scope of CMMC certification?

Your CMMC compliance must cover at least the portion of your network that collects, processes, stores, or transmits Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Is a company exempted if it complies with Canadian Department of Defence Requirements?

No. DoD has its own rules, and you must comply with the CMC to be eligible for DoD contracts.

What are the next steps?

If you are a DoD contractor or want to do business with the DoD, you need to begin the CMMC compliance process.

CMMC includes 171 practices from 17 areas of cybersecurity. These practices are divided into five levels of certification with associated levels of process maturity.

Level 1 / Basic (17 best practices): The best practices are documented when required
Level 2 / Intermediate (72 best practices): All relevant best practices are documented
Level 3 / Good (130 best practices): Relevant best practices are documented, reusable, and maintained
Level 4 / Proactive (156 best practices): Best practices are documented, reusable, and maintained. Activities are reviewed and measured.
Level 5 / Advanced / Progressive (171 best practices): Relevant best practices are documented, reusable, and maintained. Activities are reviewed and measured. The methodology becomes a standard implemented throughout the organization.

The 17 areas of cybersecurity covered by CMMC are:

Access control
Audit and accountability
User awareness and training
System configuration management
User identification and authentication
Responding to cybersecurity incidents
System maintenance
Protection of media and information storage media
Personnel safety
Physical security
Risk management
Safety assessment
Protection of systems and communications
System and information integrity

Information asset management
Recovery and backups
Situational awareness (operational security, security monitoring, and cyberthreat hunting)

CMMC and NIST 800-171. Are They Connected?

Yes, CMMC Level 2 to 5 includes NIST 800-171 requirements as well as additional requirements. If you are already NIST 800-171 compliant, you are well on your way to CMMC compliance.

Can StreamScan Help you with CMMC Compliance?

StreamScan specializes in cybersecurity for the manufacturing sector, and we already work with customers in the Defense/Military sector. We are accustomed to working with high cybersecurity standards such as NIST 800-171, CIS, NIST 800-53, etc.

Our cybersecurity experts are available to assist you in your CMMC compliance process.

The first step of our intervention is to perform a gap analysis to identify our current compliance level. This allows us to highlight your existing strengths and weaknesses and identify the practices required for CMMC compliance. With our support, your organization will be able to take all the steps necessary to attain CMMC certification.