Aerospace and defense suppliers are no strangers to certifications that ensure high standards for quality and safety including AS9100, NADCAP, ISO9001, and ITAR. Thanks to an increasingly digitized world with formidable threats to sensitive data, cybersecurity safeguards and processes have become additional “must haves” for companies seeking to survive and thrive.
For those doing business with the Department of Defense (DoD), a new framework known as Cybersecurity Maturity Model Certification (CMMC) sets the standard for cybersecurity protocols. And, while CMMC is currently a directive for DoD contractors, the framework is likely to be used in some form by other federal agencies and will drive standards in key private sector industries, including aerospace, in the not-so-distant future.
In 2016, the DoD amended the Defense Federal Acquisition Regulation Supplement (DFARS) to provide safeguards for Controlled Unclassified Information (CUI) shared with contractors in carrying out their work. Through this amendment, DFARS Clause 252.204-7012, contractors have been required to implement the security measures outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) since January 1, 2018. Compliance with these measures is done by self-attestation, which has led to confusion, misinterpretation, and a low rate of compliance across the Defense Industrial Base (DIB).
These compliance issues, along with a series of high profile breaches of information, led the DoD to begin developing the CMMC framework in 2019. This model builds on the standards included in NIST SP 800-171, but goes beyond checking compliance with a specified set of controls. CMMC also measures the overall maturity of a company’s cybersecurity plan to ensure that practices and processes are ingrained in the organization’s operations. Certification is to be completed by a third party auditor and eliminates the allowance for Plans of Action and Milestones (POAMs) in place of established controls.
Michael Meline, CEO of Idaho-based Cyber Self-Defense and one of the country’s first 100 CMMC Provisional Assessors and Registered Practitioners, is well-versed in CMMC and the primary difference between the existing DFARS requirements and the new framework.
“CMMC is a Maturity Model. Companies can’t expect to just check a box with this. Assessors will want organizations to prove that their cybersecurity plan is an integral part of their business. If a company is waiting for an official deadline to start putting systems in place, chances are they’ll fail because they won’t have the time they need.”
The first version of the CMMC was released in January of 2020, outlining five levels of certification that address every business in the DIB from the largest primes to the smallest subcontractors. The tiered structure ranges from Level 1 “Basic Cybersecurity Hygiene” to Level 5 “Advanced.” Each level has its own requirements and expectations and builds off of the previous level. The required level of certification for a contractor is aligned with the type and sensitivity of information to be protected and the range of potential threats within a given contract.
Level 1 provides basic cybersecurity safeguards for anyone doing business with the DoD, but those working with CUI will need to implement the “Moderate” safeguards outlined in Level 3 at a minimum. Most DoD contractors can expect to be required to achieve Level 3 certification.
Work continues on the framework including the development of Levels 4 and 5, but when the phased roll-out is complete, any contractor or subcontractor will have to have some level of CMMC in order to even bid on a DoD contract.
As of the time of printing this story, no CMMC assessments have been formally authorized, but the tools for doing so are currently being developed by the CMMC Accreditation Body in partnership with the DoD. The Accreditation Body is responsible for CMMC audits, accreditation and training of CMMC Provisional Assessors and third-party assessor organizations (C3PAOs). This organization is working to grow the number of authorized resources available to companies across the country and maintains a website, https://www.cmmcab.org, with a listing of approved resources and other official information related to CMMC.
Intermediate Reporting Requirements
While the CMMC process is being rolled out, an intermediary step in DFARS reporting was added in 2020. New rules require companies to report their compliance with DFARS/NIST SP 800-171 through the Supplier Performance Risk System (SPRS). The resulting SPRS score provides feedback about compliance and has increased the focus on the need to adhere to current NIST SP 800-171 standards in addition to preparing for CMMC.
By self-attestation through the SPRS and contract agreements, companies are declaring that they are currently in full compliance with the required controls. Should they not truly be in compliance, they are at risk of being sued by the federal government under the False Claims Act, which carries a penalty of three times the value of the contract and $11,000+ per claim.
Meline and Alex Stanton, Managing Partner at cybersecurity company ExBabylon, report that many of the companies they work with fall short of meeting the NIST SP 800-171 standards and they advise company leaders to ask questions of their team about their system security plan rather than assuming all is well. Stanton says that leadership needs to be actively involved with cybersecurity planning,
“This isn’t an IT problem. It’s a business strategy that requires top down decision making and the massive collaboration of an internal team, often with the assistance of outside expertise to effectively address.”
In tackling the required cybersecurity controls, the experts recommend that current DoD contractors confirm NIST SP 800-171 compliance or address issues immediately while simultaneously initiating a soft CMMC readiness program. This includes conducting an analysis of the people, processes and technology associated with a company’s cybersecurity plan and identifying gaps. From there, companies can develop a road map and assign a cost to filling each gap.
Companies already in full NIST compliance are well-positioned to address the additional requirements for Level 3 CMMC. Those considering doing business with the DoD for the first time in the next two years should focus their attention on preparing for Level 3 CMMC.
While many contractors are concerned about the costs associated with achieving CMMC, DoD has stated that these costs should not be prohibitive and have determined that the cost of certification will be considered an allowable, reimbursable cost.
Beyond Defense Contracting
While CMMC is presently required only for suppliers working with the DoD, the standard is paving the way for other sectors. Major aerospace OEM’s including GE, Boeing, Northrup Grumman, Raytheon, and Lockheed Martin have developed their own dedicated data security requirements for suppliers. As CMMC rolls out, Stanton says companies may well adopt that single set of standards throughout their entire supply chain.
“I firmly believe that we’ll see the commercial aerospace world stop bifurcating between their defense and commercial supply chains. Once you start seeing CMMC audits happening, you will probably see the Boeings of the world start saying to all of their suppliers ‘Let me see your CMMC certification’.”
Companies seeking a competitive advantage in the commercial aerospace industry would, thus, be wise to start positioning themselves in accordance with CMMC guidelines now.
Meline believes that CMMC provides a model for basic cybersecurity that all companies should consider adopting,
“As a company, Level 3 CMMC is going to give you a business benefit. You reduce the risk of losing your competitive advantage or going out of business due to a cyber event. You put yourself in a position to win contracts and build your business, but it’s also the right thing to do to protect your customers and that makes good sense.”
To learn more about CMMC and find authorized resources to assist your business, visit https://www.cmmcab.org. For those in Eastern Washington and North Idaho, click here to sign up for a CMMC Roundtable event to be held on October 28th in Post Falls, Idaho. Company leaders and key staff members are invited to attend and interact directly with regional cybersecurity experts.
Michael Lee Meline Jr.
President and CEO
Cyber Self-Defense, LLC
ExBabylon Professional IT Solutions