CMMC — Safeguarding Sensitive Data and Opening Opportunities in Defense and Beyond


Aerospace and defense suppliers are no strangers to certifications that ensure high standards for quality and safety, including AS9100, NADCAP, ISO9001, and ITAR. In an increasingly digitized world with formidable threats to sensitive data, cybersecurity safeguards and processes have become additional “must haves” for companies seeking to survive and thrive.

For those doing business with the Department of Defense (DoD), a new framework known as the Cybersecurity Maturity Model Certification (CMMC) sets the standard for cybersecurity practices. While CMMC is currently a directive for DoD contractors only, the framework is likely to be adopted in some form by other federal agencies and to drive standards in key private-sector industries, including aerospace, in the not-so-distant future.

Background

In 2016, the DoD amended the Defense Federal Acquisition Regulation Supplement (DFARS) to provide safeguards for Controlled Unclassified Information (CUI) shared with contractors in the course of their work. Under this amendment, DFARS Clause 252.204-7012, contractors have been required to implement the security controls outlined in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) since January 1, 2018. Compliance with these controls is verified only by self-attestation, which has led to confusion, misinterpretation, and a low rate of compliance across the Defense Industrial Base (DIB).

CMMC

These compliance issues, along with a series of high-profile breaches of information, led the DoD to begin developing the CMMC framework in 2019. The model builds on the controls in NIST SP 800-171 but goes beyond checking compliance with a specified set of controls: CMMC also measures the overall maturity of a company’s cybersecurity program to ensure that practices and processes are ingrained in the organization’s operations. Certification is performed by a third-party assessor, and the framework eliminates the allowance for Plans of Action and Milestones (POAMs) in place of implemented controls.

Michael Meline, CEO of Idaho-based Cyber Self-Defense and one of the country’s first 100 CMMC Provisional Assessors and Registered Practitioners, is well-versed in CMMC and in the primary difference between the existing DFARS requirements and the new framework.

“CMMC is a Maturity Model. Companies can’t expect to just check a box with this. Assessors will want organizations to prove that their cybersecurity plan is an integral part of their business. If a company is waiting for an official deadline to start putting systems in place, chances are they’ll fail because they won’t have the time they need.”

The first version of CMMC was released in January 2020, outlining five levels of certification that address every business in the DIB, from the largest primes to the smallest subcontractors. The tiered structure ranges from Level 1, “Basic Cybersecurity Hygiene,” to Level 5, “Advanced.” Each level has its own requirements and expectations and builds on the previous level. The level of certification required of a contractor is aligned with the type and sensitivity of the information to be protected and the range of potential threats within a given contract.

Level 1 provides basic cybersecurity safeguards for anyone doing business with the DoD, but those working with CUI will need to implement the “Moderate” safeguards outlined in Level 3 at a minimum. Most DoD contractors can expect to be required to achieve Level 3 certification.

Work continues on the framework, including the development of Levels 4 and 5, but once the phased roll-out is complete, every contractor and subcontractor will need to hold some level of CMMC certification in order to even bid on a DoD contract.

Accreditation

As of the time of printing this story, no CMMC assessments have been formally authorized, but the tools for conducting them are being developed by the CMMC Accreditation Body in partnership with the DoD. The Accreditation Body is responsible for CMMC audits and for the accreditation and training of CMMC Provisional Assessors and CMMC Third-Party Assessor Organizations (C3PAOs). It is working to grow the number of authorized resources available to companies across the country and maintains a website, https://www.cmmcab.org, with a listing of approved resources and other official information related to CMMC.

Intermediate Reporting Requirements

While the CMMC process is being rolled out, an intermediate step in DFARS reporting was added in 2020. New rules require companies to report their compliance with DFARS/NIST SP 800-171 through the Supplier Performance Risk System (SPRS). The resulting SPRS score provides feedback on compliance and has sharpened the focus on adhering to current NIST SP 800-171 requirements in addition to preparing for CMMC.

Through self-attestation in SPRS and in contract agreements, companies are declaring that they are currently in full compliance with the required controls. If they are not truly in compliance, they are at risk of being sued by the federal government under the False Claims Act, which carries a penalty of three times the value of the contract plus $11,000+ per claim.

Action Steps

Meline and Alex Stanton, Managing Partner at cybersecurity company ExBabylon, report that many of the companies they work with fall short of the NIST SP 800-171 requirements. They advise company leaders to question their teams about the system security plan rather than assuming all is well. Stanton says that leadership needs to be actively involved in cybersecurity planning,

“This isn’t an IT problem. It’s a business strategy that requires top down decision making and the massive collaboration of an internal team, often with the assistance of outside expertise to effectively address.”

In tackling the required cybersecurity controls, the experts recommend that current DoD contractors confirm NIST SP 800-171 compliance, or address any shortfalls immediately, while simultaneously starting a soft CMMC readiness program. This includes analyzing the people, processes, and technology associated with the company’s cybersecurity program and identifying gaps. From there, companies can develop a road map and assign a cost to closing each gap.

Companies already in full NIST SP 800-171 compliance are well-positioned to address the additional requirements of CMMC Level 3. Those considering doing business with the DoD for the first time in the next two years should focus their attention on preparing for CMMC Level 3.

While many contractors are concerned about the costs of achieving CMMC, the DoD has stated that these costs should not be prohibitive and has determined that the cost of certification will be treated as an allowable, reimbursable cost.

Beyond Defense Contracting

While CMMC is presently required only for suppliers working with the DoD, the standard is paving the way for other sectors. Major aerospace OEMs, including GE, Boeing, Northrop Grumman, Raytheon, and Lockheed Martin, have developed their own dedicated data security requirements for suppliers. As CMMC rolls out, Stanton says, companies may well adopt that single set of standards throughout their entire supply chain.

“I firmly believe that we’ll see the commercial aerospace world stop bifurcating between their defense and commercial supply chains. Once you start seeing CMMC audits happening, you will probably see the Boeings of the world start saying to all of their suppliers ‘Let me see your CMMC certification’.”

Companies seeking a competitive advantage in the commercial aerospace industry would thus be wise to start aligning themselves with CMMC guidelines now.

Meline believes that CMMC provides a model for basic cybersecurity that all companies should consider adopting,

“As a company, Level 3 CMMC is going to give you a business benefit. You reduce the risk of losing your competitive advantage or going out of business due to a cyber event. You put yourself in a position to win contracts and build your business, but it’s also the right thing to do to protect your customers and that makes good sense.”

To learn more about CMMC and find authorized resources to assist your business, visit https://www.cmmcab.org. For those in Eastern Washington and North Idaho, a CMMC Roundtable event will be held on October 28th in Post Falls, Idaho. Company leaders and key staff members are invited to attend and interact directly with regional cybersecurity experts.

Michael Lee Meline Jr.

President and CEO

Cyber Self-Defense, LLC

(208) 277-8857

mike@cyberselfdefense.com

http://www.cyberselfdefense.com

Alex Stanton

Managing Partner

ExBabylon Professional IT Solutions

(509) 671-0439

alex@exbabylon.com

http://www.exbabylon.com
