New Cybersecurity Requirements for Manufacturers: CMMC and NIST 800-171
By George Chao, Manex Consulting
Are you concerned about keeping or getting new defense contract work?
Getting new defense contract work, or keeping what you have, requires a clear understanding of the requirements and the current defense contracting landscape. How will the Department of Defense’s (DoD) new cybersecurity requirements affect your business? Have you received a letter from your DoD contract officer or prime contractor asking you to complete your NIST 800-171 basic assessment and enter your score into the Supplier Performance Risk System (SPRS)?
As a small manufacturer, you may feel that you don’t have the resources or bandwidth to comply with DoD’s new cybersecurity requirements. Manex is helping manufacturers maintain or obtain defense contracts with the new cybersecurity requirements. Grant funding allows us to offer affordable solutions for Cybersecurity Maturity Model Certification (CMMC) and NIST 800-171.
Who needs CMMC & the NIST 800-171 basic assessment?
Why is it mandated in the Defense Federal Acquisition Regulation Supplement (DFARS)?
If your company has a contract that references federal contract information (FCI) or controlled unclassified information (CUI), you will be required to become certified under the Cybersecurity Maturity Model Certification (CMMC). Contact your defense contract customer to determine if or when you will be required to implement CMMC.
What is the current requirement (as of November 30, 2020)?
DFARS 7012-24.7012 currently mandates that all companies within the Defense Industrial Base (DIB) that handle, store, process, or transmit CUI provide a current (within 3 years) NIST 800-171 basic assessment score. The same contract clause requires CMMC, which is to be rolled out to all 300,000 contractors in the DIB between 2021 and 2025.
The DFARS regulation is intended to safeguard CUI (information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended). It is either created by the government or created for the government.
CUI in manufacturing is often in the form of specifications and technical drawings, but can also include personnel data, military installation access data and dozens of other types.
Why is CMMC mandated?
The theft of intellectual property and sensitive information from all industrial sectors due to malicious cyber activity threatens economic security and national security. Each year, the U.S. experiences hundreds of billions of dollars in intellectual property theft.
What CMMC maturity level is your company?
There are five maturity levels based on the risk of information being shared. “Maturity” refers to the degree of implementation throughout your organization.
- Level 1 is required in FAR Clause 52.204-21. It is the lowest risk and protects FCI (any information in a contract not available to the public).
- Level 3 builds upon the existing DFARS 252.204-7012 regulation and its NIST 800-171 requirements.
Your company is Level 1 if you only receive federal contract information (FCI): any information not available to the public, such as delivery location, installation date, or special access codes – anything that could put the DoD at risk if a hacker obtained it.
Your company is Level 3 if you get or create controlled unclassified information or CUI (information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended). It is either created by the government or created for the government.
CUI categories are defined on the Archives.gov site. There are 24 categories of content and 83 subcategories of content! Each category is designated as either CUI Basic or CUI Specified. Your government contract requirements may identify which information is CUI.
Manex helps manufacturing companies complete their NIST 800-171 basic assessment score, submit it to SPRS, and begin their CMMC Level 1 and Level 3 efforts. Let us know how we can help.
About the Author:
George Chao is Manager of Advanced and Clean Tech Manufacturing for Manex and has over 10 years of business development experience in the cleantech/green tech and high tech manufacturing areas. He assists companies in finding capital resources and developing business strategies with a focus on the fields of bio, technology and renewable energy manufacturing. He can be reached at firstname.lastname@example.org.