By Brad Moore, Director of Sales Engineering, bradm@badgeralloys.com
Over the last decade, the rise in ransomware, phishing attacks and cyberattacks by foreign governments has led to the development of the Cybersecurity Maturity Model Certification (CMMC). CMMC is a cybersecurity framework developed to protect the information created and shared within the Defense Industrial Base (DIB). The certification program specifies the hardware, software and other controls required to safeguard sensitive electronic information related to Department of Defense (DoD) contracts.
One of the three levels of certification will be required for all future contracts with the DoD and potentially all government contracts. Any company doing business with the DIB will have to be compliant. There is also a chance that the private sector adopts these same requirements, making the need for compliance much greater. Businesses should take these requirements seriously and be proactive about implementing them.
Currently, manufacturing, healthcare and finance are among the most targeted sectors. To minimize the risk of future cyberattacks and protect sensitive information, companies will need to implement the cybersecurity best practices described in CMMC.
Three-level Certificate Series
The original CMMC was a five-level certificate series and has since been revised as CMMC 2.0 into a three-level system. Level 1 is a foundational level requiring an annual self-assessment against 17 practices. Many of the practices required as part of the Level 1 certification are already being performed by most organizations.
Level 2 includes 110 practices drawn from NIST SP 800-171, which was originally created to protect Controlled Unclassified Information (CUI). The 110 practices are more specific and prescriptive than those outlined in Level 1. Depending on the type of contract being awarded and the information contained within it, Level 2 could require an outside audit by a third party every three years.
Level 3 is considered the expert level and will be required for the highest-security contracts. It expands Level 2 even further with the addition of NIST SP 800-172, an 84-page addendum that calls for a government-led assessment every three years.
Impact on Businesses
One of the main purposes of CMMC is to secure networks and prevent unauthorized access. The additional required safeguards will make remote work more complicated. Multifactor authentication will become the norm, devices with mobile or removable storage will have to be encrypted, mobile device access will need to be controlled, and the adoption of Industry 4.0 will become more difficult. In order to keep networks secure, businesses may need to place Industry 4.0 devices on their own separate wireless network, much like a guest network.
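The guest-network style separation described above comes down to a forwarding policy that keeps the shop-floor wireless segment from reaching the corporate LAN except through a few explicitly allowed paths. The following nftables ruleset is an added illustration, not configuration from Badger Alloys or from CMMC itself; the interface names, address ranges and the broker and jump-host addresses are hypothetical placeholders chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original article): isolate an Industry 4.0 / OT
# wireless segment from the corporate LAN on a Linux gateway.
#
# Assumed (hypothetical) layout:
#   eth0  = corporate LAN           10.10.0.0/16
#   eth1  = internet uplink
#   wlan1 = OT / Industry 4.0 SSID  10.40.0.0/24  (its own VLAN, like a guest network)
#   10.10.5.10 = MQTT-over-TLS broker on the LAN that devices are allowed to publish to
#   10.10.5.20 = management jump host on the LAN (sits behind multifactor authentication)

flush ruleset

table inet ot_segmentation {
    chain forward {
        # Default deny: any cross-segment traffic not listed below is dropped
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were explicitly permitted
        ct state established,related accept

        # OT devices may reach the internet uplink (vendor cloud, firmware updates)
        iifname "wlan1" oifname "eth1" accept

        # OT devices may publish telemetry to the LAN broker, TLS only
        iifname "wlan1" oifname "eth0" ip daddr 10.10.5.10 tcp dport 8883 accept

        # Only the MFA-protected jump host may manage devices on the OT segment
        iifname "eth0" oifname "wlan1" ip saddr 10.10.5.20 accept

        # Everything else from the OT segment toward the LAN is logged and dropped,
        # which gives the security team a record of devices probing the corporate side
        iifname "wlan1" oifname "eth0" counter log prefix "OT-to-LAN blocked: " drop
    }
}
```

Two design points are worth noting. The chain's default policy is drop, so adding a new device or protocol means adding an explicit allow rule rather than remembering to block something; and the final log-and-drop rule turns the segmentation boundary into a detection point, since any OT device attempting to reach the LAN shows up in the kernel log. Isolation between the OT devices themselves is handled on the access point (client isolation), not in this ruleset.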
CMMC compliance will be expensive and costs will increase with each level of certification. Currently, the final version of CMMC 2.0 has not been released and no contracts requiring CMMC 2.0 certification will be released until after the final version of the rule is published.
What this Means to Our Customers
As a sub-tier supplier to the Navy, Badger Alloys will be required to obtain our CMMC certification. We welcome the challenge and have already put many of the requirements in place. By being proactive with this certification process, Badger Alloys will be at the forefront of cybersecurity best practices.
Brad Moore, Director of Sales Engineering, recently presented on CMMC at the Steel Founders’ Society of America’s technical conference. To discuss the implications of CMMC on your business, please contact Brad at bradm@badgeralloys.com or 414/258-8200.