Fielding Manufacturers’ FAQs about CMMC

Here are answers to frequently asked questions we as a provider of testing, consulting, information and compliance services receive about Cybersecurity Maturity Model Certification.

Manufacturers that are part of the U.S. Defense Industrial Base (DIB) share many common questions about Cybersecurity Maturity Model Certification (CMMC). Source: iStock

Smithers receives many questions from manufacturers that are part of the U.S. Defense Industrial Base (DIB) about Cybersecurity Maturity Model Certification (CMMC) and NIST compliance. Many of these relate to the impending CMMC 2.0 release. Here are answers to several of those FAQs, which I believe will be helpful for machine shops that have embarked on the journey to CMMC:

Is data that comes out of my ERP CUI? This depends on whether your organization loaded or created controlled unclassified information (CUI) in the ERP system. If not, most organizations will find that their ERP contains Federal Contract Information (FCI) per FAR 52.204-21. This is information specific to a DOD contract that is not meant for public release, as it might contain specifics about the contract deliverables, timeline and funding. It is recommended not to contaminate an ERP with CUI, because the entire ERP, its hosting company and all your employees could then be considered in scope for your CMMC assessment.

Does the ERP have to be FedRAMP-compliant? If your ERP is used to process, store or transmit CUI and it is hosted in the cloud, it must meet Federal Risk and Authorization Management Program (FedRAMP) Moderate security baseline equivalency (DFARS 252.204-7012(b)(2)(ii)(D)). If the ERP is hosted locally with no cloud presence, then the ERP is required to meet all the controls of NIST SP 800-171.

What tools can I use to help me on my compliance journey? There are numerous Governance, Risk and Compliance (GRC) tools to assist companies with meeting the NIST SP 800-171 controls; ideally, the tool you choose should include the following:

  • All NIST SP 800-171 controls as well as the objective statements of NIST SP 800-171a.
  • Storage for policies and evidence.
  • Linkage between controls and objectives to the policies and evidence files.
  • Automatic creation of the system security plan (SSP) and the plan of actions and milestones (POAM).
  • An auditor module.
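To make the control-to-evidence linkage concrete, here is a small added Python example (not a product or code from the original article) that models the first four bullet points: controls with their NIST SP 800-171A objectives, evidence linked to each objective, and automatic generation of a system security plan summary and a POAM of objectives that still lack evidence. The control and objective identifiers follow the NIST SP 800-171/800-171A numbering scheme, but the objective wording is abbreviated and the evidence file names and policy IDs are constructed sample data.

```python
"""Minimal GRC-style linkage: controls -> objectives -> evidence, with SSP/POAM output.

Added illustration, not code from the article. Sample data is constructed.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Objective:
    """One assessment objective in the style of NIST SP 800-171A (e.g. 3.1.1[a])."""
    oid: str
    text: str
    # Policy identifiers or evidence file paths that satisfy this objective.
    evidence: List[str] = field(default_factory=list)


@dataclass
class Control:
    """One NIST SP 800-171 requirement together with its assessment objectives."""
    cid: str
    title: str
    objectives: List[Objective]


def control_status(control: Control) -> str:
    """A control is implemented only when every objective has linked evidence."""
    met = sum(1 for o in control.objectives if o.evidence)
    if met == len(control.objectives):
        return "Implemented"
    return "Partially Implemented" if met else "Not Implemented"


def build_ssp(controls: List[Control]) -> Dict[str, dict]:
    """System security plan summary: status and evidence set per control."""
    return {
        c.cid: {
            "title": c.title,
            "status": control_status(c),
            "evidence": sorted({e for o in c.objectives for e in o.evidence}),
        }
        for c in controls
    }


def build_poam(controls: List[Control]) -> List[dict]:
    """Plan of actions and milestones: one entry per control with unmet objectives."""
    poam = []
    for c in controls:
        gaps = [o.oid for o in c.objectives if not o.evidence]
        if gaps:
            poam.append({"control": c.cid, "status": control_status(c),
                         "open_objectives": gaps})
    return poam


def unlinked_evidence(controls: List[Control], repository: List[str]) -> List[str]:
    """Evidence files sitting in the repository that no objective references."""
    linked = {e for c in controls for o in c.objectives for e in o.evidence}
    return sorted(set(repository) - linked)


# Constructed sample data: objective wording abbreviated, evidence names invented.
SAMPLE_CONTROLS = [
    Control("3.1.1", "Limit system access to authorized users, processes and devices", [
        Objective("3.1.1[a]", "authorized users are identified",
                  ["POL-AC-01", "evidence/ad_user_export.csv"]),
        Objective("3.1.1[b]", "processes acting on behalf of authorized users are identified",
                  ["POL-AC-01"]),
        Objective("3.1.1[c]", "devices authorized to connect to the system are identified", []),
    ]),
    Control("3.1.2", "Limit system access to permitted transactions and functions", [
        Objective("3.1.2[a]", "permitted transactions and functions are defined", ["POL-AC-02"]),
        Objective("3.1.2[b]", "system access is limited to the defined types",
                  ["evidence/rbac_matrix.xlsx"]),
    ]),
    Control("3.1.3", "Control the flow of CUI in accordance with approved authorizations", [
        Objective("3.1.3[a]", "information flow control policies are defined", []),
    ]),
]

SAMPLE_REPOSITORY = [
    "POL-AC-01", "POL-AC-02", "evidence/ad_user_export.csv",
    "evidence/rbac_matrix.xlsx", "evidence/firewall_rules_2023.txt",
]

if __name__ == "__main__":
    print(json.dumps(build_ssp(SAMPLE_CONTROLS), indent=2))
    print(json.dumps(build_poam(SAMPLE_CONTROLS), indent=2))
    print("Unlinked evidence:", unlinked_evidence(SAMPLE_CONTROLS, SAMPLE_REPOSITORY))
```

The status rule is deliberately strict: a control with any objective lacking evidence lands on the POAM, which matches how an assessor scores a requirement against its 800-171A objectives. The `unlinked_evidence` check catches the opposite problem, evidence collected but never tied to an objective, which is wasted effort during an assessment.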

What are “specialized assets”? These include government property; Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices; operational technology; systems configured based entirely on government requirements and used to support a contract; and test equipment (CMMC Assessment Guide — Level 2, Version 2.0).

What would an “out-of-scope” asset be in a manufacturing plant? Out-of-scope assets cannot be, and are not, used to process, store or transmit CUI data. The asset must be physically or logically separated from CUI assets and from access to external networks. An out-of-scope asset could be a CNC machine, assembly robot or other such asset. The easiest way to narrow the scope is to ensure these types of machines and devices are not connected to any external networks or to networks used for CUI. Air gapping is the most common method of separating these machines (CMMC Assessment Guide — Level 2, Version 2.0).

Is encrypted CUI still CUI? CUI remains CUI regardless of encryption. Encryption is a control mechanism to help protect CUI when being transmitted or stored. It reduces the potential for unauthorized release if the data is lost in transit or stolen.

Are employee phones in scope for an assessment? If an employee’s phone is used to process, store or transmit CUI, it might be considered in scope depending on how the data is handled on the mobile device (especially if the data is accessed using the phone’s native applications). The use of a mobile device management container or virtual desktop infrastructure might provide the physical and logical separation needed to keep these mobile devices out of scope for the assessment.

Does my MSP have to be assessed when I get assessed? If the managed service provider (MSP) has access to any of the CUI assets, then it must be assessed as part of your organization’s assessment. MSPs typically manage numerous controls as part of your NIST/CMMC compliance, some entirely on their own and some shared with your organization. Since these controls are required to meet CMMC, the MSP will be involved in the assessment. If the MSP hosts CUI data or MSP personnel have access to CUI, then again, the MSP is part of the assessment.

About the Author

Robert McVay

Robert McVay is senior consultant — information security services for Smithers.
