Machine Shops: Keep CMMC on Your Radar
Machine shops serving the military/defense industry that currently aren’t working toward achieving Cybersecurity Maturity Model Certification could soon be caught flat-footed.
Manufacturers that are part of the U.S. Defense Industrial Base (DIB) share many common questions about Cybersecurity Maturity Model Certification (CMMC). Source: iStock
Is Cybersecurity Maturity Model Certification (CMMC) on your radar? It better be if you want to keep or win future U.S. Department of Defense (DOD) work.
In an October 11, 2024, press release, the DOD reiterated that the purpose of CMMC is to verify that defense contractors are compliant with existing protections for federal contract information (FCI) and controlled unclassified information (CUI), and are protecting that information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats. On that date, the final program rule for the CMMC program was released for public inspection on federalregister.gov. The press release goes on to say:
This rule streamlines and simplifies the process for small- and medium-sized businesses by reducing the number of assessment levels from the five in the original program to three under the new program.
This final rule aligns the program with the cybersecurity requirements described in Federal Acquisition Regulation part 52.204-21 and National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 Rev 2 and -172. It also clearly identifies the 24 NIST SP 800-172 requirements mandated for CMMC Level 3 certification.
With the publication of this updated 32 CFR rule, DOD will allow businesses to self-assess their compliance when appropriate. Basic protection of FCI will require self-assessment at CMMC Level 1. General protection of CUI will require either third-party assessment or self-assessment at CMMC Level 2. A higher level of protection against risk from advanced persistent threats will be required for some CUI. This enhanced protection will require a Defense Industrial Base Cybersecurity Assessment Center-led assessment at CMMC Level 3.
I’ve been beating the CMMC drum for a while and will continue to do so. What follows are descriptions of articles Production Machining has published on this topic that could be helpful for shops in the process of achieving — or perhaps even unaware of — CMMC. Visit gbm.media/cmmcinfo to find links to all of these plus additional articles about cybersecurity in general.
A Small CNC Machine Shop’s Journey to CMMC
Achieving CMMC takes time and money. In this article, Jayme Rahz, CEO of Midway Swiss Turn in Wooster, Ohio, describes some of the challenges the machine shop has faced and lessons it has learned on its CMMC voyage.
“We realized that if we wanted to continue to work on some of the government projects that we were already engaged with, but also possibly boost our work for the government, CMMC was going to be a really important step for us to take,” Rahz explains. “We also recognized that a lot of small companies such as ours might not make the effort to achieve CMMC, so the certification would give us a competitive advantage. However, we soon found out that working to achieve CMMC is expensive and time consuming, and resembles putting an ISO program into place. It’s an overwhelming thing for a very small shop to do, but we’re doing it.”
The Cost of CMMC for Small Manufacturing Businesses
Allison Giddens, co-president of Win-Tech, a machine shop in Kennesaw, Georgia, penned this article offering examples of the costs and challenges unique to small-business manufacturers operating in the Defense Industrial Base (DIB) as they pursue CMMC. She notes that manufacturers such as Win-Tech can have various types of equipment on their shop floors, some new, some decades old yet tried and true. And manufacturers in the DIB often have long-established business processes built for an industry that has stressed the importance of quality, price and lead time, but not cybersecurity. In this article, Giddens touches on required expertise, resource constraints, lack of leverage in negotiating license fees and hidden shopfloor costs.
Per Vestige Digital Investigations, there are options when considering how best to approach certification to CMMC. Source: U.S. DOD
Fielding Manufacturers’ FAQs about CMMC
Robert McVay is senior consultant, information security services, for Smithers, a provider of testing, consulting, information and compliance services. The company fields many questions about CMMC, and he shares answers to eight of those in the article. Here are three, each with the brief answer that he fleshes out further in the online article.
Is data that comes out of my ERP CUI? This depends on whether your organization loaded or created controlled unclassified information in the ERP system.
What tools can I use to help me on my compliance journey? There are numerous Governance, Risk and Compliance (GRC) tools to assist companies with meeting the NIST SP 800-171 controls.
What would an “out-of-scope” asset be in a manufacturing plant? Out-of-scope assets are those that cannot, or are not used to, process, store or transmit CUI data. The asset must be physically or logically separated from CUI assets or from access to an external network.
Leadership at Olson Custom Designs, a contract machine shop in Indianapolis, Indiana, that specializes in defense-industry contracts, says the work associated with CMMC is similar to what the company has done to achieve quality certifications such as AS9100 and ISO. Like those standards (and unlike previous cybersecurity requirements), CMMC requires third-party certification for most work involving CUI. Source: Olson Custom Designs
There are various ways machine shops that serve the military/defense industry can achieve CMMC. Damon Hacker, president, CEO and founder of Vestige Digital Investigations, offers a few to consider.
So, what are your options and which makes most sense for your organization? It’s first important to understand that only about 50% of the requirements of CMMC are true “technology” requirements. Roughly 25% of the requirements are “administrative” (think policies) and the rest are “operational.” When you understand that, you can start to understand why no silver bullet can address it all. In short, he suggests these as a shop’s most viable options:
- Do it yourself
- Work with an outside IT company
- Hire a cybersecurity company
- Engage a Registered Practitioner Organization (RPO) which is part of the CMMC ecosystem
- Bring in a CMMC Third-Party Assessment Organization (C3PAO) in a consultative approach
- Engage with a CMMC solution practitioner that specializes in cybersecurity, compliance and CMMC (RPO or C3PAO).
What’s Your CMMC Story?
I intend to continue my CMMC drum-beating in content for Production Machining, and would be interested in hearing your experiences and highlighting them in an upcoming story. Send me an email at dkorn@productionmachining.com and perhaps we can chat about it.