New mandatory cybersecurity standards are poised to profoundly impact the over 300,000 manufacturers across the United States, including in West Michigan, that make up the country’s defense industrial base (DIB) supply chain.
On Jan. 31, the United States Department of Defense (DoD) released version 1.0 of what is called the Cybersecurity Maturity Model Certification (CMMC), which sets in place unified standards for cybersecurity that all members of the DIB must comply with in order to contract with the DoD.
“I have seen many regulatory requirements, this is the first time I’ve seen a regulation come down that is literally going to prevent people from doing business,” said Chad Paalman, CEO of NuWave Technology Partners LLC, an I.T. firm with offices in Grand Rapids, Kalamazoo and Lansing that specializes in CMMC compliance.
“This is going to get the attention of the C-suite …because if you can’t bid on work, and that means everything comes to a screeching halt because you don’t meet a certain certification”
The CMMC framework is comprised of five different tiered levels, which gauge the company’s maturity in regard to cybersecurity. Each level prescribes indicators of organizational maturity.
Level 1 for instance consists of measures that might be considered basic cybersecurity for small businesses, such as physical security and installing security updates for computers.
Existing contracts require businesses to implement NIST Special Publication 800-171. CMMC Level 3 includes these same requirements, enabling organizations who have already begun cybersecurity efforts to achieve CMMC certification more quickly.
While manufacturers belonging to the DIB are still responsible for implementing, monitoring and certifying the security of their I.T. systems, the government will also force the issue through third-party assessments.
The CMMC Accreditation Body will be training hundreds of third-party assessors. These assessors, working for or subcontracted by Certified Third Party Assessing Organizations, will travel around the country to provide CMMC assessments. This means manufacturers have to show proof of compliance to assessors and be certified by the CMMC accreditation body to qualify for defense contracts that carry a CMMC requirement.
The Defense Department plans to include CMMC requirements in new contract opportunities in the coming months. CMMC will be incorporated into all new contracts over the next five years. Subcontractors will likely hear about CMMC requirements through larger “prime” contractors doing business directly with agencies.
The effect of the new certification is profound, and an overwhelming number of manufacturers are lagging behind, experts say.
“The time to start thinking about preparation for CMMC is yesterday,” Paalman said. “I can tell you firsthand, since I support these companies’ networks, it is going to be an amazing amount of work for these companies and it’s not just the technical side — it’s the documentation of compliance, as well.”
Cost is a major sticking point, especially for an industry that notoriously does not invest in cybersecurity.
“My experience is that a lot of manufacturing companies do not have enough budget allocation for I.T. and cybersecurity,” Paalman said. “And that’s without CMMC.”
Another barrier is the absence of in-house experts who can tackle this daunting process. Even seasoned in-house I.T. professionals may likely find themselves unable to take on the complexities of CMMC compliance.
Sue Tellier, president of Grand Rapids-based supply chain management and logistics company JetCo Federal, described the new CMMC process as “profound” and “very underestimated.”
Tellier estimated that 80 percent of her company’s work is inside the defense industrial base, working as a prime government contractor and also alongside smaller manufacturers on government sales.
Two other Michigan-based manufacturers that supply the defense industry MiBiz contacted for this story declined to talk on the record about the CMMC compliance process.
Tellier said some prime contractors expect to lose a staggering 80 to 90 percent of the companies’ supply chain because companies will not be ready for the required CMMC level.
Meanwhile, JetCo Federal has taken the necessary steps. The company is NIST 800-171 compliant and Tellier estimated that it will be CMMC level 3 compliant by February.
“We’re taking it seriously and it’s a competitive advantage,” Tellier said. “If my competitors don’t take it seriously, it’s good for me but it’s not good for the defense industrial base, speaking as someone who cares about our nation and homeland security and knowing that our domestic supply chain is critical for that. I want people to pay more attention to it and take it seriously.”
While Tellier did sympathize with small businesses that might be gun shy about heavily investing to satisfy a set of standards that continue to shift and morph, she said the measures associated with achieving CMMC compliance create a better company.
“None of the things we have done has made our company worse,” Tellier said. “These are all steps that are making us more secure and have more honor and sensitivity in regard to our customer information.”
Paalman and Tellier agreed that the initial steps to CMMC compliance begin with business leaders deciding whether they want their companies to be a part of the defense industrial base. If companies already work with existing prime contractors, leadership must find out now what level of CMMC compliance they will need to continue the work.
From there, companies can benefit from working with a qualified I.T. consultant for a gap analysis and lay out a plan and budget that leads to CMMC compliance.
The urgency is driven in part by the fact that CMMC compliance can take months.
The new CMMC regulations come at an opportune time for Angela Hill and her Spring Lake-based Jadex Strategic Group, which supports the defense industrial base by working with clients to build out system configurations that equip defense vendors with a secure space.
Hill brings a unique perspective to the job with her global intelligence and counterterrorism experience. Hill served as a U.S. Navy military intelligence analyst and a federal contractor for tier 1 intelligence organizations like the Central Intelligence Agency, Defense Intelligence Agency and the National Geospatial-Intelligence Agency. Hill recently applied this expertise in the commercial space by forming Jadex earlier this year.
From her view, the new cybersecurity measures are a welcome addition.
“This new CMMC regulation is really ensuring that the government is protecting their information through their vendors,” Hill said. “Nation-state actors and their respective intelligence agencies actively target U.S. organizations and businesses to collect information for ongoing and future operations and work to covertly steal our nation’s national secrets, designs and emerging technologies. The new CMMC framework, at its core, is the government’s way of cracking down and saying you need to protect our relationship and the information we share with you.”
By Jayson Bussa, October 25, 2020, published on MiBiz