The Cybersecurity Maturity Model Certification—or CMMC. If you're somewhat new to the aerospace manufacturing, you likely find yourself wondering what something like that has to do with engineering and manufacturing. After all, what does cybersecurity have to do with aerospace? If you don't know what CMMC compliance is, you may want to make it a priority because the US Department of Defense (DoD) will soon make it a requirement for any defense contractor who currently is or wants to work with the DoD. In this post, we will seek to answer this question as we investigate CMMC compliance.
So, what is CMMC? It is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which currently includes over 300,000 companies in the supply chain. These CMMC standards are the DoD's response to significant compromises of sensitive information located in their contractors' information systems. In other words, the government want to make sure data isn't vulnerable due to suboptimal standards on the part of vendors and contractors.
In the past, contractors were responsible for implementing, monitoring, and certifying the security standards of their own disparate systems. CMMC was drafted with input from University Affiliated Research Centers, Federally Funded Research and Development Centers, and the industry itself. While under the new standards, contractors are still responsible for implementing the cybersecurity standards. The CMMC adds the requirement for third-party assessments of contractors' compliance with practices, procedures, and capability to adapt to ever-evolving threats.
The DoD framework outlines five levels of certification. Each level builds upon the ones below it: level 3 certification, for example, includes the requirements for both levels 1 and 2. Below is a brief explanation of each level:
Level 1 demonstrates "Basic Cyber Hygiene." The minimal standard for every DoD contractor. Contractors who wish to pass an audit at this level must implement 17 controls of NIST 800-171 Rev1 (which we short-hand as "Rev1").
Level 2 demonstrates "Intermediate Cyber Hygiene." Here, DoD contractors implement another 48 controls of the National Institute of Standards and Technology (NIST) Rev1 in addition to 7 "Other" controls.
Level 3 demonstrates "Good Cyber Hygiene." To achieve this level, the final 45 rules of NIST Rev1 plus 13 other controls must be met.
The Department of Defense will soon require CMMC Compliance to keep cybercriminals at bay.
Level 4 demonstrates "Proactive" cybersecurity. In addition to satisfying NIST Rev1, contractors must also satisfy 11 controls of NIST 800-171 Rev2 (short-handed as "Rev2") as well as 15 "other" controls.
Finally, Level 5, which demonstrates "Advanced / Progressive" cybersecurity. To achieve the highest level, DoD contractors must implement the final controls of NIST Rev2 plus 11 "other" controls.
Additionally, to achieve each certification level, contractors and vendors must meet requirements for practices and processes associated with their level across 43 different capabilities spanning 17 capability domains.
CMMC will soon be a minimum requirement to be eligible for DoD contract awards, but contractors should never view their cybersecurity compliance as an accomplished mission once a certification is earned. The Department of Defense has emphasized that CMMC is a starting point for transforming contractors' internal cybersecurity culture and that the industry must focus on preparing their systems to be agile in a constantly evolving world of cyber threats.