When I began my career in manufacturing, the ISO 9000 standard was relatively new. I became an internal auditor given I had experience in QC and had extra time. By the mid 1990’s ISO 9000 had moved into the broader manufacturing market as a competitive advantage. By the mid 2000’s it was a necessity in many manufacturing sectors. I believe CMMC compliance is on the same path that quality certifications were on back then.
ISO 9000 and other quality standards exist to protect the customers of manufacturing companies. In most cases, those are other manufacturing companies. In recent years and understanding of this as “The Supply Chain” has become clear to the average person. Back in those days, the idea that a “general” manufacturer was going to be dictated to by their customers regarding a quality standard was novel and it was serious.
We are on the verge of a similar wave of compliance requirements related to cyber security. Cyber Security for advanced manufacturing is already here. Defense contractors or anyone who needs controlled goods certification are required to comply in the near future. Just like quality standards when they became more strict and better managed, you’ll be out of business if you fail to meet requirements.
What is CMMC Cyber Security
CMMC is short for Cybersecurity Maturity Model Certification and defines a set of standards that businesses must follow to comply. It is being adopted so that defense industrial contractors (mostly manufacturing companies) are able to certify their control of “Controlled Unclassified Information” or CUI.
It serves as secondary purpose of helping protect the supply chain against disruption caused by manufacturing cyber crime and cyber attacks against manufacturing.
The National Institute of Standards and Technology (NIST) is a US government agency that’s leading the way in defining best practices for cyber security. In fact, the Sabre Limited Managed Service offering is modeled around elements of the NIST protocols.
NIST 800 (specifically NIST SP 800 171 rev 2) is very similar to the ISO 9001/QS 9000/AS 9100 quality standards that manufacturing companies need to comply with depending on their customer.
The Three levels of CMMC Compliance
CMMC compliance includes 3 levels within the standard. Depending on what you manufacture and who your customers are, you are probably going to be asked to confirm compliance to one of those levels. For the federal governments of Canada and the USA, the CMMC compliance is to provide cyber security protection of Controlled Unclassified Information (CUI) as defined by the controlled goods programs in both countries.
Level 1 – Cyber Security for Manufacturing
Level 1 CMMC compliance will be for less complex manufacturing with a lower risk of disruption or data loss. This level of compliance requires implementation and adherence with 14 core practices with 59 objectives from the NIST 800 protocol. It is fairly easy to achieve if you have a small IT team internally including someone dedicated to patching and monitoring, and not a helpdesk person. Most professional managed service providers today would help you comply with this level as part of their standard offering.
Level 2 – Cyber Security for Advanced Manufacturing
Small or medium manufacturing companies that supply the defense industry are being asked to comply with CMMC level 2. The roll out is happening gradually but it is inevitable that you need to support all requirements within a year. The compliance deadline has been extended to allow for the certification bodies to be selected.
CMMC Level 2 requires 110 practices with 320 objectives be implemented by the business. This is substantially more complex than Level 1.
Sabre provides CMMC consulting services for customers pursuing this level of certification. Implementing Level 2 of CMMC is daunting. You should expect this to be a multi-year process in any normal sized manufacturing company.
Level 3 – Federal Critical Contract Cyber Security
It is very unlikely that a small or medium manufacturing company would be asked to manage this level of CMMC compliance. It imposes even stricter practices in cases where highly sensitive controlled unclassified information is managed by the contractor.
Broader Needs of Cyber Security for Advanced Manufacturing
It is my opinion that it’s a matter of time before automotive tier 1 and assemblers will require CMMC compliance (or some alternative standard that is essentially the same). These businesses are part of national critical infrastructure and as such are targets of state sponsored cyber attacks.
The Canadian government Centre for Cybersecurity has defined critical infrastructure as a target of foreign agents, and manufacturing as a key part of critical infrastructure. The interconnection and fragility of the supply chain was revealed during the pandemic.
The disruption of the supply chain is becoming more important than the lost revenue and annoyance of ransomware. As companies deploy Manufacturing 4.0 technologies and complete digital transformation efforts, cyber crime has a more serious impact on the business.
Summary of NIST Requirements at the Highest Level
This article is not intended to be a full walkthrough of CMMC compliance requirements for manufacturing nor even NIST 800. It is a brief summary. We’ve also released our own Cyber Security Essentials eBook that is more detailed on the NIST 800 framework while trying to remain “high level.”
Our cybersecurity for manufacturing eBook breaks down 18 areas called “Controls” that are a subset of the CMMC requirements. Just taking those requirements from our eBook we can create some summary requirements to help a business IT team or ownership understand what minimum requirements are.
Here are some major areas that are rarely implemented by the IT team at a customer.
- Inventory Management of IT Assets: This includes software, hardware etc. There are a variety of products on the market that can assess and document your inventory “Automatically.” CMMC compliance requires you to maintain this inventory in real time.
- Data Protection: Most companies backup their data, but they don’t identify, classify or dispose of data. NIST and CMMC compliance require procedures (not technology) in place. There are 3rd party applications that can help enforce data protection rules and compliance.
- Continuous Vulnerability Management: This level of NIST is focused on “Vulnerability Testing” and remediating those vulnerabilities. Virtually no small inhouse IT team has the time or energy to do this regularly. This is almost always outsourced, even by larger professional IT teams and also automated by software that conducts these activities.
- Preventive Maintenance: Most of the time this involves patching, auditing patch status, remediating issues detected by the vulnerability management etc. Again, most internal IT teams are reactive, not pro-active. They don’t have the resources to do preventive maintenance regularly.
- Audit Log Management: Audit logs are generated by all computer equipment. Your IT team needs to be regularly reviewing, analyzing and retaining these logs. Most small IT departments only look at logs to debug reactively. There are a number of products available that actively manage this process for an IT department.
- Network Infrastructure Management: This is similar to the preventive maintenance and audit log maintenance in that most IT departments are worried about the “squeaky wheels” of end user problems and don’t get around to proper system management, especially with documentation of the system changes and current state.
- Network Monitoring and Defense: Again with that proactive monitoring. This step involves collecting network traffic flow logs, setting activity alters and reviewing and managing those. This is often done with a SIEM – which is a highly specialized technology that few small manufacturing IT professionals can manage.
- Security Awareness and Skills Training: Your IT team are not generally good trainers. Your users are not usually very receptive to being told by IT they need to sit in a meeting to learn about cyber crime. This needs to be an HR activity, and vendors who specialize in this (usually remotely delivered with video and online tracked training) used.
- Application Software Security: Maybe your inhouse IT team can confirm they are patching the computer’s operating systems regularly, but few inhouse IT teams are patching software from 3rd party vendors. Everything from your CAD software to Adobe Acrobat to Java needs to have any security patches installed as they are released. And they are released all the time. Keeping on top of it is very hard to do.
- Incident Response: Internal IT teams are usually designed to execute project work and to handle helpdesk requests from users. They are reactive. When a cyber incident happens they will try and react. Incident response is a plan that needs to pre-exist just like an evacuation plan or natural disaster plan. Designated staff and processes for communication, reporting, tracking and controlling the incident need to be in place.
- Penetration Testing: Manufacturing businesses definitely require external penetration testing of environments. Cyber security for advanced manufacturing requires more intense internal penetration testing. Both types will be a part of the external audit and certification process. It makes sense to conduct these internal and external prior to attempting CMMC certification.
Many of these elements are supported by the Sabre Co-Managed IT services products that we sell, as well as our full managed services preventive maintenance packages for companies that don’t want to have a deep IT bench internally.
CMMC as a Competitive Advantage
It is my professional opinion that CMMC certification will provide manufacturers with a competitive advantage in the future. As more companies adopt CMMC, those that have already achieved certification will have an advantage over those that have not.
CMMC certification demonstrates that a company takes cybersecurity seriously. It means they’ve implemented measures to protect its operations and the supply chain. How this certification will work, who will conduct it and how much it costs is still up in the air. My memories of ISO 9000 in the 90’s was very similar.
Benefits of CMMC for the Business
ISO 9000 was sometimes seen as a burden for the business. It was a “pain” to document systems, create quality manuals and ensure the repeatability of the process. In reality, the business ultimately benefitted from much better controls.
CMMC compliance is going to dramatically increase your own cyber security. Even if you just do the easiest 20% it will make a huge difference to your cyber safety as a business.
Achieving CMMC compliance is crucial for manufacturing companies to secure sensitive government contracts and protect themselves from cyber threats. It requires a comprehensive and ongoing effort to ensure the confidentiality, integrity, and availability of sensitive information.
If you are a manufacturing company looking to achieve CMMC compliance, it is essential to work with experienced professionals who understand the regulations and can guide you through the process. To learn more about how Sabre Limited can assist you in achieving CMMC compliance and securing your business, please schedule a meeting with our team today.