Cybersecurity Maturity Model Certification (CMMC) Compliance
Levison Enterprises is working towards its designation as Cybersecurity Maturity Model Certification (CMMC) Level 3 compliant. This credential recognizes what our customers already know: Department of Defense (DoD) contractors can trust Levison Enterprises to safeguard the government data we store or transmit, in line with the applicable cybersecurity compliance requirements.
Table of Contents
- What Types of Manufacturers Does the DoD Work With?
- Who in the Supply Chain Needs to Have the CMMC Compliance?
- What is CMMC?
- Difference Between NIST800-171 and CMMC
- Five Levels of CMMC
- What is Controlled Unclassified Information?
- What is the Difference Between CUI and FCI?
- Why Electronic Contact Manufacturers are Concerned About Protecting CUI
- Why is CMMC Important?
- Benefits of CMMC Compliance
- CMMC at Levison Enterprises
What Types of Manufacturers Does the DoD Work With?
The defense industry is one area in which US manufacturing is steadily growing. The annual contract value for military defense contractors is typically in excess of $500 billion, with a large portion of that going to small and large businesses alike.
The DoD relies heavily on the Defense Industrial Base (DIB), which is made up of private companies and other entities. These companies provide the goods and services that allow the DoD to run safely and efficiently. Public-sector facilities, private-sector companies, organizations, educational institutions, and government-owned facilities are all included in the DIB.
The DIB entities that work with the DoD as prime contractors and subcontractors range from small and medium-sized businesses to some of the world’s largest corporations. These organizations work together, directly and indirectly, to provide the DoD with a wide array of products and services, ranging from complex and highly specialized equipment to commercial products such as semiconductors and computers.
Who in the Supply Chain Needs to have CMMC Compliance?
The DoD has implemented cybersecurity controls for both contractors and subcontractors through CMMC. The CMMC level that must be achieved and maintained, as well as the data that must be protected, will be specified in a company’s contract. To qualify for government contracts, most contracts will require compliance at Level 1 through Level 3. The DoD estimates that the implementation of CMMC standards will affect 300,000 businesses.
When aerospace and defense electronic manufacturers have additional customers outside of the DoD, the entire organization will not be required to comply with CMMC. Limiting the scope of compliance to just the parts of an electronic manufacturer’s network and organization that handle FCI and CUI will actually help you save money on the audit.
1. Federal Contract Information (FCI)
Information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government that is not intended for public release.
2. Controlled Unclassified Information (CUI)
Information that requires safekeeping or dissemination controls under and consistent with applicable laws, regulations, and government-wide policies.
In order to achieve CMMC compliance, organizations must demonstrate the basic constructs of the CMMC Standard. Applicants must show that they:
- Employ staff trained in basic CMMC methodology.
- Are staffed with Registered Practitioners.
- Offer non-certified consultative services.
- Provide CMMC assessment preparation.
- Are bound by a professional code of conduct.
Independent third-party auditors known as Certified Third-Party Assessor Organizations (C3PAOs) provide the certificates. The CMMC Accreditation Body of the Department of Defense will train and certify C3PAOs.
Difference Between NIST 800-171 and CMMC
The vast majority of government electronic contractors are quite familiar with NIST. NIST SP 800-171 is a codification of the requirements that any non-Federal computer system must meet in order to store, process, or transmit Controlled Unclassified Information (CUI). The new CMMC requirements take NIST a step further.
There are key differences between NIST and CMMC. One of the most significant changes made by CMMC is that suppliers must be inspected by assessors; NIST 800-171 allowed self-certification.
CMMC maintains the traditional emphasis on access control, audits, configuration management, media protection, and personnel security. However, the DoD is becoming increasingly concerned about the nature and speed of cyber threats. As a result, CMMC has developed a set of practices centered on situational awareness, cyber threat alerts, and cyber threat intelligence.
Five Levels of CMMC
CMMC builds on and replaces NIST 800-171. Its framework is a security standard composed of five maturity levels that measure a company’s cybersecurity efforts to protect controlled unclassified information. These maturity levels are a collection of best practices that evolve from lower levels of adoption, or “maturity,” to higher levels of aptitude and compliance, depending on how closely a company follows them.
Level 1 requires 17 practices covering the basic safeguarding requirements. Antivirus software must be used, and any media containing FCI must be sanitized or destroyed before being disposed of or reused.
Because these standards are already in place for federal contractors, a company seeking Level 1 compliance will usually only need to have its compliance confirmed by a third-party assessor.
Policy and documentation of practice are required to develop mature capabilities and achieve Level 2 process maturity. The NIST 800-171 practices are required, along with 7 new practices, including audit log review, event detection and reporting, analyzing and triaging events, incident response, and regular data backup. Policies should cover account access levels, incident response, and other mid-level cyber hygiene measures as examples of best practices.
Documented data is an important part of achieving Level 2 process maturity. Evaluators will also expect the organization to have a policy that covers all aspects of its operations.
A Level 3 CMMC compliance signifies that an organization has attained the “Managed” process maturity designation. A plan is required to demonstrate management of practice implementation activities to address missions, goals, project plans, resourcing, and required training.
There are a total of 130 practices at the third level, including all the practices from NIST SP 800-171 Rev 1 and 20 others.
Proactive practices are used at Level 4 to improve detection and response capabilities. Practices are reviewed and measured for effectiveness. In addition, corrective actions when necessary and recurring communication to higher-level management are required.
There are a total of 156 practices at this level. 26 of the practices enhance detection and response capabilities.
At Level 4, an organization is better prepared to respond to cybersecurity incidents and to prevent them from happening in the first place.
Reaching Level 5 means a company has attained process standardization and optimization. There are 171 practices at this level. 15 are new practices that increase the depth and sophistication of cybersecurity capabilities.
At Level 5, a company has reached “Advanced/Progressive” cybersecurity practices. This means a company has a standardized, documented approach to process optimization that spans the entire organization at this highest compliance level.
What is Controlled Unclassified Information?
Controlled unclassified information (CUI) refers to certain types of information produced or accessed by the United States government. CUI is not considered classified information, but still must be safeguarded or disseminated in accordance with applicable laws, regulations, and government-wide policies.
Patent applications, technical defense information, and DoD critical infrastructure security information are all examples of CUI.
CUI is targeted by cybercriminals because it is subject to fewer controls than classified information. The loss of aggregated CUI is one of the most serious threats to national security.
What is the Difference Between CUI and FCI?
In addition to protecting CUI, CMMC is also designed to safeguard Federal Contract Information (FCI). FCI refers to information provided by or generated for the government under contract that is not intended for public release, and CMMC also provides enhanced security for controlled unclassified data generated during contracted activities.
All CUI is considered FCI. But not all FCI is CUI. Examples of FCI would be emails, policies, contract performance reports, organizational charts, and process documentation.
FCI is considered less sensitive and requires less cybersecurity protection, but it is just as important.
Why Electronic Contract Manufacturers are Concerned about Protecting CUI
Cybersecurity breaches—unauthorized access to networks, applications, data, and other systems—are a global concern. But they can have even bigger ramifications for your business, specifically loss of contracts and the sizable profits that come with them.
CUI can be used for malicious purposes such as technical, economic, political, or military agendas by the threat actor. Many of the attacks are retaliatory in nature, as a result of sanctions, or are targeted at industrial espionage.
A CMMC-compliant electronic contract manufacturer is more resilient to cyber-attacks from both outside and inside your organization. CUI will be strongly protected from foreign adversaries as well as from rogue employees. Businesses that attain and maintain CMMC compliance have proven their willingness and ability to protect sensitive data, making them a valuable electronic contract manufacturing partner.
Benefits of CMMC
Following a series of high-profile data breaches in 2019 and 2020, the CMMC has taken on more significance for DoD vendors and contractors. The key benefit of CMMC compliance for firms is the improvement in their cyber security procedures while also improving the protection of controlled unclassified information (CUI) and intellectual property inside the US DIB’s supply chain.
Other advantages of CMMC compliance include:
- Preparing for and avoiding cyber-attacks.
- Recovering from a cyber-attack without incurring financial penalties.
- Using a collaborative risk management approach to assist contractors in reducing their risk from a specific set of cyber threats.
- Adopting best practices at five levels of maturity, ranging from basic cyber hygiene to advanced or progressive cyber hygiene.
Of course, the biggest benefit of CMMC is the ability to compete for lucrative DoD contracts.
The DoD spent 63 percent of the $507 billion allocated to the federal government’s contractual obligations in fiscal year 2017. Defense contracting has a lot to offer, and it’s not just about electronic manufacturing. Federal contracts put money on the line for any company that provides software or services to the defense sector.
With CMMC compliance becoming a requirement for all government contracts in the near future, working with a CMMC-certified electronic contract manufacturer ensures your organization’s place in the valuable defense supply chain. It opens doors to opportunities with other DoD contractors and subcontractors, as well as with the DoD itself.
CMMC at Levison Enterprises
Levison Enterprises is an electronic contract manufacturer (ECM) that is committed to quality. A large majority of CMMC requirements were already a part of our best practices. We have always been a company committed to the security of all of our contracts.
Much of our focus is on document control. We have comprehensive Data Flow Diagrams (DFDs) in place to identify where Controlled Unclassified Information (CUI) is stored and processed. We also maintain documentation relating to when, where, and how CUI controls are applied.
Levison Enterprises is doing our part to reduce the risks and potential impacts of cybersecurity threats on DoD contractors. Once Levison Enterprises obtains its CMMC security compliance, it will be positioned as a leader in electronic manufacturing solutions and services meant to eliminate theft of intellectual property and sensitive information for our government defense partners and, ultimately, our customers.