In 2018, the US government required that any company that interfaced with the Defense Industrial Base (DIB) must begin to follow more stringent cybersecurity protocols. At first, they didn’t enforce it. Now, they will be.
If your business needs the Cybersecurity Maturity Model Certification (CMMC), you might not know where to start. Let this be your starting place.
The majority of breaches come from people taking inappropriate actions (email phishing, giving information to someone you think you can trust, etc.). If you get an email asking for information or it requires you to click a link—and you’re not 100% positive that it’s legitimate—ask someone else.
Hackers are even researching on LinkedIn. They know who you are and what you do. In the last week, Jason received two emails from the Presidents of two different cutting tool manufacturers he’d never spoken to before.
They both wanted to connect about a business proposal. They seemed legitimate. Instead, it was bad actors presenting themselves as these businessmen. They are customizing their attacks, and it’s scary.
Another great resource is the CMMC accreditation body, The Cyber AB. They offer numerous resources and tools on their website. These are all great starting places. Now, let’s dive into CMMC.
The basics of CMMC
Certain industries/people only need Level I certification (17 controls to follow). Others need to reach Level II certification, with 120 controls. Level III is the next step up, which fewer companies need to adhere to. Level II is the most relevant to machine shops. Anyone in the supply chain making parts for the government has to be Level II certified.
These companies are getting Controlled Technical Information (CTI) and using it to create parts. Controlled Unclassified Information (CUI) is what is being handled with CMMC. It also includes anything that machine shops generate themselves (workholding plans, how you’re machining parts, etc.).
To get started, you have to complete a Supplier Performance Risk System (SPRS) application, a system that scores you on your cybersecurity maturity level. Currently, there are 200,000 companies in the DIB and only hundreds of auditors.
Can companies fake it ‘til they make it?
Companies that hold certifications don’t always meet the requirements well. They manage to show auditors the data they want to see to pass their audits. It does happen. Some people who are certified would fail if every corner of their business was audited. Some people might try to do the same with CMMC.
But if you aren’t doing all of the things you should do, you’re less secure. It makes you vulnerable to attacks. You’re better off investing time and money to make it an ongoing part of your culture and processes.
Let’s be clear: This isn’t just checking a few boxes. Everyone logs into their phone or computer. You just need to do it in a specific way with a specific security mechanism that is exponentially more secure.
It’s no longer a question of if something will happen—it’s when it will happen and how bad it will be. Everything you’re doing is to make incidents rare and their impact small. The odds of running a business for 20+ years without a single security incident are basically zero.
Who should get the CMMC?
If a company doesn't plan on doing work for an entity that requires CMMC, should they still get the certification? Paul points out that there are ways to incorporate security into your business without going down the full CMMC path. It doesn't have to be for everyone. Plus, there’s a cost to consider to get certified.
But many of the tools that they’re requiring you to put into place are good tools that can save you from ransomware attacks and limit your exposure when a security incident happens. A simple example would be turning on two-factor authentication for every piece of software that you use. It’s a simple setting in CRM systems and ERPs that can make a huge difference.
There are small devices that cost as little as $30 that you can put on a keychain to support two-factor authentication (a physical hardware key).
The potential cost of the certification
Paul wants to save small manufacturers from bringing in a cybersecurity consultant. It could cost you $100,000 or more to implement suggestions. It often doesn’t end there. You may be dependent on things outside of your control.
A flood of security companies have swooped in to get manufacturing companies to sign up for their services and it’s incredibly expensive. Paul’s goal is to knock that $100,000 bill down to $10,000–$20,000 because they can check off many boxes. There will be less to do with consultants or third-party firms.
How will CMMC work with different softwares/systems?
Anywhere information is stored or viewed needs the right controls in place. What’s your footprint of controlled information? The more you can minimize the footprint, the cheaper and easier it will be to implement.
ProShop has clients who, if their computers were stolen, still wouldn’t have a breach of information. They don’t have CUI stored locally on shop computers. It’s all on the ProShop cloud. The way they do file management and storage complies with CMMC (security groups for employees, two-factor authentication, and nothing controlled/classified stored digitally on local machines).
How ProShop can help you accelerate adoption
If you’re looking for new technology and it will house key information, ask the vendor for their shared responsibility matrix. It will help you discover how much you have to take on versus how much the technology you’re purchasing will handle on your behalf.
ProShop would share all of the requirements of CMMC and outline how ProShop helps and what the shop is responsible for. If you are serving the government at any level, the choices will be clear. Your technology has to support the minimum requirements.
Learn even more about CMMC in episode #362 of the MakingChips podcast!