Is your manufacturing company prepared for new CMMC requirements from the U.S. Department of Defense (DoD)? This article provides an overview of the changes, the implications for manufacturing companies in Canada, and next steps to help companies stay compliant.
New cybersecurity requirements from the U.S. Department of Defense will have significant implications for Canadian manufacturers who hold existing contracts with the DoD or plan to bid on contracts in the future.
What are the changes?
The U.S. Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD (A&S)) has developed the Cybersecurity Maturity Model Certification (CMMC) framework in concert with the Department of Defense stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and the Defense Industrial Base (DIB) sector.
The CMMC framework is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect:
- Federal contract information (FCI) – Information provided by or generated for the U.S. government under a contract and not intended for public release.
- Controlled unclassified information (CUI) – Information that requires protection consistent with laws, regulations, and government-wide policies.
The CMMC will be used to establish the minimum level of cybersecurity controls that must be implemented and the minimum level at which these controls must be managed in a DIB vendor's organization in order to work with the U.S. in matters related to defense.
What do the new CMMC requirements mean for Canadian manufacturers?
Defense exports to the U.S. constitute a significant portion of Canada's manufacturing and distribution revenue. The new requirements have the following implications:
- Beginning June 2020, CMMC requirements will be included as a part of requests for information, making uncertified members potentially ineligible to respond to or participate in bids.
- Organizations who intend to work with the DoD must make the entire network—or at least the part of network that processes, stores, and transmits FCI and CUI—compliant with the level of CMMC framework as mandated by DoD.
- Without a formally certified CMMC level of cybersecurity from a third-party assessor, Canadian manufacturers in the DIB sector will have challenges providing the appropriate assurance of protecting the CUI. This will increase the risk of being ineligible to participate in U.S. DoD deals.
What should manufacturers do next?
Existing and potential contractors should take steps now to ensure they are compliant with the CMMC framework, to mitigate the risk to their business.
The new framework outlines five levels of expected cyber hygiene (basic, intermediate, good, proactive and advanced/progressive) and process maturity (performed, documented, managed, reviewed, and optimizing) with each level outlining the expected cyber practices to be implemented.
Source credit: Image taken from Cybersecurity Maturity Model Certification (CMMC), Version 1.0. Copyright 2020 Carnegie Mellon University and The John Hopkins University Applied Physics Laboratory LLC.
The CMMC prescribes a total of 171 practices from 17 domains of cybersecurity spread across the five levels:.JPG.aspx?width=679&height=448)
.JPG)
Source credit: Image taken from Cybersecurity Maturity Model Certification (CMMC), Version 1.0. Copyright 2020 Carnegie Mellon University and The John Hopkins University Applied Physics Laboratory LLC.
Considering the short timeline of formal inclusion of CMMC requirements in U.S. requests for information, manufacturers should evaluate their readiness to comply with CMMC before being formally assessed by a certified assessor.
How can BDO help your company with CMMC compliance?
BDO's cybersecurity team can evaluate your manufacturing company's current state against the CMMC framework and help you take steps to reach a suitable level of maturity.
Our advisors are experienced professionals with a diverse range of backgrounds, including information security, information technology, operations, data privacy, and business advisory. We have extensive experience with cybersecurity frameworks and assessments, including ISO 27001, NIST CSF, NIST SP 800-53, PCI-DSS, and controls from the Canadian Centre for Cybersecurity.