Now Is the Time to Go for Compliance with CMMC

People in the upper tiers of the Department of Defense's (DoD) supply chain are fully aware of the Cybersecurity Maturity Model Certification (CMMC), which the DoD will require of its suppliers starting in 2021, with rolling deadlines over the next few years.

Julia Boswell

The CMMC is an assemblage of information and computer security controls drawn from several existing frameworks, chiefly NIST SP 800-171, NIST SP 800-53 and the CIS (Center for Internet Security) Controls. Suppliers have been required to comply with NIST SP 800-171 since early 2018, but the self-attestation process was not robust enough to ensure the security of the Defense Industrial Base (DIB): a company could state that it was compliant without ever being audited or certified. As nation-state, corporate and criminal attacks became more sophisticated and pervasive, the DoD decided to move away from self-attestation toward a verifiable, independently assessed certification process, and to that end developed the new, comprehensive CMMC standard.

There are five levels of CMMC certification. What a supplier provides, and where it sits in the supply chain, dictates the level the DoD requires. For example, a military aircraft engine OEM may need Level 5 certification, while a job shop supplying fasteners for that engine may need only Level 3. Because the DoD's initial focus has been on top-tier suppliers, the OEMs and Tier 1 suppliers are well on the road to CMMC compliance. As the focus shifts to the cybersecurity posture of their subcontractors, however, those businesses will have to start preparing to meet the level of certification required of them.

ProShop ERP conducted an informal survey of our followers this year and found that almost half of the respondents did not know about CMMC.

One of the first steps a defense parts supplier can take is to assign a staff member to learn the CMMC requirements as they apply to the business. A gap assessment that captures the current state of the organization's security controls, measured against the practices required at its target level, then informs the implementation of the remaining CMMC controls.

As a developer of a comprehensive ERP platform, or “digital ecosystem,” we are…