By Edward Talerico, Senior Product Director, Infor LN Industry CloudSuites
With the world focused on Russian attacks on Ukraine, cybersecurity has never been a more important national security issue. For both companies and governments, protecting intellectual property is more imperative than ever, especially as systems continue to migrate to the cloud.
Aerospace and defense contractors now face the very real threat of losing business in the United States if they are noncompliant with the Cybersecurity Maturity Model Certification (CMMC) recently imposed by the U.S. Department of Defense.
The Department of Defense (DoD) instituted CMMC 2.0 to protect the defense industrial base from increasingly frequent and complex cyberattacks, thus safeguarding national security information. To work with the U.S. government or prime contractors, A&D companies must demonstrate the highest level of security to eliminate vulnerabilities. The DoD stated in a press release, “by incorporating cybersecurity standards into acquisition programs, CMMC provides the department assurance that contractors and subcontractors are meeting DoD’s cybersecurity requirements.”
All companies conducting business with the DoD must be certified by a third party, which conducts cybersecurity audits to verify that they are CMMC compliant. The CMMC guidelines are designed to identify vulnerabilities in a contractor’s IT infrastructure. Failing the audit is a devastating blow, because a contractor that fails will not be allowed to bid on new defense work.
Since the U.S. government cannot offshore contract work, and since those who want to perform the audits must be trained and certified as a Certified CMMC Professional (CCP), finding an approved certification company can be difficult and expensive. The scarcity also creates intense competition among aspiring contractors to find someone to complete the audit. The key to assuring CMMC compliance is to work with a software provider that has already passed the CMMC audit. While this can be a costly investment for cloud software providers, it allows contractors to work more effectively with the DoD while maintaining the highest security standards.
The bigger challenge, however, is that contractors don’t know which software providers have already completed the rigorous audit process and are thus CMMC compliant. Once contractors are aware of CMMC-compliant software providers, finding third-party providers to perform audits will be much faster. Furthermore, working with a software supplier that already has the attestation of compliance will put a contractor a step ahead of the competition that must spend time locating and securing one of the limited audit firms available.
Manufacturers should start their CMMC certification journey by visiting the CMMC-AB Marketplace to find an accredited CMMC professional. This professional can guide your organization through the process. They will run pre-assessment audits to identify vulnerabilities and areas where a manufacturer may not be following CMMC standards.
So, what exactly does the CMMC identify as vulnerabilities? Some typically flagged examples include:
- Elaborate supplier-collaboration systems built on modern internet technology
- ERP solutions that communicate across facilities over commercial internet-based services
- Operating systems and databases that are not kept up to date with patches
- Open connections that let customers view delivery dates and configurations
For a comprehensive list of vulnerabilities and their remedies, visit the CMMC website.
These types of vulnerabilities put data in harm’s way from a security perspective, as threats can take advantage of internet capabilities. The DoD must ensure that the intellectual property essential to our national defense is safe, secure, and closed to advanced persistent threats (APTs). In the new digital world where conflicts will be fought from a board room, the risks of security breaches are heightened to new levels.
Being CMMC compliant is not optional. Each request for proposal (RFP) must clearly state the specific CMMC level that bidders are required to have in place. Companies that do not address and achieve CMMC certification cannot win a DoD contract.
Overall, CMMC is part of a larger national security strategy focused on protecting the country’s population from life-threatening vulnerabilities, physical and virtual. When contractors partner with software companies that are already CMMC compliant, it saves time and money across the board, lowers the risk of failed audits, and ultimately leads to an impactful collaboration with the DoD to serve the country.