Prep For CMMC 2.0

The first step toward protecting your manufacturing operations from cyberattacks is to perform an assessment that determines the maturity of your cybersecurity program.

By Laura Elan, MxD

While the timeframe for the final rules for the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) 2.0 is not yet set in stone, the advice from experts is clear: Don’t wait to begin securing your factory against cyber attackers. We recognize that there has been ambiguity, but if you are a manufacturer who hasn’t started on cybersecurity readiness, start now. 

CMMC is a requirement for government contractors but is the “standard” to which all manufacturers should aspire to assure maximum possible cybersecurity. When it launched CMMC 2.0 in November 2021, the Pentagon said it could take as long as two years for rulemaking to be completed. That lulled some manufacturers with DoD contracts into thinking they had plenty of time. Experts agree that kind of thinking can put a company way behind and leave it vulnerable to cyberattacks.

A study of 300 DoD contractors from Merrill Research, Pleasanton, CA (merrillresearch.com), released in November 2022, showed that the vast majority had not adequately protected themselves against cyberattacks. For example, 80% lacked a vulnerability-management solution and 79% lacked a comprehensive multi-factor authentication system. The DoD is now aiming to add CMMC requirements to its contracts by May 2023.

To prepare for CMMC 2.0, manufacturers should first determine their current level of cybersecurity maturity. There are plenty of tools available to do such self-assessments, including a free CMMC playbook that you can download at mxdusa.org/cmmcplaybook. Remember that self-assessments take more time than companies usually anticipate. 

Self-assessments also require attention to detail. For example, to meet a requirement that employees have cybersecurity training, it’s not enough to say, “Yes, we train people.” You should be able to provide specific information on the types and frequency of training being done, such as good password management and identification and protection of sensitive information.

If training isn’t where it needs to be, companies could create a roadmap, or a plan of action and milestones (POA&M), a new feature in CMMC 2.0. These action plans let contractors demonstrate that they are working on compliance instead of having achieved it. There are going to be cybersecurity requirements that won’t be negotiable, but training could be one CMMC 2.0 area where such action plans may be allowed.

Getting an early start also affords manufacturers the time they need to build the cross-functional teams required for a robust cybersecurity plan. This isn’t a job just for IT. 

For instance, CMMC 2.0 rules may require a company to demonstrate that the people it’s made responsible for cybersecurity have specific experience, background, and education. Those background checks and hiring initiatives are likely a job for the human-resources department. 

Companies may have to guarantee that their procurement process assesses the maturity of any software, hardware, or firmware being used for cybersecurity. Also, firms shouldn’t forget to have executives on the team, as they are key to putting policies in place and driving long-term support.

The most important step is to start now. EP