Manufacturers and their subcontractors (at any tier) who work with the Department of Defense (DoD) in some capacity and have access to controlled unclassified information (CUI) will soon have stringent new cybersecurity standards to comply with in order to ensure that information is protected. These new requirements, put in place by the U.S. Department of Defense, are known as the Cybersecurity Maturity Model Certification (CMMC) and will take effect as of September 1st of this year. CMMC certification may also be a requirement for participation in some DoD Requests for Information and Requests for Proposal.
The DoD released a custom CMMC framework on January 31, 2020, based on various existing cybersecurity standards and leading practices, including National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. “CMMC was implemented by the DoD to enhance the protection of controlled unclassified information (CUI) within the supply chain,” according to the department’s website. The DoD has stated the goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels—after all, many of the suppliers to major manufacturers who fall under CMMC requirements are small businesses.
The CMMC framework maps cybersecurity practices and processes to defined maturity levels ranging from one (basic) to five (advanced), where each level contains the specific practices and processes necessary to mitigate increasing degrees of cyber risk. Once the CMMC takes effect in September, the department will assign every solicitation a maturity level that companies must meet if they wish to bid on it. To achieve certification, a business must pass an independent audit, conducted by a DoD-approved third-party auditor, that determines the level of maturity achieved.
The CMMC requirements include 17 provisions known as “security domains” within each of the five maturity levels, all of which need to be met by subcontractors and potential bidders. The department has indicated that failure to comply with the requirements of a particular maturity level will render the contractor unable to bid on new solicitations and/or result in removal from their current contract.
The CMMC program was created in response to a series of high-profile breaches of DoD information, which led to the department reevaluating its current security controls and adopting enhanced ones. According to the Center for Strategic and International Studies (CSIS), in partnership with McAfee, as much as $600 billion, nearly 1% of global GDP, may be lost to cybercrime each year. Clearly this is an area that needs to be made a priority.
Manufacturers who hold contracts with the DoD and have access to or maintain CUI need to begin working towards compliance with CMMC requirements immediately, if they haven’t already. To prepare for CMMC, manufacturers should inventory all existing DoD work being conducted at the company and determine the existing cybersecurity requirements for that work. In addition, manufacturers should inventory all systems at the company that collect, store and process data related to DoD contracts. Ensuring full compliance with CMMC can be a time-consuming process, but it will be a necessary and worthwhile effort when considering the vital information that is being protected. Manufacturers who are preparing for full compliance can also conduct self-assessments to make sure they are able to achieve the required maturity level.
The bottom line with CMMC is the need for greater cybersecurity awareness and for security protocols in place to prevent cyber criminals from gaining access to vital DoD-related information. It is up to the manufacturing companies and their subcontractors to be the first line of defense to protect CUI. These days, nothing is more important.