July 8, 2022
Mission critical security
Companies in the aerospace and defense industry are taking a closer look at ways technology can help them to adapt to changing demands, while still meeting strict regulation and security mandates. Cyber security is an area getting more attention as enterprises adjust business models and find cloud deployment offers many advantages.
In the U.S., there is a new Cybersecurity Maturity Model Certification (CMMC) that continues to evolve as companies address where and how to store sensitive data. That, in turn, is leading companies to look at the cloud as a way to increase security. Cloud providers are uniquely positioned to be security experts, staying vigilant against new threats and performing backups and disaster recovery.
Defense contractors face the very real threat of losing business if they are non-compliant with the CMMC standard set by the U.S. Department of Defense (DoD) for the DoD supply chain and its contractors. The goal of the CMMC compliance requirement is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
This new umbrella standard includes requirements from NIST SP 800-171, the Federal Acquisition Regulation (FAR) clause 52.204-21, and beyond. In the latest iteration, CMMC 2.0 (announced November 4, 2021), there are three levels of CMMC compliance. Each level requires more practices and controls than the previous one. Most organizations will have to comply with either Level 1 or Level 2.
With CMMC, self-attestation is not an option, and contractors must be audited and certified before they can receive new contract awards. The DoD is working with the CMMC Accreditation Body, an independent third party that is responsible for the operational aspects of the certification. These responsibilities include training CMMC third-party assessment organizations (C3PAOs) and licensing individual assessors.
To spur CMMC compliance, the final rule in 2020 added a new requirement calling for defense contractors to submit a NIST SP 800-171 self-assessment into the Supplier Performance Risk System (SPRS). While the numeric score, with a maximum of 110 possible points, is not used to evaluate suppliers, the self-assessment must be submitted before contract award.
Beyond meeting federal regulations, contractors who prioritize cybersecurity best practices can substantially differentiate themselves from competitors. Companies that delay certification may get caught in a backlog of assessments and watch business opportunities pass them by. Prime contractors will be looking for certified subcontractors so that they can confidently incorporate suppliers and partners into their supply chains.
Prime contractors are sending out supplier surveys that are very similar to the SPRS request, asking for attestations of compliance or timelines for anticipated completion of all the security controls. Companies without a strategy in place risk losing their preferred supplier status. Getting ahead of CMMC mitigates the risk of cyberattacks not only on CUI, but also on the company’s intellectual property.
What you need to know
• CMMC applies to all subcontractors, regardless of their supply chain tier position
• Contractors must achieve 100% adherence before they can receive new contract awards
• Only certified assessors can provide CMMC validation
• Remediation plans or plan of action and milestones (POA&M) are not allowed
• Certification is valid for 3 years
• CMMC will not be applied retroactively to existing contracts
• Certification costs are an allowable, reimbursable cost
The three Cybersecurity Maturity Model Certification (CMMC) Levels
The CMMC 2.0 model is streamlined from five levels to three. It eliminates CMMC 1.0 Levels 2 and 4, as those levels were originally intended as transition levels and not meant to be assessed requirements. It establishes three levels, each one more advanced than the last, defined as follows:
Level 1 Foundational applies to contractors that neither receive, process, nor create controlled unclassified information (CUI), and do not handle high value assets (HVA). At this level, companies must perform self-assessments of their security practices, which must be reviewed and affirmed by company leadership. This must happen annually and is aligned with the existing standard FAR 52.204-21.
Level 2 Advanced applies to contractors who receive, process, or create CUI but do not handle HVA. There are two subsections, depending on how a company handles CUI classified as Critical National Security Information. Those who don’t create CUI can perform an annual self-assessment. Those who do must undergo a third-party assessment once every three years; these assessments are conducted by C3PAOs. This level is aligned with the existing standard NIST SP 800-171.
Level 3 Expert applies to any contractor that handles HVA. Assessments at this level must be completed by the government rather than by a C3PAO. This level is aligned with the existing standard NIST SP 800-172.
Infor CloudSuite Aerospace and Defense is a highly secure solution deployed in the cloud on the AWS platform. Manufacturers and distributors who seek to increase business agility and offer modern digital experiences can trust CloudSuite A&D to provide the functionality and security they need. It will drive operational efficiencies across the business and supply chain, enabling cost savings and improved productivity.
The solution increases resiliency and reliability by leveraging AWS’ high availability to protect against manufacturing or distribution disruptions.
Learn more about Infor solutions for A&D here.
About the author:
Edward Talerico is Infor's Sr. Director, Product Management for the aerospace and defense industry.