This content was published prior to the merger of equals between BKD and DHG on June 1, 2022.
CMMC Compliance Requirements for Manufacturers with Defense Contracts

According to a recent report, manufacturing is one of the industries most targeted by ransomware operators. The average ransomware demand in 2021 was more than half a million dollars, and many manufacturers chose to pay rather than risk halted operations, bad press, and reputational damage.1
Manufacturers doing business with the federal government have an additional responsibility: protecting sensitive federal information from our nation's adversaries. In November 2021, the Department of Defense (DoD) updated the Cybersecurity Maturity Model Certification (CMMC) program to strengthen the cyber protection requirements placed on government contractors and subcontractors. Depending on the level required by a contract, compliance will be verified by either a self-assessment or an assessment performed by an accredited third-party assessor organization. You may read an overview of the CMMC program and DoD's recent change here.
What does that mean for your manufacturing business? It means you should review your security policies now and determine how you are going to meet the requirements, or risk losing business to competitors. Certification will soon be integrated into the Defense Federal Acquisition Regulation Supplement (DFARS), making CMMC certification mandatory for prime contractors and subcontractors doing business with DoD.
The following questions can help you better understand your current level of cybersecurity preparedness, where you want to be, and the scope of what is needed to fulfill your requirements.
- Does our team receive, store, or transmit Controlled Unclassified Information (CUI) as part of our work with the federal government or prime contractors?
- Have we established a cybersecurity program to govern the protection of our sensitive information?
- Have we established a System Security Plan (SSP)?
- Have we identified gaps or areas of focus that must be addressed to improve our cybersecurity protections or to prepare for a CMMC assessment?
Why Now?
While CMMC is a new requirement, defense contractors have been expected to secure Controlled Unclassified Information since 2016, when the DFARS clause 252.204-7012 required contractors to implement the security requirements of NIST SP 800-171. CMMC is designed to enforce these protections and to validate that contractors actually meet a minimum set of security criteria. As cybersecurity threats evolve, so will the protection requirements, so meeting them is an ongoing investment that should be reflected in your budget strategy as well.
How DHG can help
DHG has assisted multiple manufacturers with cybersecurity and CMMC readiness consulting, and our team understands the cybersecurity and compliance challenges unique to complex manufacturing operations. Manufacturers often struggle with defining the scope of their IT environment (which systems handle CUI and are therefore in scope for assessment), sufficiently documenting cybersecurity policies and procedures, and maintaining ongoing oversight of their cybersecurity program.
In early 2022, DHG became the first top 20 public accounting and advisory firm to be accredited as an Authorized CMMC Third-Party Assessment Organization (C3PAO) by the CMMC Accreditation Body. This designation reflects DHG's experience and insight in helping manufacturers and government contractors prepare for CMMC certification. We welcome the opportunity to assist you in building a cybersecurity framework for your organization and to provide a comprehensive, independent third-party assessment against your requirements.
1. Datto, State of the Channel Ransomware Report (2019), https://www.datto.com/resourcedownloads/Datto2019_StateOfTheChannel_RansomwareReport.pdf