CMMC framework solution for DoD manufacturers

Don’t lose your Federal Defense Contract – the CMMC Framework.

CMMC Compliance for Defense Contractors.

Manufacturing companies must meet specific compliance requirements for all defense contracts. Cybersecurity has become a national priority, and because of this a new standard has been adopted for information security in the defense industry. The Cybersecurity Maturity Model Certification (CMMC framework) is designed to protect sensitive information across the defense industrial base. Whether you’re doing business directly with the Department of Defense (DoD) or through a contractor, CMMC compliance needs to be verified before you can win or hold onto a DoD contract.

What is the CMMC framework?

The DoD introduced CMMC in 2020, with this new standard designed to boost security, protect sensitive information, and enhance supply chain visibility. The CMMC is an assessment framework and assessor certification program published by the National Institute of Standards and Technology (NIST). This CMMC framework model was designed to increase trust levels and compliance standards throughout the U.S. defense industry.

New CMMC framework requirements were announced in November 2021, with the existing standard streamlined to support more accountability. Companies bidding for defense contracts need to satisfy the revised model by the end of the 2023 fiscal year. CMMC 2.0 simplifies the framework from five certifications to three, with existing naming conventions also revised. Level 1 will affect all companies working under a federal contract, with levels 2 and 3 affecting all companies dealing with controlled unclassified information (CUI).

CMMC levels and examples.

There are now three levels within CMMC: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). The Foundational level is far less rigorous than the other two, with 14 practices and 59 objectives met through an annual self-assessment. The Advanced level has 110 practices and 320 objectives, most of which are enforced via triennial third-party assessments. The Expert level involves 110+ practices and 320+ objectives, enforced via triennial government-led assessments.

  • CMMC Level 1 deals with safeguarded federal contract information (FCI).
  • CMMC Level 2 deals with the protection of controlled unclassified information (CUI).
  • CMMC Level 3 deals with the enhanced protection of controlled unclassified information (CUI).

FCI is non-public information generated for the government under the terms of a contract. It includes data exchanged during proposals, requests, and awards, along with all information used to maintain a contract. Examples include performance reports, process documents, email exchanges and more.

CUI is non-classified information that requires safeguarding or dissemination controls. Examples include employee information, research and engineering data, and computer code. Level 3 controls add requirements for active monitoring and ongoing security management; this CMMC level focuses on planning, sourcing, and reviewing security policies and procedures.

How the CMMC Framework affects the manufacturing sector.

CMMC regulations apply to all manufacturing companies that build products designed or customized for a DoD project. From prime contractors producing custom parts to machine shops making off-the-shelf products, compliance is relevant for all manufacturing entities. Before winning a contract, a manufacturing company will have its practices evaluated at one of the following levels:

  • If your company processes, stores, or handles federal contract information (FCI) on its unclassified network, it must perform a CMMC Level 1 self-assessment.
  • If your company processes, stores, or transmits controlled unclassified information (CUI) on its unclassified network, it must have a Level 2 assessment conducted by a third party.
  • Level 3 builds on Level 2 but involves extra resources and additional reviews: security solutions and monitoring controls must be inspected by a government-led assessment.

Cybersecurity presents numerous challenges, from data integrity and authentication policies to training regimes and threat detection systems. Overcoming these challenges can be extremely beneficial, however, as it lets manufacturing companies win valuable contracts with the DoD or its many contractors. If you need help implementing cybersecurity or understanding compliance expectations, we are here to help. Please contact your IT team for more information.
