Behind Schedule Preparing for CMMC? You Are Not Alone.
The Department of Defense appears to be on track to begin a phased rollout of its Cybersecurity Maturity Model Certification assessment program by early 2025. What does that mean for defense contract manufacturers and suppliers?
If you make parts for the defense industry and have not started preparing for the Cybersecurity Maturity Model Certification (CMMC) assessment program, the message is this: You are behind schedule, but don’t panic. Start preparing now.
CMMC is a program aligned with the Department of Defense’s cybersecurity requirements for its contractors and subcontractors that was created to stop controlled unclassified information (CUI) from falling into the wrong hands. Publication of the official CMMC rules may happen as early as this fall, and it is believed that compliance requirements will begin in early 2025.
To help spread the word about CMMC, I spoke with three people who have direct experience preparing for it: Jayme Rahz, CEO of Midway Swiss Turn; Kelsey Heikoop, co-founder and CEO of ProShop ERP; and Scott Sawyer, co-founder and CTO of Paperless Parts. Midway Swiss Turn is a family- and veteran-owned contract manufacturer and job shop that has been preparing for CMMC since 2021, while the other two companies offer different services to help shops prepare for CMMC.
Modern Machine Shop: Give us some background about CMMC and talk about why it is so important for shops to prepare for it.
Kelsey Heikoop: One of the main things to know about CMMC is that there are different levels. Most people in the manufacturing space are going to run up against Level 2. Level 1 is pretty easy to hit, but Level 2 is significant. I don't want to freak people out, but Level 2 takes a much more serious, comprehensive approach to understanding your business than people may realize.
Scott Sawyer: The analogy I always use is, in the past, these kinds of regulations have been like a speed-limit sign on the highway that hasn't been enforced. Everyone knows this and just speeds past the sign. But with CMMC requirements for data — the blueprints, the 3D models, everything — now what's happening is the Department of Defense is finally saying, “No more. We are going to enforce these regulations and protect this data.”
Jayme Rahz: We didn’t know exactly which parts we were making were going to fall under CUI, but our defense work was too important for us to gamble on. It was kind of like a kick to the gut for a minute when we learned about CMMC, so we refocused. We had to decide whether or not to maintain our government contracts. We made the choice to go ahead and proceed with it.
Modern: What is the risk for shops if they drag their feet on working toward compliance?
Rahz: There are way too many shops out there that don't know anything about (CMMC), and that's going to be a problem, not just for those shops, but for us as an industry.
Sawyer: Within the defense contractor world, this will probably shake out a lot of vendors from the supply chain, and that is likely going to disproportionately impact a lot of smaller shops if they don’t prepare now.
Heikoop: My worry is that shops will end up in situations where they spend a lot of money to build the same data architecture that everybody else in the industry will need, and there will be a massive shift of wealth from manufacturing companies to cybersecurity firms.
Modern: What advice do you have for shops who want to maintain their defense contracts but haven’t started preparing for CMMC?
Heikoop: I would recommend starting with Cyber AB. They are an independent accreditation body and offer massively helpful resources to get started. Break down the process so that each individual piece is manageable. List all of the computers you have, all of the software you use — the simple stuff. There are a lot of tools you can get from your local IT company.
Rahz: Start now. Get in touch with your local PTAC (Procurement Technical Assistance Center). They should have an abundance of resources to help you break into that world.
Modern: For anyone reading this who may indeed be freaked out, what would you say to ease their anxiety?
Sawyer: If you're making the investment so that you can do defense work, it's going to give you a competitive edge. It also sets you up to kind of breeze through some other cybersecurity standards, right? So if you decide to become ISO 27001 certified, once you've done CMMC, that becomes a pretty short putt for you.
Heikoop: I always tell people, look, you had to meet accounting standards, right? And you may not have been an expert, but you figured it out. People who own and run job shops are smart people. These are people who solve really challenging problems for a living.
Rahz: I was actually pretty surprised at how many basic cybersecurity requirements there were. Some of them we already were doing and some of them we weren't, and what I learned was like, boy, that's such an easy way for somebody to take advantage of us, you know? Just this one little thing we didn’t have locked down. I was surprised at how many things that we really had left ourselves open to. But standardizing our security — how do we collect data and what we do with that data — has actually made us a more efficient shop.
Sawyer: CMMC is kind of the cost of doing business today. The way I always think about it is that we're on the same team. We're all figuring this out together.
Read Next
Cybersecurity Becomes a CNC Machining Prerequisite
Management software and information technology partner services prove their worth amid the rollout of defense industry requirements.
Read More
Cybersecurity Process Maturity Demands a Plan
Plans may fail, but planning has intrinsic value for building sustainable, adaptable data defenses.
Read More