The Intersection of CMMC and Small- to Mid-Sized CNC Job Shops

The decision to gain or retain status as a defense supplier by pursuing CMMC compliance is especially difficult for small- to mid-sized machine shops, and the complexities and misperceptions tied to the program certainly aren’t helping. To break down those complexities, here are five key issues that small- and mid-sized job shops need to know about CMMC.

With a surge in spending driven largely by the war in Ukraine and production obligations for the F-35, the Department of Defense (DoD) awarded $470 billion in defense contracts last year, according to a published report by the government market intelligence platform HigherGov. Not only did this figure represent the largest-ever year-over-year dollar increase in spending (eclipsing the 2022 figure of $422 billion), but the number of companies receiving defense-related contracts also increased in 2023 — the first expansion of the defense industrial base in nearly 20 years.

The number of private companies handling controlled unclassified information (CUI) — more than 37,000 in 2023, according to the report — has been a longstanding concern of the DoD. Not only are the small- and mid-sized job shops subcontracted by primes like Lockheed Martin and Raytheon vulnerable to state-sponsored or criminal cyberattacks, but they also will soon face the prospect of being weeded out during the implementation of Cybersecurity Maturity Model Certification, or CMMC. As readers may know, CMMC is the DoD's third-party verification program for the cybersecurity requirements laid out in the National Institute of Standards and Technology (NIST) Special Publication 800-171, first issued in 2015.

To discuss the status of CMMC, I reached out to Jacob Horne, chief security evangelist (his real job title) for Summit 7, a managed IT and security provider focused exclusively on helping DoD contractors meet their security and compliance requirements. From our conversation, here are the top five issues, misconceptions and facts about CMMC that small- and mid-sized job shop owners need to know about today:

1. The Distinction Between CMMC and the Cyber Requirements it Verifies

Horne: This is easily the biggest misconception I’ve seen since CMMC emerged circa 2019. CMMC is a DoD program that verifies if a contractor has fully implemented its contractual cybersecurity requirements. The DFARS (Defense Federal Acquisition Regulation Supplement) contract clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” has gone into all DoD contracts and solicitations since 2016. The DFARS 7012 clause obligates contractors and subcontractors to implement the 110 cybersecurity requirements in a document called NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” which has also remained virtually unchanged since it was published in 2015. The DoD created the CMMC program to verify implementation of these requirements via third-party assessments rather than continuing to accept self-attested compliance. Ultimately, CMMC isn’t making you do the requirements, it’s making sure you did the requirements. When people equate the verification program with the requirements, they lead themselves to believe that they have much more time to get ready than they actually do.

2. The Relationship Between NIST Requirements and Verification Procedures

Horne: Even early adopters get in trouble here because they aren’t aware of the full scope of their requirements. Although NIST SP 800-171 has 110 cyber requirements, there are 320 questions (what NIST calls “determination statements”) that need to be answered for all the requirements to be considered “fully implemented.” These 320 questions are contained in 171’s cousin, SP 800-171A “Assessing Security Requirements for Controlled Unclassified Information.” If a requirement isn’t fully implemented (if it doesn’t have all its determination statements satisfied), then it is considered “unmet” and you won’t get credit in an assessment. The DoD has a very small number of controls that can be temporarily unmet and still allow a company to achieve CMMC certification. Bottom line: SP 800-171A is the real center of gravity and if your staff and/or external partners aren’t extremely familiar with it, you will likely be unsuccessful at achieving certification.

3. The CMMC Timeline

Horne: The original CMMC regulation was published in 2020. After a year of review in response to public comments, the DoD doubled down and went through the two-year process of reinforcing the regulation with another publication in December 2023. Now DoD is racing to finalize the CMMC program before the election and there are several reasons to believe they will do so. If they are successful, then your customers and competitors will begin relying on CMMC as a differentiator as soon as the end of 2024 — long before DoD decides any given contract will get the requirement over the course of their planned multi-year “phased roll-out.” For reference, it can take the average company (50–500 employees) anywhere from six to 18 months to go from average to assessment-ready. If you plot that out, many companies are nearly out of time and don’t even realize it.

4. The Critical Reliance on External Service Providers

Horne: Most companies with DoD cyber requirements don’t have the in-house staff to handle everything. IT and cyber skills are expensive and hard to find, and it’s no surprise that many companies use external service providers. It’s easy to see the critical role that these managed service providers (“MSPs”) play if they hold the keys to several (sometimes even hundreds) of DoD contractors. As a result, the CMMC regulation proposed in December 2023 will require external providers to achieve a CMMC certification equivalent to their clients’. Full disclosure: I work for a managed IT and security service provider, but knowing what we know about the granularity of SP 800-171A, the problem should be obvious.

5. The Advantage of Having a Quality Management System

Horne: Companies with ISO 9001 or AS9100 quality systems have a huge advantage if they are willing to think creatively about the management core lurking inside their NIST requirements. Think of cybersecurity as a new special process: it’s expensive, specialized and something you probably don’t do in-house. You’re going to rely on external providers to take care of most of the questions in NIST SP 800-171A, but you’ll still be on the hook for managing that interface to your business. Some of the best cyber compliance managers I’ve worked with are quality managers who were simply given permission to look for overlapping requirements. The two worlds are not as far apart as you think even if the people writing cyber and quality standards don’t talk to one another.

Bonus: Cost and Funding

Horne: Every shop and situation is different, but CMMC compliance is going to cost more than you think and take longer than you expect. Worse, there is little-to-no funding available to help you — especially long-term. Remember: The CMMC program is different from the requirements assessed by CMMC. As a result, the CMMC program only estimates the cost of assessment, not implementation. While the government estimates that assessments can range from ~$30k–$50k+, implementation has never been estimated. In my experience the combination of implementation and assessment is a six-figure cost more often than not, even for smaller organizations.
