THE CLOCK IS TICKING FOR DEFENSE MANUFACTURERS

PARTNERSHIPS LIKE NJMEP AND WITHUM ARE CRITICAL RESOURCES FOR NEW JERSEY MANUFACTURERS

WHAT IS CMMC 2.0?

The release of the Cybersecurity Maturity Model Certification Proposed Rule (CMMC 2.0) marked a significant milestone for stakeholders invested in cybersecurity compliance within the Department of Defense (DoD) supply chain. This development underscored the ongoing commitment to fortifying cybersecurity standards across defense contractors and subcontractors, ensuring the safeguarding of government data during the execution of government contracts. In recent years, strategic adversaries have exploited vulnerabilities within the DoD supply chain, compromising U.S. businesses’ intellectual property and eroding confidence in the security of products and services delivered to the DoD. The CMMC program was conceived as a proactive measure to verify that defense contractors and subcontractors have implemented the prescribed cybersecurity standards under NIST 800-171, which encompasses the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) throughout the contract lifecycle. 

THE CLOCK IS TICKING

Adherence to CMMC standards is imperative for manufacturers operating within the DoD supply chain to maintain current government contracts and eligibility within prime contractor supply chains. Failure to meet these requirements by calendar year (CY) 2025 could result in disqualification from bidding on DoD contracts and jeopardize future awards or options years on existing contracts.

Industry partnerships between organizations like the New Jersey Manufacturing Extension Program (NJMEP)—New Jersey’s training and consulting firm dedicated to driving manufacturing forward in the state—and Withum—a people-centric advisory and accounting firm—are critically important to combating regulatory challenges like CMMC compliance. By combining forces and pooling our resources, we can ensure that manufacturers in New Jersey have access to the latest information, tools, and resources necessary to adapt and thrive in this changing cybersecurity landscape.

PROCRASTINATION CANNOT BE AN OPTION

Industry experts, analysts, and advisors are all tolling the bell for CMMC compliance. In the past, the government has shifted the deadlines and pushed back remediation requirements, but experts are saying that won’t be the case for CMMC 2.0—warning that real steps need to be taken sooner than later.

“The government is saying CMMC is going to land in CY 2025,” says Jason Spezzano, Executive Cybersecurity Advisor at Withum, “Given the current rulemaking timelines and recent rulemaking updates I would say that I agree. It takes anywhere from 12 to 18 months to get prepared, and this does not account for prime contractors potentially asking subcontractors to ask where you are in advance. So, if organizations have not done much up to this point, you’ve got to start now.”

With the phased rollout of CMMC, organizations must lay the groundwork for CMMC compliance. Planning and implementation requires detailed execution as organizations work through asset classification, assessment boundaries and service provider relationships within their environments.

AVOID THE BACKLOG

How will this affect New Jersey Manufacturers? Spezzano says this is a unique situation. For manufacturers, who often have older equipment and processes, meeting CMMC 2.0 compliance may take longer due to unexpected hurdles businesses might face.

“I would focus on foundational things,” says Spezzano, “Map your dataflows and what processes stores or transmits FCI or CUI; identify your assets using the CMMC scoping guide; understand your CMMC assessment scoping boundary—make sure you keep that as small as possible. Once you understand those things, you can review options that are most feasible for your environment.”

To facilitate this process, organizations should comprehensively assess their current contract requirements, data flows, and information systems to identify gaps and prioritize remediation efforts. Developing and reviewing System Security Plans (SSPs) and Plan of Action and Milestones (POA&Ms) are critical steps in addressing cybersecurity vulnerabilities and ensuring readiness for CMMC assessment. Spezzano notes that the SSP is the organization’s chance to tell its story and provide evidence to an assessor on how they are meeting the control requirements.

Another critical area that Spezzano says will affect the timelines for certification is the potential impending backlog. As manufacturers come to terms with the reality of the situation and the looming CY 2025 deadline, businesses will begin to reach out to cyber remediation specialists and assessors to help facilitate CMMC compliance—something he says will cause a backlog of assessments, further increasing the timeline for getting CMMC compliant. In addition, prime contractors may back up the timeline within their supply chain to ensure they are prepared first.

WHY DOES YOUR BUSINESS NEED CMMC?

As organizations embark on the journey towards CMMC compliance, proactive measures and strategic investments in cybersecurity infrastructure will be instrumental in safeguarding personal, business, and government data, and upholding the integrity of the defense supply chain. By taking proactive steps today to embrace NIST standards and CMMC compliance, companies like yours can strengthen their cybersecurity posture and demonstrate their commitment to national security and defense readiness.

“The foundation of this is understanding your contract requirements and what data you have and where it goes,” says Withum’s Spezzano, “Understanding what the contract requires, what data you have, where it goes, and who receives it is the foundation for scoping of CMMC”

DON’T NAVIGATE THE PATH TO COMPLIANCE ALONE

The release of CMMC 2.0 represents a pivotal moment in fortifying cybersecurity standards within the DoD supply chain. As strategic adversaries continue to exploit vulnerabilities, adherence to CMMC standards becomes imperative for defense contractors and subcontractors. Manufacturers must prioritize compliance to avoid disqualification from DoD contracts and future contract awards. It’s critical to start the journey towards CMMC compliance to prevent potential backlogs and ensure readiness for the CY 2025 deadline.

In the dynamic cybersecurity landscape, the collaboration between industry partners like Withum and NJMEP helps ensure the manufacturing industry has access to all the expertise, tools, and resources possible to make the transition to CMMC compliance as easy and cost-effective as possible. Our expansive cybersecurity solutions are tailored to protect your data, systems, and operations. In times like these, where your business is up against the clock, you need to lean on industry experts like Withum and NJMEP to help you navigate these time-sensitive changes. Get started today with our no cost assessment and we’ll help you identify where your vulnerabilities are.