Fielding Manufacturers’ FAQs about CMMC

Here are answers to frequently asked questions we as a provider of testing, consulting, information and compliance services receive about Cybersecurity Maturity Model Certification.


Manufacturers that are part of the U.S. Defense Industrial Base (DIB) share many common questions about Cybersecurity Maturity Model Certification (CMMC). Source: iStock

Smithers receives many questions from manufacturers that are part of the U.S. Defense Industrial Base (DIB) about Cybersecurity Maturity Model Certification (CMMC) and NIST compliance. Many of these relate to the impending CMMC 2.0 release. Here are answers to several of those FAQs, which I believe will be helpful for machine shops that have embarked on the journey to CMMC:

Is data that comes out of my ERP CUI? This depends on whether your organization loaded or created controlled unclassified information (CUI) in the ERP system. If not, most organizations will find that their ERP instead contains Federal Contract Information (FCI) per FAR 52.204-21. FCI is information specific to a DOD contract that is not meant for public release because it may contain details of the contract deliverables, timeline and funding. It is recommended not to contaminate an ERP with CUI, as the entire ERP, its hosting company and all your employees could then be considered in scope for your CMMC assessment.

Does the ERP have to be FEDRAMP-compliant? If your ERP is used to process, store or transmit CUI and it is hosted in the cloud, it must meet Federal Risk and Authorization Management Program (FEDRAMP) moderate security baseline equivalency (DFARS 252.204-7012.b.2.ii.D). If the ERP is hosted locally with no cloud presence, then the ERP is required to meet all the controls of NIST SP 800-171.

What tools can I use to help me on my compliance journey? There are numerous Governance, Risk and Compliance (GRC) tools to assist companies with meeting the NIST SP 800-171 controls; ideally, the tool you choose should contain the following:

  • All NIST SP 800-171 controls as well as the objective statements of NIST SP 800-171a.
  • Storage for policies and evidence.
  • Linkage between controls and objectives to the policies and evidence files.
  • Automatic creation of the system security plan (SSP) and the plan of actions and milestones (POAM).
  • An auditor module.
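As an added illustration (not code from the article or from Smithers) of the linkage a GRC tool needs between controls, NIST SP 800-171A objectives, policies and evidence, this Python sketch derives system security plan (SSP) status and POAM rows from that linkage. Control 3.1.1 and its objective identifiers follow NIST numbering; the objective wording is paraphrased and the policy and evidence file names are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Objective:
    obj_id: str       # NIST SP 800-171A objective, e.g. "3.1.1[a]"
    statement: str    # paraphrased objective wording
    policies: list = field(default_factory=list)   # linked policy documents
    evidence: list = field(default_factory=list)   # linked evidence files

@dataclass
class Control:
    ctrl_id: str      # NIST SP 800-171 control, e.g. "3.1.1"
    title: str
    objectives: list

def objective_gaps(obj):
    """Names the linkages an objective still lacks: 'policy' and/or 'evidence'."""
    return [kind for kind, links in (("policy", obj.policies),
                                     ("evidence", obj.evidence)) if not links]

def control_status(ctrl):
    """SSP status: a control is implemented only when every objective links
    to at least one policy and at least one evidence file."""
    gapped = [o for o in ctrl.objectives if objective_gaps(o)]
    if not gapped:
        return "Implemented"
    return "Not implemented" if len(gapped) == len(ctrl.objectives) else "Partially implemented"

def build_ssp(controls):
    """Control-by-control status table for the system security plan."""
    return {c.ctrl_id: control_status(c) for c in controls}

def build_poam(controls):
    """POAM rows: one per objective missing a policy or evidence linkage."""
    return [{"control": c.ctrl_id, "objective": o.obj_id, "missing": objective_gaps(o)}
            for c in controls for o in c.objectives if objective_gaps(o)]

# Constructed sample: one control, two objectives, the second not yet evidenced.
SAMPLE = [Control("3.1.1", "Limit system access to authorized users", [
    Objective("3.1.1[a]", "authorized users are identified",
              policies=["AC-Policy.pdf"], evidence=["ad-user-export.csv"]),
    Objective("3.1.1[b]", "processes acting on behalf of users are identified",
              policies=["AC-Policy.pdf"]),
])]

if __name__ == "__main__":
    print(build_ssp(SAMPLE), build_poam(SAMPLE), sep="\n")
```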

What are “specialized assets?” These include government property; Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices; operational technology; systems configured based entirely on government requirements and used to support a contract; and test equipment (CMMC Assessment Guide — Level 2, Version 2.0).

What would an “out-of-scope” asset be in a manufacturing plant? Out-of-scope assets are assets that cannot be, or are not, used to process, store or transmit CUI data. The asset must be physically or logically separated from CUI assets and from any external network access. An out-of-scope asset could be a CNC machine, assembly robot or other such asset. The easiest way to narrow down the scope is to ensure these types of machines/devices are not connected to any external networks or to networks used for CUI. Air gapping is the most common method of separating these machines (CMMC Assessment Guide — Level 2, Version 2.0).

Is encrypted CUI still CUI? CUI remains CUI regardless of encryption. Encryption is a control mechanism to help protect CUI when being transmitted or stored. It reduces the potential for unauthorized release if the data is lost in transit or stolen.

Are employee phones in scope for an assessment? If an employee’s phone is used to process, store or transmit CUI, it might be considered in scope depending on how the data is handled on the mobile device (especially if the data is accessed using the phone’s native application). The use of a mobile device management container or virtual desktop infrastructure might provide the physical and logical separation needed to keep these mobile devices out of scope for the assessment.

Does my MSP have to be assessed when I get assessed? If the managed service provider (MSP) has access to any of the CUI assets, then they must be assessed as part of your organization’s assessment. MSPs typically manage numerous controls as part of your NIST/CMMC compliance, either entirely on their own or shared with your organization. Since these controls are required to meet CMMC, the MSP will be involved in the assessment. If the MSP hosts CUI data or the MSP personnel have access to CUI, then again, the MSP is part of the assessment.

Click here to find more CMMC resources from Smithers.

About the Author

Robert McVay

Robert McVay is senior consultant — information security services for Smithers.
