Cybersecurity Maturity Model Certification, or CMMC, is the cybersecurity requirement for all Department of Defense (DoD) contractors (AKA suppliers). This new requirement will be fully implemented by 2025, and InterConnect is well on its way to being ready for certification this year.
I am sure we all agree that cybersecurity is important, if not vital, to everyone. We all have various security software on our computers, lock up our computers, use secure banking websites, and watch what we click on in those crazy emails that come to us. How much more vital is cybersecurity for a defense supplier handling military weapons data?
Prior to CMMC being introduced, back in 2016, cybersecurity standards for DoD contractors were dictated by FAR clause 52.204-21, which outlined 15 basic safeguarding requirements. This was followed by the DFARS clause 252.204-7012, which directs compliance using NIST SP 800-171. All DoD contractors had to be following NIST SP 800-171 by year end 2017. Since that time, we have been using DFARS and NIST as our guides, since CMMC did not come on the scene until Version 1.0 in 2020.
The CMMC Accreditation Body formed in 2019, but this new standard is still not achievable due to a lack of trained assessors. The rollout of CMMC is a whole separate discussion for another time. One key difference with CMMC is that compliance is no longer determined via self-attestation. With NIST SP 800-171, one could simply say that their company is compliant. Did you know that there are 110 security requirements, yet no audit to determine compliance? With CMMC, an assessor must evaluate and award (or not award) the certification. InterConnect Wiring is actually glad that this is a requirement because the safety of our country is of utmost importance to us. Additionally, we have spent a great deal of time, money, and resources since 2016 becoming and staying NIST compliant. Now that we are moving over to CMMC compliance, an assessment for certification will be welcomed by our team. It is a difficult, expensive certification, but completely necessary, even for a small business.
Another difference between CMMC and the previous cybersecurity compliance standards is that CMMC is a maturity model and uses Levels to strictly define an Organization Seeking Certification’s (OSC) level of maturation. The levels are one through five, with levels 4 and 5 expected to be 1% to 5% of all DoD contractors. Most contractors are expected to target Level 3. If you make cushions for a military aircraft, you are most likely Level 1, as these are organizations not handling Controlled Unclassified Information (CUI), yet the federal government wants to protect their contract information. The CMMC Advisory Board (CMMCAB) defines Level 2 as a transition level going to Level 3.
As for manufacturing wiring harnesses and cockpit panels for the fighter jets, bombers, utility, and attack helicopters that we support, CMMC Level 3 certification will most likely be in the near future for InterConnect Wiring. If you want to learn more about CMMC in the aerospace industry, give us a call at 817.377.9473 and we can help with any questions you may have. You can also go to The Official DOD Home Page. Hope this information helps you and your organization protect yourselves and our country and reduce risk against cyber threats.