The Defense Industrial Base is facing new threats every day. The Department of Defense needs its supply chain to enhance its resiliency in the cybersecurity space. Bell is committed to securing our supply chain by providing information and tools to prepare our suppliers for growing cybersecurity requirements.
Use the resources provided by Bell, such as the CMMC FAQ and Helpful Links, in conjunction with public resources, such as Project Spectrum, to educate your business about CMMC.
Use the templates provided as a guide to track and measure your progress with NIST SP 800-171 Rev. 1 and CMMC implementation.
Small and Medium Businesses are invited to collaborate with the prime through discussions on their CMMC implementation progress.
The CMMC framework verifies the implementation of processes and practices associated with the achievement of a required cybersecurity maturity level. CMMC is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level that corresponds with the risk.
CMMC accounts for the flow-down of information to subcontractors in a multi-tier supply chain. A DIB contractor can achieve a specific CMMC level for its entire enterprise network or for segment(s) or enclave(s), depending upon where the information to be protected is processed, stored, or transmitted.
The CMMC model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references. The CMMC levels and the associated sets of processes and practices are cumulative and build upon each other. The CMMC model encompasses the basic safeguarding requirements for FCI specified in FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, and the increased security requirements for CUI specified in NIST SP 800-171 Rev. 1 per DFARS clause 252.204-7012. Furthermore, the CMMC model includes an additional five processes and 61 practices across Levels 2-5 that demonstrate a progression of cybersecurity maturity.
Ask yourself the following questions:
Starting in 2021, if you anticipate being awarded a contract that supports a military program, you will need at least a CMMC Level 1. By 2025, the CMMC requirement will be on all DoD contracts. This certification is an entry-to-market requirement. Whether your business is a machine shop or a large OEM, you’ll need a cybersecurity certification. The level varies by what kind of data you access from the prime contractor.
Think of CMMC like a quality certification, and view the parallels below:
| | AS9100 Rev D | CMMC |
|---|---|---|
| Certification to do business with the DoD | Yes | Yes |
| Goal of the certification | Create a standard for Quality Management Systems in the Aviation, Space and Defense (AS&D) industry | Create a standard for cybersecurity practices and hygiene in the Defense Industrial Base (DIB) |
We’ve made physical safety and quality a foundation in how we do business. Now it’s time to do the same with our supply base by adopting and standardizing cybersecurity practices to protect the information in the DIB. CMMC builds upon DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which has appeared as a flow-down clause in past DoD contracts.
I don’t do business directly with the DoD, why does this apply to me?
Since CMMC is a DFARS requirement, it is mandated to be flowed down to the supply chain. Whether you’re a 1st- or 7th-tier subcontractor, your business must be awarded a CMMC level in order to do business with the DoD at any level. The goal of CMMC is to mitigate the risk of information theft at all levels.
Bell has created a Cybersecurity Toolkit with resources to help our suppliers begin to understand CMMC. These resources can be found in the “Cybersecurity Toolkit” folder in your Sell2Bell Portal.
These documents were created with information from several DoD resources and are designed to be a one-stop shop for questions your organization may have regarding the NIST assessment and the CMMC certification.
Here are other free resources provided by different government agencies dedicated to cybersecurity education:
Project Spectrum: Created by the Office of Small Business Programs of the Department of Defense. The goal of Project Spectrum is to educate businesses about CMMC and how to become compliant. It includes training videos, webinars from DoD officials, online courses, a NIST Self-Assessment Tool, and more.
NIST Small Business Cybersecurity Corner: Created by the U.S. Department of Commerce. This site provides cybersecurity basics, guidance, solutions, and training to protect your information and manage your risks. Look into the National Initiative for Cybersecurity Education (NICE) framework, which provides access to free and low-cost online cybersecurity training.
ND-ISAC CyberAssist: The DIB SCC Industry Task Force is identifying and posting links to helpful, publicly available cybersecurity resources. The resources were selected both to help companies (i) meet DoD and other U.S. cybersecurity standards applicable to U.S. federal contractors (e.g., the FAR Basic Safeguarding clause, the DFARS Safeguarding CDI clause, CMMC); and (ii) otherwise improve their current cybersecurity protections.
BEWARE OF SCAMS: The CMMC Accreditation Body (AB) is the only organization that can assign a CMMC Level to your business. As of February 2021, the CMMC AB has approved provisional assessors but has not started the audits. A portal to sign up for your certification has not been released. Be vigilant and do not be misled by third-party entities who publicly represent themselves as capable of providing a CMMC certification that will be accepted by the DoD. Bell Flight will release communication and instructions on how to sign up for your CMMC certification when available.
Before you get a CMMC certification from the CMMC Accreditation Body, you need to complete the NIST SP 800-171 Rev. 1 basic assessment and submit your results to the Supplier Performance Risk System (SPRS). The assessment is called out in the interim rule specified in DFARS Case 2019-D041:
| DFARS 252.204-7019 | DFARS 252.204-7020 |
|---|---|
| Requires offerors to ensure the results of any applicable current Assessments are posted in SPRS. | Requires a contractor to provide the Government with access to its facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level Assessment. |
The clauses above do not duplicate, overlap, or conflict with any other Federal rules. Rather, these rules validate and verify contractor compliance with the existing cybersecurity requirements in FAR clause 52.204-21 and DFARS clause 252.204-7012, and ensure that the entire DIB sector has the appropriate cybersecurity processes and practices in place to properly protect FCI and CUI during performance of DoD contracts.
As the NIST framework has matured, free resources have become available to help your business complete the audit:
NOTE: Performing the basic assessment does not make your company compliant. This assessment methodology measures a company’s compliance with the 110 controls of NIST SP 800-171 Rev. 1. A NIST compliance score can be zero, negative, or a perfect score of 110.
NOTE: The CMMC framework requires contractors to flow down the appropriate certification requirements to subcontractors throughout the entire supply chain. DIB companies that do not process, store, or transmit CUI must obtain a CMMC Level 1 certification. DIB companies that process, store, or transmit CUI must achieve CMMC Level 3 or higher, depending on the sensitivity of the information associated with the program or technology being developed. The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs). Bell suggests that suppliers proactively set CMMC goals and perform a gap analysis against their possible target levels.
Implementing and complying with growing cybersecurity regulation is a challenge. If you would like to sign up for a cybersecurity focus group to share your experience and questions, please email firstname.lastname@example.org.
Topics of Discussion include: