Supplier Cybersecurity

Where to start

The Defense Industrial Base is facing new threats every day. The Department of Defense needs its supply chain to enhance its resiliency in the cybersecurity space. Bell is committed to securing our supply chain by providing information and tools to prepare our suppliers for growing cybersecurity requirements.

 

Download toolkit

Understanding the Requirements

Use the resources provided by Bell, such as the CMMC FAQ and Helpful Links, in conjunction with public resources, such as Project Spectrum, to educate your business about CMMC.

SSP and POAM Template

Use the templates provided as a guide to track and measure your progress with NIST SP 800-171 Rev. 1 and CMMC implementation.

Focus Groups

Small and Medium Businesses are invited to collaborate with the prime through discussions on their CMMC implementation progress.

Steps to cybersecurity maturity

Step 1: Understanding the Cybersecurity Maturity Model Certification (CMMC)


Short Answer:
The CMMC framework verifies the implementation of processes and practices associated with the achievement of a required cybersecurity maturity level. CMMC is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level that corresponds with the risk.

 

Long Answer:
CMMC accounts for information flow down to its subcontractors in a multi-tier supply chain. A DIB contractor can achieve a specific CMMC level for its entire enterprise network or segment(s) or enclave(s), depending upon where the information to be protected is processed, stored, or transmitted.

 

The CMMC model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references. The CMMC levels and the associated sets of processes and practices are cumulative and build upon each other. The CMMC model encompasses the basic safeguarding requirements for FCI specified in FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, and the increased security requirements for CUI specified in NIST SP 800-171 Rev. 1 per DFARS clause 252.204-7012. Furthermore, the CMMC model includes an additional five processes and 61 practices across Levels 2-5 that demonstrate a progression of cybersecurity maturity.

Step 2: Evaluating the Need for Your Business to be CMMC Compliant

Ask yourself the following questions:

  1. Do I anticipate bidding for military work in the future?
    1. If Yes, you should anticipate being CMMC compliant in future contracts.
    2. If No, CMMC does not apply to you: the DFARS 252.204-7021 clause is only included in DoD contracts and their flow-downs.
  2. Do I exclusively supply COTS (commercial off-the-shelf) items to Bell?
    1. If Yes, you are exempt from CMMC; DFARS 252.204-7021 excludes acquisitions solely for COTS items.
    2. If No, you should anticipate being CMMC compliant in future contracts.
  3. Do my departments that support part build (i.e. sales, engineering and design, quality) access ENOVIA or other Bell technical data?

 

Starting in 2021, if you anticipate being awarded a contract that supports a military program, you will need at least a CMMC Level 1. By 2025, the CMMC requirement will be on all DoD contracts. This certification is an entry-to-market requirement. Whether your business is a machine shop or a large OEM, you’ll need a cybersecurity certification. The required level depends on what kind of data you access from the prime contractor.

 

Think of CMMC like a quality certification, and view the parallels below:

  Criterion                                    AS9100 Rev D   CMMC
  Certification to do business with the DoD    Yes            Yes
  Individual auditors                          Yes            Yes
  Renewable certification                      Yes            Yes
  Goal of the certification:
    AS9100 Rev D: Create a standard for Quality Management Systems in the Aviation, Space and Defense (AS&D) industry.
    CMMC: Create a standard for cybersecurity practices and hygiene in the Defense Industrial Base (DIB).

We’ve made physical safety and quality a foundation in how we do business. Now it’s time to do the same with our supply base by adopting and standardizing cybersecurity practices to protect the information in the DIB. CMMC builds upon DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which appears as a flow down in past DoD contracts.

 

I don’t do business directly with the DoD, why does this apply to me?

 

Since CMMC is a DFARS requirement, it is mandated to be flowed down to the supply chain. Whether you’re a 1st or 7th tier subcontractor, a CMMC level must be awarded for you in order to do business with the DoD at any level. The goal of CMMC is to mitigate risk of information theft at all levels.

Step 3: Accessing CMMC Resources

Bell has created a Cybersecurity Toolkit with resources to help our suppliers begin to understand CMMC. These resources can be found in the “Cybersecurity Toolkit” folder in your Sell2Bell Portal.

  • CMMC FAQs
  • Helpful Links
  • Requirements Interim Rule DFARS Case 2019-D041
  • NIST SP 800-171 Rev 1 Methodology and Assessment

 

These documents were created with information from several DoD resources and are designed to be a one-stop shop for questions your organization may have regarding the NIST assessment and the CMMC certification.

 

Here are other free resources provided by different government agencies dedicated to cybersecurity education:

 

Project Spectrum: Created by the Office of Small Business Programs of the Department of Defense. The goal of Project Spectrum is to educate businesses about CMMC and how to become compliant. It includes training videos, webinars from DoD officials, online courses, a NIST Self-Assessment Tool, and more.

 

NIST Small Business Cybersecurity Corner: Created by the U.S. Department of Commerce. This site provides cybersecurity basics, guidance, solutions, and training to protect your information and manage your risks. Look into the National Initiative for Cybersecurity Education (NICE) framework, which provides access to free and low-cost online cybersecurity training.

 

ND-ISAC CyberAssist: The DIB SCC Industry Task Force is identifying and posting links to helpful publicly available cybersecurity resources. The resources were selected both to help companies (i) meet DoD and other U.S. cybersecurity standards applicable to U.S. federal contractors (e.g., the FAR Basic Safeguarding clause, the DFARS Safeguarding CDI clause, CMMC); and (ii) otherwise improve their current cybersecurity protections.

 

BEWARE OF SCAMS: The CMMC Accreditation Body (AB) is the only organization that can assign a CMMC Level to your business. As of February 2021, the CMMC AB has approved provisional assessors but has not started the audits. A portal to sign up for your certification has not been released. Be vigilant and do not be misled by third-party entities who publicly represent themselves as capable of providing a CMMC certification that will be accepted by the DoD. Bell Flight will release communication and instructions on how to sign up for your CMMC certification when available.

Step 4: Perform a NIST SP 800-171 R1 Assessment

Before you get a CMMC certification by the CMMC Accrediting Body, you need to complete the NIST SP 800-171 Rev. 1 basic assessment and submit your results into the Supplier Performance Risk System (SPRS). The assessment is called out in the interim rule specified in DFARS Case 2019-D041:

 

  • DFARS 252.204-7019: Requires offerors to ensure the results of any applicable current Assessments are posted in SPRS.
  • DFARS 252.204-7020: Requires a contractor to provide the Government with access to its facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level Assessment.

The clauses above do not duplicate, overlap, or conflict with any other Federal rules. Rather, they validate and verify contractor compliance with the existing cybersecurity requirements in FAR clause 52.204-21 and DFARS clause 252.204-7012, and ensure that the entire DIB sector has the appropriate cybersecurity processes and practices in place to properly protect FCI and CUI during performance of DoD contracts.

 

As the NIST framework has matured, there are free resources for your business to complete the audit:

  • Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Rev 1 Security Requirements: A step-by-step guide to assessing a small manufacturer’s information systems against the security requirements in NIST SP 800-171 Rev 1. Available in the Bell Cyber Toolkit.
  • NIST SP 800-171 Rev 1 DoD Assessment Methodology Version 1.2.1: Provides a standard methodology that enables a strategic assessment of a contractor’s implementation of NIST SP 800-171 Rev 1. Available in the Bell Cyber Toolkit.

 

NOTE: Performing the basic assessment does not make your company compliant. The assessment methodology measures a company’s implementation of the 110 security requirements of NIST SP 800-171 Rev 1: the score starts at 110 (one point per requirement) and each requirement that is not implemented subtracts its weighted value of 1, 3 or 5 points, so the result can be a perfect 110, zero, or a negative number (the methodology’s floor is -203).
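The following is an added worked example of that scoring arithmetic, not a tool from Bell or from the DoD Assessment Methodology itself. It encodes the Methodology’s scoring rules as described above (start at 110; subtract a 1-, 3- or 5-point weight per unimplemented requirement; the two partial-credit cases for 3.5.3 and 3.13.11), computes the score to report in SPRS, and lists the open POA&M items. The per-requirement weights and statuses in SAMPLE_ASSESSMENT are constructed for illustration; a real assessment must use the weights from the Methodology’s Annex A and cover all 110 requirements.

```python
"""Scoring a NIST SP 800-171 Rev 1 DoD Basic Assessment (added worked example).

Rules encoded, as described in the DoD Assessment Methodology: the score starts
at 110, and every requirement that is not implemented subtracts its weight of
1, 3 or 5 points. Two requirements allow partial credit: 3.5.3 (multifactor
authentication) deployed only for some accounts, and 3.13.11 (FIPS-validated
cryptography) with encryption in place but not FIPS-validated, each subtract 3
instead of 5. Weights in SAMPLE_ASSESSMENT are CONSTRUCTED, not from Annex A.
"""
from dataclasses import dataclass

MAX_SCORE = 110
VALID_WEIGHTS = {1, 3, 5}
# Requirements where a documented partial implementation earns a reduced deduction.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Finding:
    req_id: str   # NIST SP 800-171 requirement number, e.g. "3.1.1"
    weight: int   # assessment weight from the Methodology (1, 3 or 5)
    status: str   # "implemented", "partial" or "not_implemented"


def deduction(f: Finding) -> int:
    """Points subtracted for one requirement under the Methodology's rules."""
    if f.weight not in VALID_WEIGHTS:
        raise ValueError(f"{f.req_id}: weight must be 1, 3 or 5, got {f.weight}")
    if f.status == "implemented":
        return 0
    if f.status == "partial":
        # Only 3.5.3 and 3.13.11 get partial credit; every other requirement is
        # all-or-nothing, so "partial" scores the same as not implemented.
        return PARTIAL_DEDUCTION.get(f.req_id, f.weight)
    if f.status == "not_implemented":
        return f.weight
    raise ValueError(f"{f.req_id}: unknown status {f.status!r}")


def sprs_score(findings) -> int:
    """Score to report in SPRS. Requirements absent from the list count as
    implemented, which is why a self-assessment must cover all 110 of them."""
    ids = [f.req_id for f in findings]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate requirement ids in assessment")
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_items(findings):
    """Open POA&M entries: each requirement still costing points, with its deduction."""
    return [(f.req_id, deduction(f)) for f in findings if deduction(f) > 0]


# Constructed sample covering 8 requirements; weights are illustrative only.
SAMPLE_ASSESSMENT = [
    Finding("3.1.1", 5, "implemented"),       # limit system access to authorized users
    Finding("3.1.3", 1, "not_implemented"),   # control the flow of CUI
    Finding("3.1.22", 1, "not_implemented"),  # control CUI posted on public systems
    Finding("3.3.1", 5, "not_implemented"),   # audit logging
    Finding("3.4.2", 3, "partial"),           # security configuration settings (no partial credit)
    Finding("3.5.3", 5, "partial"),           # MFA in place for privileged accounts only
    Finding("3.8.3", 5, "implemented"),       # sanitize media before disposal
    Finding("3.13.11", 5, "partial"),         # encryption in use, but not FIPS-validated
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_ASSESSMENT))  # 94 for this sample
    for req_id, points in poam_items(SAMPLE_ASSESSMENT):
        print(f"POA&M open item {req_id}: -{points}")
```

For the sample, the deductions are 1 + 1 + 5 + 3 + 3 + 3 = 16, giving a score of 94 with six open POA&M items. Note that 3.4.2 costs its full 3 points despite being marked partial, while 3.5.3 and 3.13.11 drop from 5 to 3; and because every weight is positive, a system with enough unimplemented 5-point requirements goes below zero, which is the negative-score case the note above mentions.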

 

Step 5: Crafting a CMMC Game Plan
  1. Identify your stakeholders
    1. Who will lead the CMMC initiative for the business?
    2. Who will be affected by this new requirement?
    3. Who will help interpret and implement changes that this requirement will bring in the business?
    4. Who will approve additional personnel/equipment needed to be CMMC compliant?
    5. Ex: Legal, Compliance, IT, Cybersecurity, Engineering, Procurement, Contracts
  2. Quantify Resources and Personnel
    1. Should the business hire consultants or does the business have the resources and expertise to do a self-evaluation and implementation?
    2. How many labor hours will be needed to become compliant?
    3. How much will I spend on software, hardware, or firmware purchases and upgrades to be compliant?
  3. Determining the Right CMMC Level for your Business
    1. Who should help gauge my data sharing environment?
    2. Do I handle CUI or do I anticipate handling CUI in the future?
    3. How much data and what type of data from the prime do I access?
    4. How much data from the prime am I flowing down?

 

NOTE: The CMMC framework requires contractors to flow down the appropriate certification requirements to subcontractors throughout the entire supply chain. DIB companies that do not process, store, or transmit CUI, must obtain a CMMC Level 1 certification. DIB companies that process, store, or transmit CUI must achieve a CMMC Level 3 or higher, depending on the sensitivity of the information associated with a program or technology being developed. The DoD will specify the required CMMC level in Requests For Information (RFIs) and Requests for Proposals (RFPs). Bell suggests that suppliers proactively create CMMC goals and gap analysis between their possible target levels.

 

Implementing and complying with growing cybersecurity regulation is a challenge. If you would like to sign up for a cybersecurity focus group to share your experience and questions, please email scmcyberrisk@bellflight.com.

 

Topics of Discussion include:

  • NIST SP 800-171 Rev 1 and SPRS
  • CMMC goal and timeline for your business
  • Roadblocks/Hurdles
  • Data Marking

More resources

View frequently asked questions and helpful resources.
    • FAQs
    • Helpful Links
    • Toolkit