Our Journey to CMMC Certification: How We Protect Your CUI
Effective 2024, companies providing manufacturing services for the US Department of Defense (DoD) will be required to maintain a new certification called CMMC (Cybersecurity Maturity Model Certification), proving they meet rigorous cybersecurity standards.
As one of the country’s top defense and aerospace machine shops, Focused on Machining is working hard to achieve CMMC certification.
Although we already follow well-established procedures to protect customer information, the journey to becoming CMMC certified will ensure all sensitive information that comes through our shop is secure to the highest standards of compliance.
What Is CMMC?
According to the US Department of Defense:
“The Cybersecurity Maturity Model Certification (CMMC) program is aligned to DoD’s information security requirements for Defense Industrial Base (DIB) partners. It is designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.”
The DoD introduced the initial vision for the CMMC program in 2020 and has spent the past few years refining it. The latest version, CMMC 2.0, has three compliance levels:
Level 1: 15 requirements
Level 2: 110 requirements aligned to NIST SP 800-171
Level 3: 110 requirements based on NIST SP 800-171 & 800-172
Focused on Machining is working to achieve Level 2 certification, as Level 3 is necessary for only the most sensitive aerospace and defense projects.
How Our Defense and Aerospace Machine Shop Is Preparing for CMMC Certification
While CMMC certification is specific to aerospace and defense manufacturing, customers in all industries will benefit from working with a CMMC-certified shop. Essentially, customers can be fully confident that these shops will keep their data safe and secure.
Obtaining CMMC certification is a long and strenuous process—one that can take up to 18 months. But rest assured, we already have many measures in place to help us meet this requirement. Here are several of them:
1. Secure quoting and order entry
During the quoting stage of a project, we use our ITAR-compliant quoting platform, Paperless Parts, to designate ITAR parts, which ensures a high level of protection for CUI (Controlled Unclassified Information), including prints and models.
ProShop, the ERP system we use for order entry, also has ITAR designations. All Focused on Machining employees are ITAR-compliant and can access the information in the system. However, if ever we were to have an employee who isn’t yet ITAR-compliant, the ERP system would prevent them from accessing ITAR files.
2. Employee training and development
We train employees on all best practices and requirements for protecting sensitive information. Employees who have email addresses are trained on how to recognize and avoid phishing scams. All employees are taught how to identify CUI in a print and model and what measures to take to keep that information secure.
3. Restricted and limited access
Justin Quinn, our president, is the only person in our defense and aerospace machine shop permitted to print a copy of a print. We’re also working toward disabling USB ports on computers so employees can’t copy data off their computers. Additional multi-factor authentication practices prevent employees from accessing information remotely.
4. Building security
Physical security is just as critical as digital security. We keep our building highly secure, requiring each visitor to come in through the front office and sign in. During the summer, when we open our garage bay to let the air in, we have a gate we close so that no one can walk in unless admitted.
5. Vendor engagement
As a general rule, we send vendors just enough information for them to get the job done right. That means none of our vendors receive access to customers’ complete prints or models. It can be tricky to give them the right information without disclosing too much, but we’re willing to put in that extra work for our customers.
Some of our vendors are also working to become CMMC certified, and as we move forward, we’ll prioritize working with these vendors.
What's Ahead for Focused on Machining
We began preparing for CMMC certification in March 2023, and while the process is long and involved, we are dedicated to achieving Level 2 certification and confident that we’ll make it happen.
We’ll continue to provide updates throughout the process so all our customers understand the transformative impact that becoming CMMC certified will have on our operations.