For the Defense Industrial Base, the release of the Cybersecurity Maturity Model Certification (CMMC) comes on the heels of previous compliance requirements: DFARS 7012 and NIST 800-171. CMMC requires many businesses, including Small-medium Sized manufacturers (SMMs) in the the Defense Industrial Base (DIB) to pass 3rd party assessments based on the level requirement stated in their contracts. Defense contractors will be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. These evaluations will lead to a level certification of 1 to 5 issued from the CMMC Accreditation Body (CMMC-AB), level 5 being the most secure. For a more detailed explanation of CMMC and the Accreditation Body click here.
OUSD A&S and the CMMC-Accreditation Body solidified their partnership, November 25, 2020, in signing a No-Cost contract to support this very important mission for our cybersecurity, information security, and thus national security.
For reference, according to the new DFARS 252.204-7021 clause released in the recent DFARS interim rule on September 30, 2020, the DoD estimates the total annual assessment cost for a small entity looking to achieve a CMMC Level 3 assessment will be $60,009. Since CMMC certifications will only be valid for three years, that would make the cost for an organization seeking certification (OSC) $60,009 every three years (these numbers are assuming that you have already met the NIST 800-171 standards). If your organization handles Controlled Unclassified Information (CUI), you will be required to meet the NIST 800-171 standards, plus the 20 additional technical controls stated in CMMC Level 3.
To implement all 130 practices associated with Level 3, the cost of preparation can easily double or triple the expenses above over a three year period. Thankfully, grant funding was allocated to address this challenge for small businesses. Section 1642 of the National Defense Authorization Act for Fiscal Year 2021 states:
Subject to the availability of appropriations, the Secretary of Defense, in consultation with the Director of the National Institute of Standards and Technology, may award financial assistance to a [MEP] Center for the purpose of providing cybersecurity services to small manufacturers.
In other words, the NIST Manufacturing Extension Partnership (MEP) Center - find your MEP - in your state can provide financial assistance to small to medium sized manufacturers in the Defense Industrial Base who are required to meet security and compliance regulations.
NIST and CMMC: Manufacturing Extension Partnership Program
Established by the National Institute of Standards and Technology (NIST) in 1988, the Manufacturing Extension Partnership program, or MEP, is a national network created to support US supply chain manufacturers with organizational growth, the creation/sustainment of jobs, the facilitation of dynamic manufacturing communities, and overall competitiveness on a national and global scale. Support through state partnerships, technology acceleration, manufacturing process improvement, technology acceleration, and cybersecurity services serve as the means for MEP Centers to help SMMs in the aerospace and defense industry succeed. Particularly, additional resources are provided to SMMs with financial constraints or market barriers, such as costly cybersecurity measures. MEPs are actively assisting businesses to implement security practices and policies for DFARS and CMMC compliance through internal and external experts.
How do MEP Centers Help With Security and Compliance?
As previously discussed, CMMC is a security and compliance regulation mandated by the DoD, and organizations supporting the DoD seeking certification with less than 500 employees may have a difficult time providing the resources necessary for a full NIST 800-171/CMMC technical implementation.
Implementing affordable cybersecurity services to SMMs is one of, if not the most, significant role of the NIST MEP Centers. According to the 2019 nist.gov annual report for MEPs, $140 million in total resources were provided to the NIST MEP program. Of that $140 million, $124.1 million was used for direct support of MEP Centers. The remaining $15.9 million was used for administrative and/or non-direct support.
Each U.S. state (as well as Puerto Rico) contains one NIST MEP center serving as a public-private partnership created through a cost-share model. After consulting with your respective MEP Center or regional affiliate (i.e. San Diego Regional Economic Development Corporation), they may prescribe a solution set and assume a portion of the service fees through the aforementioned federal grants. The contractor then shoulders the remaining cost of the project(s). All of this in an effort to keep the organizations protecting the US operational without major financial burden
Because MEP Centers are especially interested in the success of each support effort: cybersecurity-awareness training, technical implementations, assessments and policies, etc. Ultimately, MEP centers are most concerned about the cyber-posture of the SMM beyond compliance and works to eliminate vulnerabilities for an adversarial attack on the SMM's information systems.
Clearly, MEP Centers are creating better opportunities for SMMs seeking cybersecurity certifications so that the overall security posture of the United States is improved, and organizations in the aerospace and defense supply chain are given a fair opportunity to compete on contracts. This cost-sharing model allows smaller DoD contractors to meet mandatory compliance requirements, such as CMMC, and enable them to bid and be awarded contracts.
Next Steps for Small-Medium Sized Manufacturers
In order to connect with your local MEP Center, you'll need to reach out to get connected. Below is a list of territories with a form and description of the Center on each page.
- New Hampshire
- New Jersey
- New Mexico
- New York
- North Carolina
- North Dakota
- Rhode Island
- South Carolina
- South Dakota
- West Virginia
- (Puerto Rico)