A Comprehensive Cybersecurity Strategy for Defense Manufacturing: DOD, CMMC, and NIST Cybersecurity Framework 

Defense manufacturing involves a complex supply chain comprising tiers of global contract manufacturers that introduce cybersecurity risks. The U.S. Department of Defense’s (DOD) industrial base is made up of 220,000 companies. The size and scope of the supply chain leave confidential information and intellectual property open to exploitation and compromise without proper digital protection.

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of regulations DOD contractors and subcontractors must follow. One crucial aspect of DFARS is cybersecurity. Contractors and subcontractors must implement the security controls specified in NIST Special Publication 800-171 and must report cyber incidents to the DOD. NIST 800-171 comprises 110 controls divided into 14 control families. It was developed specifically to provide guidance for the DFARS cybersecurity clause.

The DOD may soon be requiring its industrial base, including contract manufacturers, to achieve Cybersecurity Maturity Model Certification (CMMC), which sets the minimum cybersecurity requirements for companies. It is designed to enforce the protection of sensitive unclassified information that the DOD shares with its contractors and subcontractors. Currently, this certification is not mandatory.

The U.S. Department of Commerce, National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a comprehensive approach to cybersecurity. The Framework is voluntary guidance based on existing standards, guidelines, and practices to help companies, not only those involved in defense work, understand and manage their cybersecurity risk. The Framework can help companies identify and prioritize their cybersecurity efforts, which in turn support efforts toward achieving CMMC certification.

CMMC Overview

CMMC V1.0 was released in January 2020. The certification requires third-party assessments of contractors’ compliance with certain mandatory practices, procedures, and capabilities, demonstrating they have the proper controls to protect sensitive data, notably Controlled Unclassified Information (CUI). It was designed in response to significant compromises of sensitive defense information located on contractors’ information systems.

CMMC is based on both DFARS and NIST 800-171 and includes all 110 controls and more. The certification process was developed because some contractors claimed to comply with NIST 800-171 but did not. CMMC is a model that is currently being developed as a replacement for the existing NIST 800-171 requirements.

The DOD announced significant changes to CMMC in November 2021 after an internal review. These changes are still going through the rulemaking process, during which time industry feedback is accepted, reviewed, and considered. Currently, CMMC V2.0 is proposed to be condensed into three levels: foundational, advanced, and expert, as opposed to the five levels which were part of the original version. It is important for industry partners to monitor the continual development of the CMMC standard to correctly identify the level of accreditation that will be needed and to best prepare for the implementation of the updated controls once the rules are finalized.

According to the DOD, “The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The Department does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process. Once CMMC 2.0 is codified through rulemaking, the Department will require companies to adhere to the revised CMMC framework according to requirements set forth in regulation.”

History of the Framework

The President signed Executive Order 13636 on February 12, 2013. Its purpose was to protect the Nation’s critical infrastructure from cyber threats. The Order directed NIST’s director to lead the development of a framework to reduce these cyber risks that incorporated existing voluntary consensus standards and industry best practices. It also stressed that the Framework provided “a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.”

Throughout 2013 a series of workshops and drafts of preliminary Frameworks were conducted and released. The workshops were held in strategic locations around the U.S. to promote attendance by as many interested members of industry and academia as possible. They were also live-streamed and recorded. NIST also used a Request for Information (RFI) and Request for Comment (RFC) to identify existing cybersecurity standards, guidelines, frameworks, and best practices; determine where high-priority gaps existed; and develop action plans to address the gaps. One year later, in February 2014, Framework V1.0 was published.

The Framework is considered a living document that will continue to be updated and improved. In 2018, it was updated to V1.1 and is currently in the process of updating to V2.0 to keep pace with the evolving cybersecurity landscape.

Understanding the Framework

The Framework is voluntary, and because it offers a flexible structure, companies are free to customize it to maximize its value for their company. Its flexibility and adaptability make it ideal for various organizations, from small to large multinational companies. The Framework comprises three parts: the Core, the Implementation Tiers, and the Profiles.

The Core provides a set of desired cybersecurity activities and outcomes using easy-to-understand language. It helps companies manage and reduce cybersecurity risk in a way that complements their existing processes. It is divided into five sections: identify, protect, detect, respond, and recover.

The Implementation Tiers help companies understand how they view cybersecurity risk and the processes they have in place to manage risk. The tiers guide them to consider how robust their program needs to be for their company. They are often used as a communication tool for discussion around risk acceptance levels, mission priority, and budget. The tiers are partial (tier 1), risk informed (tier 2), repeatable (tier 3), and adaptive (tier 4). The tiers demonstrate how integrated cybersecurity risk decisions are into broader risk decisions and to what degree the company shares and receives cybersecurity information with external parties.

The Profiles help organizations establish a roadmap for reducing cybersecurity risk that aligns well with their business needs. Profiles are used to identify gaps and prioritize opportunities for improving cybersecurity.

While the Framework is not specifically for defense contract manufacturers, it provides a structured methodology to ensure that the appropriate cybersecurity protections are in place to protect sensitive information and minimize network risks.

Noble Plastics Cybersecurity Compliance

At Noble Plastics, we are on the leading edge of modernizing manufacturing, so we understand the critical nature of protecting our assets, intellectual property, and confidential information.

The U.S. Department of Defense recognizes us as an ITAR-registered provider of defense manufacturing and military injection molding services for government contractors. We have built our cybersecurity model on the NIST 800-171 framework and partnered with an experienced DOD contractor to help us implement and audit our NIST 800-171 controls. We continue to monitor the development of the CMMC model so that we can effectively implement any changes once CMMC becomes the required standard.

Our quality certifications and extensive experience in this sector position us to securely deliver the parts you need when you need them while considering your bottom line.

Contact us to learn more or to get started with your defense project.
