CMMC (Cybersecurity Maturity Model Certification) is an acronym I have been hearing about in the GSA world for well over a year, which for some reason did not make it onto the lips of the furniture people I know until a month or so ago. CMMC is already in version 2.0 and is being implemented by the Department of Defense.
I am not sure why CMMC has not already been introduced heavily into the furniture industry, as it is moving fast and furious. As my friend Matt Brady, President of New Day Office in Suffolk VA, shared with me “It is on bids. We don’t always read the fine print in every bid, but if you read the fine print, we are already seeing it.”
In this month’s article we explore what CMMC is and how this new cybersecurity certification applies to all furniture manufacturers and dealers holding DoD contracts.
As you may have guessed from the name, CMMC is focused on protecting two types of information: 1) Federal Contract Information (FCI) and 2) Controlled Unclassified Information (CUI), which can be found in DoD contracts and in information supporting work performed by non-DoD employees, including dealers, manufacturers, and designers to name a few.
Your first thought, like mine, may be that CAD drawings could be classified as CUI, and you would be correct! However, according to Matt Brady, there are many categories of CUI found in DoD contracts, including addresses of buildings, personnel contact information, etc.
The United States has many enemies, and now DoD is taking steps to better enforce the cybersecurity standards in place to control and protect the flow of information required for Defense Industrial Base (DIB) contractors to perform on DoD contracts. CMMC is the framework DoD has developed to protect FCI and CUI.
From the DoD CMMC website (https://dodcio.defense.gov/CMMC/About/):
“The Cybersecurity Maturity Model Certification (CMMC) program is aligned to DoD’s information security requirements for DIB partners. It is designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.
The CMMC 2.0 program has three key features:
Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for requiring protection of information that is flowed down to subcontractors.
Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.”
To further understand CMMC and what it will look like for manufacturers and dealers who work with the DoD, I reached out with some questions to Sync21, a cybersecurity compliance managed services company based in Norfolk, VA (https://sync21.com/). Sync21’s principals Carl Long and Greg Weber have been working with New Day Office and some other major government furniture contractors to start the CMMC certification process.
Michelle: Carl, thanks for your willingness to help me better understand this CMMC process. Do you know when the CMMC will be mandated to furniture companies?
Carl & Greg: If your company holds DoD contract(s) that contain DFARS 7012 clauses, then you may already be in breach if you haven’t started to address the Cybersecurity Compliance requirements found in those clauses. CMMC is essentially an enforcement mechanism for DFARS clauses, so the time to start is now. CMMC rulemaking is nearing completion as we speak, with initial 3rd party assessments potentially starting before the end of 2023.
Michelle: Do we know for sure that furniture plans, contact information, etc. are deemed critical to national security and would require more than Level 1 certification?
Carl & Greg: If you do not have a DoD contract, then you do not currently have FCI or CUI. If you do hold DoD contracts, the fine print of the contract should specify if there is any CUI and what specific types are involved. If you anticipate DoD contracts with CUI, then we recommend consulting the following websites to better understand the large breadth of CUI categories: National Archives CUI page: https://www.archives.gov/cui
The DoD CUI Registry: https://www.dodcui.mil/Home/DoD-CUI-Registry
You may not be awarded contracts if you are not ready to be CMMC compliant, and those that are ready may step in and win contracts instead. It is worth noting that DoD contracts without CUI are still considered to contain Federal Contract Information (FCI), which requires CMMC Level 1 compliance; this is not a trivial set of requirements for contractors with little or no cybersecurity infrastructure.
Michelle: Is this something that a dealer or manufacturer could do on their own? How hard is this?
Carl & Greg: Most dealers or manufacturers do not have the in-house subject matter expertise to prepare for a CMMC Assessment on their own, and we recommend that they hire a Certified CMMC Professional (CCP) at a minimum. CMMC Level 2 certifications for most contractors will require expensive 3rd party assessments, so being better prepared will help control the associated costs.
It is also worth noting that CMMC Level 2 certifications will be Pass/Fail, and all NIST 800-171 controls will have to be satisfied.
Michelle: What would be the first step for someone interested in at least getting to Level 1?
Carl & Greg: We recommend a Level 1 Gap Analysis to compare your company’s cybersecurity posture to the CMMC Level 1 requirements.
Again, many thanks to Matt Brady with New Day and Carl Long & Greg Weber with Sync21 for helping me demystify this for Delve readers!! Stay tuned for more information on CMMC as the QPC meeting is May 10th in DC and hopefully BIFMA will be hosting a webinar on this topic soon.
ABOUT MICHELLE WARREN
Founder, President - Catalyst Consulting Group
Michelle Warren is President of Catalyst Consulting Group, a firm specializing in providing strategic solutions to the commercial furniture industry to enhance their sales, positioning, and distribution. With 25 years of industry experience on the dealer and manufacturer side of the industry, Michelle has been recognized as an innovator in selling to the Federal Government, State/Local Government, Higher Education and Cooperative Purchasing. Her expertise includes: sales strategies, strategic planning, 3-5 year road mapping, targeted marketing plans, distribution development, hiring reps, and training for reps and/or dealers. Michelle is known as a “serial networker” in the furniture industry and enjoys meeting people and making connections happen. If you’re interested in connecting - reach out at: Michelle@strategic-catalyst.com, connect on LinkedIn or visit www.strategic-catalyst.com to learn more about her work.
As seen in Delve | April 2023 V.37