Senior Consultant, Information Security Services
United States
Contact Robert
Welcome to the Smithers Information Security Services CMMC resource page for manufacturers. This is a one-stop shop for everything you will need to know as we approach NIST/CMMC going into effect. First and foremost, what is CMMC? Our CMMC page offers a lot of detailed information that will answer that question for you.
Do I need NIST/CMMC?
The next question, once CMMC has been defined, is whether your company needs to comply with NIST/CMMC. The answer depends entirely on CUI, or Controlled Unclassified Information: information that the government requires to be properly protected. It is up to the federal government to tell you if you will be receiving CUI, but it is not always clear what CUI you are going to get, and labeling of CUI is a notoriously serious problem. If your contract with the government or with a prime contractor includes the DFARS 252.204-7012 clause, you are expected to be compliant with NIST SP 800-171.
For more information, the article Do you need NIST 800-171 or CMMC may be helpful for you. If you still have questions, don’t hesitate to contact us.
As you scroll down the page you will see a resources section as well as an FAQs section.
The following are good resources to depend upon for more information about NIST/CMMC or the industry at large.
CyberAB is the accreditation body for CMMC. One of the most valuable resources on the CyberAB website is the marketplace, which allows companies to review all potential assessors or C3PAOs. You can also find monthly town halls and other information.
The NIST Computer Security Resource Center is an outstanding website for a myriad of reasons. Its primary value is up-to-date information on NIST SP 800-171 and the other standards, but it also hosts an informative cybersecurity blog and many other resources.
The Department of Defense CIO page, as one might expect, has a lot of information about CMMC, although you will not find sneak peeks or ideas of when CMMC is going to go into effect. One of the best sections to look at here is the FAQs page.
Understanding Controlled Unclassified Information (CUI) is one of the most difficult parts of the NIST/CMMC landscape. This CUI category list from the National Archives will not necessarily give you all of the information you need for your specific organization, but it provides a valuable and reliable reference.
Summit7 provides a wealth of information on their YouTube channel, including fresh content every week via the Sum IT Up podcast with Jacob Horne and Jason Sproesser. Keeping up-to-date on what is being talked about in the industry is easier when you follow this channel.
Is data that comes out of my ERP CUI?
Unfortunately, the answer is that it depends. Did your organization load or create CUI in the ERP? If the answer is no, most organizations will find that their ERP contains Federal Contract Information (FCI) instead (FAR 52.204-21). FCI is information specific to a DoD contract that is not meant for public release, since it may contain specifics about the contract deliverables, timeline, and funding. It is recommended not to contaminate an ERP with CUI, because the entire ERP, its hosting company, and all your employees could then be considered in scope for your CMMC assessment.
Does the ERP have to be FedRAMP-compliant?
Once again, the answer depends on your company’s specific situation. If the ERP is used to process, store, or transmit CUI and it is hosted in the cloud, it must meet FedRAMP Moderate security baseline equivalency (DFARS 252.204-7012(b)(2)(ii)(D)). If the ERP is hosted locally with no cloud presence, then the ERP itself is required to meet all the controls of NIST SP 800-171.
What tools can I use to help me on my compliance journey?
There are numerous GRC tools to help companies with meeting the NIST SP 800-171 controls. The tool should ideally contain the following:
- All NIST SP 800-171 controls, together with the assessment objective statements of NIST SP 800-171A
- Storage for policies and evidence
- Linkage from each control and objective to the policy and evidence files that satisfy it
- Automatic generation of the system security plan (SSP) and the plan of action and milestones (POAM)
- An auditor module (desirable)
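The linkage and document-generation requirements above can be illustrated with a small data model. The following is an added example and not the page's, Smithers', or Future Feed's code: it links controls and their assessment objectives to policy and evidence files, derives each control's status the way NIST SP 800-171A does (a control is met only when every objective is met), and produces SSP rows and POAM rows from the same data. The control identifiers follow NIST SP 800-171 numbering, but the control titles, objective wording, and file paths are abbreviated sample data constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Objective:
    """One NIST SP 800-171A assessment objective, e.g. 3.1.1[a] (text abbreviated)."""
    obj_id: str
    text: str
    evidence: list[str] = field(default_factory=list)   # linked evidence files


@dataclass
class Control:
    """One NIST SP 800-171 control with its objectives and its linked policy document."""
    ctrl_id: str
    title: str
    objectives: list[Objective]
    policy: Optional[str] = None                          # linked policy file, if any


def control_status(ctrl: Control) -> str:
    """800-171A logic: a control is implemented only when every objective has evidence."""
    met = [bool(o.evidence) for o in ctrl.objectives]
    if all(met):
        return "Implemented"
    if any(met):
        return "Partially Implemented"
    return "Not Implemented"


def build_ssp(controls: list[Control]) -> list[dict]:
    """SSP rows: one per control, with its status and the artefacts linked to it."""
    return [
        {
            "control": c.ctrl_id,
            "title": c.title,
            "status": control_status(c),
            "policy": c.policy,
            "evidence": sorted({e for o in c.objectives for e in o.evidence}),
        }
        for c in controls
    ]


def build_poam(controls: list[Control]) -> list[dict]:
    """POAM rows: one per gap, i.e. a control with no policy or an objective with no evidence."""
    rows = []
    for c in controls:
        if c.policy is None:
            rows.append({"control": c.ctrl_id, "objective": None,
                         "weakness": f"No policy linked to {c.ctrl_id}", "milestone": "TBD"})
        for o in c.objectives:
            if not o.evidence:
                rows.append({"control": c.ctrl_id, "objective": o.obj_id,
                             "weakness": f"No evidence for {o.obj_id}: {o.text}",
                             "milestone": "TBD"})
    return rows


# Constructed sample inventory (paths and wording are illustrative, not a real SSP).
SAMPLE_CONTROLS = [
    Control("3.1.1", "Limit system access to authorized users, processes, and devices",
            [Objective("3.1.1[a]", "authorized users are identified",
                       ["evidence/ad-user-export-2024Q1.csv"]),
             Objective("3.1.1[c]", "devices authorized to connect are identified")],
            policy="policies/AC-01-access-control.pdf"),
    Control("3.1.2", "Limit system access to permitted transactions and functions",
            [Objective("3.1.2[a]", "permitted transactions and functions are defined")]),
    Control("3.8.3", "Sanitize or destroy media containing CUI before disposal or reuse",
            [Objective("3.8.3[a]", "media containing CUI is sanitized or destroyed",
                       ["evidence/media-sanitization-log-2024.xlsx"])],
            policy="policies/MP-01-media-protection.pdf"),
]

if __name__ == "__main__":
    for row in build_ssp(SAMPLE_CONTROLS):
        print("SSP ", row)
    for row in build_poam(SAMPLE_CONTROLS):
        print("POAM", row)
```

Running the script lists 3.1.1 as partially implemented (one objective lacks evidence), 3.1.2 as not implemented with two POAM entries (no policy, no evidence), and 3.8.3 as implemented with nothing on the POAM. The point of the model is that the SSP and POAM are views over the same control-to-evidence links, so they cannot drift apart; an auditor module would simply be a read-only view of the same links.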
Smithers has partnered with Future Feed (futurefeed.co) to provide CMMC clients with reduced pricing and a potential reduction in audit duration.
What is a “specialized asset”?
Specialized Assets include government property; Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices; operational technology; systems configured based entirely on government requirements and used to support a contract; and test equipment. (CMMC Assessment Guide – Level 2, Version 2.0).
What would an “out of scope” asset be in a manufacturing plant? Or, how can you narrow it down?
Out-of-scope assets are those that cannot be, or are not, used to process, store, or transmit CUI. The asset must be physically or logically separated from CUI assets and from any access to an external network. An out-of-scope asset could be a CNC machine, assembly robot, or similar equipment. The easiest way to narrow the scope is to ensure these machines and devices are not connected to any external network or to any network used for CUI. Air gapping is the most common method of separating these machines. (CMMC Assessment Guide – Level 2, Version 2.0).
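A scoping decision like the one above is easy to get wrong on a shop floor where one dual-homed device quietly bridges an "isolated" segment to the corporate network. The following is an added example, not code from the page or from Smithers, that applies the two criteria stated above to a constructed asset inventory: an asset that handles CUI is a CUI asset; an asset that is not air-gapped and whose network segment has any path (routed link or dual-homed device) to a CUI network or an external network is in scope; everything else is out of scope. Only the page's own categories (CUI asset, specialized asset, out-of-scope) are modelled; the asset names, segment names, and links are sample data.

```python
from collections import deque

# Asset types the CMMC guide treats as specialized assets (OT, IoT/IIoT, test equipment).
SPECIALIZED_TYPES = {"ot", "iot", "iiot", "test-equipment"}

# Constructed routed links between network segments and the external network set.
SAMPLE_LINKS = {("corp-lan", "internet"), ("cui-vlan", "corp-lan")}
EXTERNAL_NETWORKS = {"internet"}


def sample_inventory(hmi_bridged: bool) -> dict:
    """Constructed inventory. With hmi_bridged=True the HMI panel is dual-homed on
    the shop floor and the corporate LAN, which is the misconfiguration to catch."""
    hmi_nets = {"shop-floor", "corp-lan"} if hmi_bridged else {"shop-floor"}
    return {
        "fileserver-01":    {"type": "server",      "handles_cui": True,  "networks": {"cui-vlan"}},
        "eng-ws-07":        {"type": "workstation", "handles_cui": True,  "networks": {"cui-vlan"}},
        "cnc-mill-3":       {"type": "ot",          "handles_cui": False, "networks": set()},  # air-gapped
        "cnc-mill-4":       {"type": "ot",          "handles_cui": False, "networks": {"shop-floor"}},
        "assembly-robot-1": {"type": "ot",          "handles_cui": False, "networks": {"shop-floor"}},
        "hmi-panel-2":      {"type": "ot",          "handles_cui": False, "networks": hmi_nets},
        "erp-app":          {"type": "server",      "handles_cui": False, "networks": {"corp-lan"}},
    }


def build_network_graph(assets: dict, links: set) -> dict:
    """Adjacency between segments: explicit routed links plus any dual-homed asset,
    since a device on two segments is a path between them whether or not it routes."""
    graph: dict = {}

    def add(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    for a, b in links:
        add(a, b)
    for info in assets.values():
        nets = sorted(info["networks"])
        for i in range(len(nets)):
            for j in range(i + 1, len(nets)):
                add(nets[i], nets[j])
    return graph


def reachable(graph: dict, start: str) -> set:
    """All segments reachable from start (breadth-first search); includes start itself."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def classify(assets: dict, links: set, external_networks: set) -> dict:
    """Map each asset name to a scoping category using the criteria in the text."""
    graph = build_network_graph(assets, links)
    cui_networks = {n for info in assets.values() if info["handles_cui"] for n in info["networks"]}
    # Every segment with a path to a CUI segment or an external network pulls its assets in scope.
    tainted: set = set()
    for src in cui_networks | set(external_networks):
        tainted |= reachable(graph, src)
    result = {}
    for name, info in assets.items():
        if info["handles_cui"]:
            result[name] = "CUI Asset"
        elif info["networks"] & tainted:
            result[name] = ("Specialized Asset (in scope)" if info["type"] in SPECIALIZED_TYPES
                            else "In scope (not CUI)")
        else:
            result[name] = "Out-of-scope"      # air-gapped or on a fully isolated segment
    return result


if __name__ == "__main__":
    for bridged in (True, False):
        print(f"\nHMI dual-homed: {bridged}")
        for name, cat in classify(sample_inventory(bridged), SAMPLE_LINKS, EXTERNAL_NETWORKS).items():
            print(f"  {name:18} {cat}")
```

With the HMI dual-homed, every machine on the shop floor becomes a specialized asset in scope, because the shop-floor segment now has a path to the corporate LAN and through it to the CUI VLAN and the Internet; only the air-gapped mill stays out of scope. Remove that second interface and the whole shop-floor segment drops out of scope, which is the narrowing the text describes. Treating dual-homed devices as edges in the graph is the part most manual scoping exercises miss.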
Is encrypted CUI still CUI?
CUI remains CUI regardless of encryption. Encryption is a control mechanism to help protect CUI when being transmitted or stored. It reduces the potential for unauthorized release if the data is lost in transit or stolen.
Are our employee phones in scope for an assessment?
If an employee’s phone is used to process, store, or transmit CUI, it may be considered in scope depending on how the data is handled on the mobile device, especially if the data is accessed through the phone’s native applications. A mobile device management container or virtual desktop infrastructure may provide the physical and logical separation needed to keep these mobile devices out of scope for the assessment.
Does my MSP have to be assessed when I get assessed? What about my CSP?
If the MSP has access to any of the CUI assets, then yes, they too must be assessed as part of your organization’s assessment. MSPs typically manage numerous controls as part of your NIST/CMMC compliance, some entirely on their own and some shared with your organization. Since these controls are required to meet CMMC, the MSP will be involved in the assessment. If the MSP hosts CUI data or MSP personnel have access to CUI, then again, the MSP is part of the assessment.
What questions would you add to this list? Contact Robert to ask your questions and you may see them here!