CMMC for Aerospace and Defense companies: We help you determine where you’re at in CMMC. And bring you all the way to “Assessment Ready” with flexible consulting services and today’s best CMMC technology solutions.
Are You a COTS Supplier?
Don’t assume CMMC 2.0 requirements apply just because you received one of the many compliance form letters sent out by your prime customers. The DoD created exceptions, and one is for “COTS” products. If you qualify for COTS we’ll help you pursue a COTS exemption and avoid an unnecessary CMMC 2.0 Level 2 compliance program.
However, if you are not COTS, we provide affordable consulting services to help you achieve CMMC compliance. And please check out our requirements flowchart below to determine how NIST 800-171 and CMMC 2.0 apply to you.
COTS, CUI, or FCI Determination Flowchart
CMMC For Aerospace & Defense
Background
$600 billion dollars or about 1% of global gross domestic product is lost each year through cyber theft. Moreover our foreign adversaries know that information and technology are key cornerstones of military strength. And stealing from a sub-tier supplier is far easier than stealing from a larger prime contractor.
source: defense.gov
Because fewer controls exist with CUI as compared to classified information, CUI is the path of least resistance for our foreign enemies. The loss of CUI is one of the most significant risks to national security. Theft of CUI puts our men and women in military service in greater peril.
Cybersecurity Regulatory Compliance Phase-In: (applies to Aerospace & Defense)
December 31, 2017
The U.S. DoD requires Defense Industrial Base companies to provide “reasonable security” for Covered Defense Information under DFARS 252.204-7012. And many small-medium size companies were slow to implement it due to a lack of resources and technical expertise.
November 30, 2020
- Compliance enforcement strengthens through interim rules (DFARS 252.204 -7019 & -7020).
- The DoD requires companies submit NIST 800-171 self-assessment results into the Supplier Performance Risk System (SPRS).
- The SPRS enables DoD contract officials to consider a company’s self-assessment score (or failure to report it) in their contract award process.
Prime manufacturing contractors seek to understand their sub contractor’s compliance progress. And the status of their SPRS submission because of compliance flow down requirements.
Moreover DFARS 252.204-7021 ushers in CMMC (Cybersecurity Maturity Model Certification) that requires independent certification by an authorized C3PAO company.
November 04, 2021
The DoD releases CMMC 2.0 with the stated intention to simplify the CMMC standard while still safeguarding sensitive information. The previous 5 CMMC maturity levels are reduced to 3 and the number of controls is reduced to align with NIST 800-171.
What’s Next?
Determine if you handle CUI
If your products are not COTS, we look to your DoD contracts to determine if you handle Controlled Unclassified Information (CUI). But if you don’t handle CUI, your DoD contract information is Federal Contract Information (FCI). And you only need CMMC Level 1.
Ok, you handle CUI
Your goal is to differentiate CUI from all other information you handle, segregate it into a dedicated and secure environment, and minimize its footprint. We ascertain the nature and category of your CUI through a review with the DoD’s CUI Registry. And we scope CUI within your business organization using our proprietary Data Lifecycle approach to reduce compliance effort and cost.
We offer a CUI Scoping service to begin your CMMC 2.0 compliance program.
Your progression from NIST 800-171 to CMMC
DFARS 252.204-7012, -7019, and -7020 require you to perform a NIST 800-171 self-assessment. And submit summary-level score with POAM information to the DoD’s SPRS web portal, and remediate POAM deficiencies in pursuit of DFARS 252.204-7021 CMMC 2.0 Level 2 compliance.
SPRS DoD
Have you made your SPRS submission?
If you haven’t made your SPRS submission, we offer an affordable consulting package with a 30-day turnaround time.
CMMC Consulting
Have a low SPRS score? You’re not alone. Let us help you remediate NIST 800-171 POAM deficiencies and develop a CMMC 2.0 Level 2 compliance program just for you.
Gap Assessment
Want to confirm you’re ready for CMMC 2.0 assessment by a C3PAO? KLC Consulting evaluates readiness by simulating an independent C3PAO assessment.
CMMC for Aerospace & Defense: Challenges We Solve
- Lack of compliance knowledge
- Inability to remediate POAM deficiencies
- CUI exists in both electronic and physical forms
- Legacy MRP/ERP (Manufacturing Enterprise Resource Planning) systems complicate compliance
- Security of computers, network, file storage, and engineering software that generate code for CNC machines
- Separating manufacturing floor computer systems from the corporate (office) networks
- CUI proliferates across more departments and systems than is needed to perform DoD contract work
- Your design/engineering software processes CUI
- Your Operational Technology (OT) hardware and software may not be acceptable for CMMC Level 2
- Coordinating compliance activities with your MSP/MSSP
- CUI marking and labeling
- Uncertainty about flow down compliance requirements to subcontractors
- Uncertainty responding to compliance-related questions from:
- DoD agencies
- Prime contractors
- Subcontractors
- Cybersecurity insurers
- Incident response planning and reporting (DFARS 252.204-7012)
- Incident response plan testing (tabletop exercise)
- Penetration testing/vulnerability testing
Secure Your CMMC
C3PAO Assessment
Don’t Get Left on the Ground. With limited C3PAOs and a growing number of DIB companies requiring CMMC Level 2 certification, securing your assessment spot is crucial. Reserve your assessment with KLC Consulting today and avoid delays.