Making Chips Podcast for Manufacturing Leaders

What Is CMMC And Why Should You Be Concerned?


What is the Cybersecurity Maturity Model Certification (CMMC)? The DOD is implementing the CMMC to normalize and standardize cybersecurity preparedness across the Federal government’s defense industrial base. Meaning? If you’re doing DOD work, they’re mandating that you get this certification. So you need to know what this is all about. We’ve brought in Paul Van Metre and John Bilek to help fill in the blanks. Check it out!

Segments
  • [0:00] Amper Technologies machine monitoring systems
  • [3:39] Cybersecurity Maturity Model Certification (CMMC)
  • [5:05] Let’s talk acronyms (there’s one for everything)
  • [7:20] What’s happening at ZENGERS?
  • [8:20] The amount of money wasted on cybersecurity
  • [11:05] We welcome our two guests to the show
  • [14:48] What is CMMC really all about?
  • [17:09] Who is impacted by the CMMC requirement? 
  • [19:44] Check out ProShop ERP for more information on manufacturing software!
  • [20:44] The five levels of CMMC compliance
  • [21:56] The CMMC implementation process
  • [27:19] What does “CMMC Compliant” mean?
  • [29:02] What ProShop ERP is rolling out to enhance security

The amount of money wasted on cybersecurity

Cybersecurity is a large problem. Most attacks originate from Russia, but there’s also a lot of domestic hacking happening. Because of this—according to MXD—the DOD is now spending more than $300 billion each year on government contracts. DOD Directive 8140 requires any contractor to satisfy specific training and certification provisions to ensure sensitive data remains secure. The qualifications can be transferable and useful across the board.

Jason points out that this cybersecurity effort is how we protect our country, industry, economy, and more. Our enemies want to steal our technology, which is why we must keep it secure. Because manufacturing is a huge part of what the DOD does, anyone in their supply chain must follow the same cybersecurity protocols. 

Who is impacted by the CMMC requirement? 

CMMC applies to anyone in the defense contract supply chain. That includes both contractors who engage directly with the DOD and subcontractors who fulfill and/or execute those contracts. The CMMC standards will affect over 300,000 organizations. If you want to continue to do work for the DOD, you will have to get certified over the next 4–5 years. 

Paul has heard of shops that are starting to lose work because they aren’t on track to get the CMMC certification. John has been asked multiple times if he’s been certified. While you cannot get certified yet, he is working toward compliance. There are five different levels of CMMC compliance. Most machine shops are expected to be certified at level three.

How soon do you have to implement this? Paul points out that you can’t sit on this. There are very few approved auditors, so if you wait until the last minute you’ll lose out on a significant amount of your sales. If 30% of your business deals with the DOD, you could lose millions without the certification. 

The financial impact on machine shops

In May 2021, an entity was announced that would start handling the CMMC audits. What kind of costs will be put on machine shops? It’s going to be far more expensive to implement than an AS9100 audit. The CMMC is built on cybersecurity standards, the main one being the NIST 800-171 standard.

If a company is already compliant with that standard, they can likely check off the boxes for CMMC level one. If you aren't compliant with this standard, reaching level one compliance could cost you between $5,000 and $25,000. For level three, it will be around $15,000 to $100,000, depending on the size of your shop. This is going to be a large financial hit no matter what you do. The certification is costly—but if you don’t get it, the loss of business may cost you more.

A shop in Florida was quoted $100,000 for a company to “help” them get CMMC certified. Be wary of who you look to for help—a lot of unscrupulous people will take advantage of this rollout. Find accredited and reputable consultants. There will be grant money offered to help companies get this certification.

Can you swing the cost of the certification? 

What can help cover some of these costs? IMEC gave Carr Machine a grant to get ISO certified years ago, which covered some of the implementation and auditor fees. IMEC will be giving grants out to augment the cost of implementing this. Paul points out that the MEP gets its money from the Federal government and allocates it to different organizations like IMEC. The unknown? The amount of labor you may have to invest to get to level three certification.

So what does CMMC compliant actually mean? How is ProShop ERP implementing updates to help you walk through the process? John and Paul share a few examples, so keep listening!

If you have an idea for a MakingChips message, please ask us a question or leave us a message at 312-725-0245 and let us know!

Resources mentioned on this episode

Get The Boring Bar Newsletter - Text CHIPS to 38470 to subscribe!

  • John Bilek
  • MXD USA
  • The DOD Directive 8140 
  • ITAR
  • IMEC
  • Making Chips Episode #1
  • The NIST 800-171 standard
  • 85 FR 51161 - Award Format for DoD Grants and Cooperative Agreements

Connect With MakingChips
  • www.MakingChips.com
  • On Facebook
  • On LinkedIn
  • On Instagram
  • On Twitter
  • On YouTube

Making Chips Podcast for Manufacturing Leaders, by MakingChips LLC
