Efficient Plant Jan./Feb. 2023 - 32

column | cybersecurity insights
Prep For CMMC 2.0
Laura Elan, MxD

While the timeframe
for the final rules for the Department
of Defense's Cybersecurity
Maturity Model Certification (CMMC) 2.0 is
not yet set in stone, the advice from experts is
clear: Don't wait to begin securing your factory
against cyber attackers. We recognize that there
has been ambiguity, but if you are a manufacturer
who hasn't started on cybersecurity readiness,
start now.
CMMC is a requirement for government
contractors but is the "standard" to which
all manufacturers should aspire to assure
maximum possible cybersecurity. When it
launched CMMC 2.0 in November 2021, the
Pentagon said it could take as long as two years
for rulemaking to be completed. That lulled
some manufacturers with DoD contracts into
thinking they had plenty of time. Experts agree
that kind of thinking can put a company way
behind and leave it vulnerable to cyberattacks.
The first step toward protecting your manufacturing operations from cyberattacks is to perform an assessment that determines the maturity of your cybersecurity program.

Laura Élan is Senior Director of Cybersecurity for MxD Cyber: The National Center for Cybersecurity in Manufacturing, Chicago (mxdusa.org). Elan supports MxD's cybersecurity projects and initiatives and leads the company's Cybersecurity Steering Committee.

A study of 300 DoD contractors from Merrill
Research, Pleasanton, CA
(merrillresearch.com), released in November
2022, showed that the vast majority had not
adequately protected themselves against cyberattacks.
For example, 80% lacked a vulnerability-management
solution and 79% lacked
a comprehensive multi-factor authentication
system. The DoD is now aiming to add CMMC
requirements to its contracts by May 2023.
To prepare for CMMC 2.0, manufacturers
should first determine their current level of
cybersecurity maturity. There are plenty of
tools available to do such self-assessments,
including a free CMMC playbook that you can
download at mxdusa.org/cmmcplaybook.
Remember that self-assessments take more
time than companies usually anticipate.
Self-assessments also require attention to
detail. For example, to meet a requirement
that employees have cybersecurity training, it's
not enough to say, "Yes, we train people." You
should be able to provide specific information
on the types and frequency of training being
done, such as good password management
and identification and protection of sensitive
information.
If training isn't where it needs to be, companies
could create a roadmap, or a plan of action
and milestones (POA&M), a new feature in
CMMC 2.0. These action plans let contractors
demonstrate that they are working toward
compliance rather than having already achieved it. There
are going to be cybersecurity requirements that
won't be negotiable, but training could be one
CMMC 2.0 area where such action plans may
be allowed.
Getting an early start also affords manufacturers
the time they need to build the
cross-functional teams required for a robust
cybersecurity plan. This isn't a job just for IT.
For instance, CMMC 2.0 rules may require
a company to demonstrate that the people it's
made responsible for cybersecurity have specific
experience, background, and education.
Those background checks and hiring initiatives
are likely a job for the human-resources
department.
Companies may have to guarantee that
their procurement process assesses the
maturity of any software, hardware, or firmware
being used for cybersecurity. Also, firms
shouldn't forget to have executives on the team,
as they are key to putting policies in place and
driving long-term support.
The most important step is to start now.