CMMC Implementation Creates Issues for ‘Shop Floors’ (UPDATED)
As of Nov. 30, defense contractors and suppliers are required to comply with an interim rule that strengthens implementation of the Cybersecurity Maturity Model Certification, which is designed to protect controlled unclassified information from hackers.
In December, the Legal and Policy Committee of the National Defense Industrial Association’s Cybersecurity Division hosted the second in a four-part series of tabletop exercises to dry run the implementation and highlight areas where special attention may be needed. This exercise focused specifically on the implications for manufacturers in defense supply chains, probing deeper into issues from the first exercise, held in October.
Controlled unclassified information, or CUI, needs to be protected not only in enterprise information systems, but also in shop floor networks and systems where technical data may be at risk. The Defense Federal Acquisition Regulation Supplement 252.204-7012 clause mandates use of 110 security requirements defined by National Institute of Standards and Technology Special Publication 800-171 that are appropriate for information technology systems, but in many instances, not appropriate for operational technology systems as found in manufacturing facilities.
Manufacturing systems are capital investments expected to last 20 years or more. Many run old operating systems that do not support patches or encryption. Updates are expensive and rare. Efficiency requires connectivity and safety requires easy, rapid access. Workarounds are possible, but smaller manufacturers may need help in implementing them.
Under the new interim rule — DFARS 252.204-7019, -7020, and -7021 — suppliers must perform a basic assessment and score themselves on their degree of implementation of the 110 security requirements and post that score in the Defense Department’s Supplier Performance Risk System.
This is a step toward CMMC compliance, where Level 3 certification will be required at a minimum to handle controlled unclassified information.
If manufacturers have connected operational technology systems, they need to decide how to apply these requirements and score themselves accordingly now, and plan for eventual CMMC third-party assessment which will determine whether they qualify for defense contracts.
The December tabletop exercise started with a poll question on how participants plan to protect information in their industrial systems. Of the 70 percent of the 324 participants who responded, 22 percent said the requirement did not apply to them; 12 percent said they would “air gap” the systems from enterprise and internet connectivity; 6 percent would leave operational technology connected and accept a lower score; 37 percent would upgrade the systems to be more compliant; and 22 percent said, “I don’t know.”
Panelists noted that “air gap” — disconnecting the equipment from any systems or internet access — is a compliant solution, but it may adversely affect efficiency. Other solutions, such as enclaves — computer networks separated from other computer networks — need to be individually designed to fit each particular operational technology configuration in places where information is at risk.
Smaller suppliers may find this challenging. Upgrades to operational technology are desirable, but the marketplace of automated machine tools does not currently offer CMMC-compliant equipment.
The “I don’t know” response indicates an industry need for more clarity on what constitutes controlled unclassified information used in, or created in, manufacturing systems and what operational technology protection measures will be considered acceptable for CMMC Level 3.
A second tabletop polling question asked for the best advice for dual-use manufacturers looking at the new interim rule. Responses were: 28 percent said “air gap the shop floor and accept the commercial productivity hit;” 39 percent said “upgrade the manufacturing system now;” 22 percent said “walk away from defense business and concentrate on commercial;” and 11 percent said “seek an ‘enduring exception’ for the shop floor.”
Enduring exceptions, which are allowable accommodations for legacy systems as long as they are managed through System Security Plans under NIST SP 800-171, need to be paired with a plan for the future, and may not pass muster for CMMC. The rule requires certified compliance with applicable security controls, not just plans.
Since the Defense Department cannot afford to lose dual-use suppliers, panelists underscored that commercial companies need to protect their own intellectual property and should find common cause with CMMC.
A stakeholder comment was “don’t let this stuff scare you.” But the reality of needing a business case for investing in upgrades was also underscored by panelists.
NDIA and member companies will continue to work with the Defense Department on better near-term guidance on what defines controlled unclassified information and on the IT/operational tech scoring dilemma for manufacturers.
One panelist made clear that the department is currently concerned with implementing CMMC Phase 1, which is not manufacturer specific. Fully addressing operational technology cybersecurity remains a goal for CMMC Phase 2. ND
Michael McGrath is an independent consultant who has led the development of NDIA white papers on cybersecurity for advanced manufacturing. Chris Peters is the executive director of the U.S. Partnership for Assured Electronics, has co-authored several papers on cybersecurity for manufacturing and testified on the topic before the Senate Armed Services subcommittee on cybersecurity.
Correction: a previous version of this story incorrectly stated that the DFARS 252.204-7012 clause established CMMC.