It’s coming. Next year, Ben Machine and all other defence machining companies will need to work under the guidelines of the Cybersecurity Maturity Model Certification (CMMC) framework. This will be version 2 of the framework and it’s designed to shield all aspects of the defence industry from the threat of cyber-attacks.
What is CMMC 2.0?
While large defence contractors have been adapting well to existing cyber security requirements, complaints and concerns about the cost of compliance for small- and medium-sized defence machining businesses have created problems. CMMC 2.0 is the Department of Defense’s response to those concerns, and it also updates requirements to address today’s cyber threat environment.
Ben Machine is ready to go. Because of the nature of the CNC machining work we do, we fall into the advanced level of the framework. The focus of these new measures is what is known as Controlled Unclassified Information, or CUI. Many of the things we produce fall into this category, which is why we have effectively siloed our network and our offices. Along with design files, emails, and electronic documents, Ben Machine has extended these guidelines to cover paper records and items like scrapped parts. Nothing goes in or out of our system.
The Price of Dropping Your Guard
In 2009, some design and electric systems files for the F-35 Joint Strike Fighter were spirited out of a US defence contractor. These files were CUI. Chinese hackers were suspected, though nothing was ever proven. The stolen information wasn’t classified, but it was sensitive, and it was thought it would reduce the advantages provided by the fighter’s new design by several years. Two years later, China unveiled the J-20 fighter, followed soon by the J-31, both looking very similar to the F-35. This was akin to the development of the old Soviet Union’s Buran spacecraft in the 1980s, which looked virtually identical to the US Space Shuttle. The price of dropping your guard is high.
The Steps We Take
Sometimes, seemingly innocuous bits of information, even during the CNC machining process, can be enough to give unfriendly governments a leg up, and that’s what CMMC 2.0 is designed to address. Smaller businesses that have contracts with NASA, the DOD, or the GSA will have to comply with 17 core practices and submit annual assessments. Ben Machine, at the advanced level, has to comply with 114 practices outlined in a specific set of NIST requirements, as well as undergo third-party security audits and annual assessments.
Ben Machine has always invested heavily to stay ahead of hackers. We’ve been employing the services of CrowdStrike. They are one of the world’s foremost cyber security companies, providing endpoint security, threat intelligence, and cyber attack response. We also provide security training for our employees. Unlike most offices, our employees can’t leave notes with their passwords under their keyboards or print off copies of something just to have. The flow of all of that controlled unclassified information is managed within our operation so stray copies don’t wind up in trash bins or get accidentally copied in an email to someone.
Sometimes, during machining processes where critical conversations need to go back and forth to deal with design improvements or complications, it’s a difficult tightrope to walk while being able to share information. Our CRM software is fully integrated with our security, though, so we do indeed have the ability to make sure our customers have all the information they need about machining work on their products while maintaining security. It’s a daily challenge, and our IT staff, engineers, CNC machine operators, office staff, and maintenance crews all play their part in protecting the security of our customers’ information. The hackers aren’t giving up any time soon, and neither are we.
Ben Machine takes pride in providing the highest quality products for our CNC machining and sheet metal fabrication customers in the defence industry. That quality does not end with the final pass of a CNC machining mill. We proactively get ahead of programs like CMMC 2.0 in order to provide the highest level of security and compliance in the industry.