How the MISI DreamPort Team Accelerates the Path towards CMMC Compliance for DoD Small Businesses
The MISI DreamPort team has been testing and evaluating solutions that cater to small and medium-sized businesses in general, and specifically solutions that meet the compliance challenges unique to small and medium-sized manufacturers in the Defense Industrial Base (DIB).
After about 11 months of studying small businesses, engaging with experts, and gathering input from our direct engagement with small DIB companies, our team has learned that cyber knowledge and cost are daunting barriers to cybersecurity resilience and cyber policy compliance. The small companies our team engaged with find the current NIST SP 800-171 controls, Controlled Unclassified Information (CUI) handling, and Defense Federal Acquisition Regulation Supplement (DFARS) compliance difficult to understand and unaffordable to implement.
Let's be truthful: doing business with the Federal Government already requires substantial overhead, costly expenses, and the ability to navigate what seems like an endless array of regulations. If you deal in cost contracts you'll need a compliant cost accounting system, so pay up to comply. If you work on classified contracts you'll need a security officer to navigate the slow and constantly changing clearance process, in addition to the regularly conducted corporate and personnel audits. Basically, more money and time. Employees typically need to hold DoD-mandated cyber certifications to be eligible to work technology contracts in the government, and must maintain or upgrade those certifications to stay eligible for more opportunities. Now here comes the Cybersecurity Maturity Model Certification (CMMC). It will be mandatory and yes, there will be a cost to comply.
The MISI approach was to first understand the challenge of complying. The bullets below are not exhaustive, but they give an idea of some of the challenges. This is how we presently see the problem in the small and medium-sized business sector, and specifically among manufacturers:
- The average company has fewer than 50 employees, so these businesses need a cost-effective solution with minimal business disruption. Time is money.
- Manufacturers are unique in that they have Information Technology (IT), Internet of Things (IoT), and Operational Technology (OT) to contend with. OT includes industrial control devices such as programmable logic controllers (PLCs) that control robots, sorters, and much more. IoT devices provide surveillance and manufacturing floor safety monitoring such as air quality, temperature, and humidity. Expertise in vulnerability assessment and mitigation is not cheap for this sector. Most of the companies with newly minted "I can get you CMMC compliant" websites simply cannot address the unique and careful approach that must be taken when dealing with OT and its connectivity to IT.
- To meet the DoD challenge of securing the DIB, periodic human audits are costly and difficult to complete at scale, and they add yet another auditor to the line of them that small businesses already have to fit into their busy schedules.
- Cost-effective continuous monitoring and reporting, done in a secure manner, is the only real answer. Think about it: how can you guarantee the cyber resilience of a DIB entity using an auditor who must traverse and understand the complexity of some small business networks? What tools will they use to get to ground truth on the answers to the cyber-related business process questions that are part of each CMMC level? How long will it take to conduct the audit? What happens when the business can't answer certain questions or does not have the technical skill on staff to pull data from their systems and networks? Our team has already faced these and many other challenges as we have used the available CMMC drafts to test and evaluate processes and tools and engage with DIB manufacturers.
Our team tackled a number of questions as we worked toward answers.
- The team developed an inexpensive appliance that deploys easily with little to no technical knowledge required. We offer this appliance, called MINNOW, to the DIB entities we are working with as part of our DoD test and evaluation effort. It is the starter kit that gets the DIB entity on the path to understanding what their assets are and how vulnerable those assets are.
- The team developed a cloud-based CMMC compliance data aggregator and continuous monitoring solution. The approach was to first exercise candidate tools in the lab, using our lab networks, factory simulators, physical manufacturing devices, and programmable logic controllers, and then build the aggregator to collect data from whichever of those tools a DIB entity ends up running. It had to be solution agnostic: able to collect the data, normalize it, and present compliance status quickly in an easy-to-understand visualization.
- The solution provides three distinct views. The first is a simplified set of views for the DIB entity, covering the kinds of data unique to industrial-control-connected environments. The second is the visualizations and dashboards our government stakeholders required to track the progress of the live DIB participants in our CMMC test and evaluation pilot. The third is the more technical data access and visualizations that auditors, our cyber team, and our CMMC Third Party Assessment Organization (C3PAO)-type resources can use to score risk, assess vulnerabilities, and develop a compliance roadmap for the participating DIB companies.
The DoD DIB is estimated at over 300,000 suppliers, a portion of them manufacturers and the bulk of them small and medium-sized businesses. Manufacturers are different in that their networks include devices that speak industrial protocols that traditional IT scanning and monitoring tools do not recognize. These devices have limited but specialized functionality. While they are crucial, they are also potentially dangerous when not managed carefully. Active probing of these devices, while possible, can hang or disable the device and shut down a factory production line, safety system, electric grid, or other vital and possibly life-threatening function. Observing the traffic these devices already exchange is the safer way to learn what is on the floor.
The MISI DreamPort team has a vast array of technology partnerships, testing labs, expertise, and specialized focus on IT, IoT, and OT compliance. Together, these factors ensure that manufacturers in the DoD supply chain have access to the resources needed to cost-effectively achieve CMMC compliance.
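As an added illustration of the point above (example code written for this page, not MISI, DreamPort, or MINNOW code), the block below builds an OT asset inventory purely by parsing Modbus/TCP requests it observes on the wire. It never sends a packet to a PLC, which is what makes it safe on a production line where an active scanner might hang a controller. The IP addresses, the `Segment` record, and the handful of frames are constructed for the example, not captured from a real network; the MBAP header layout and function codes are from the Modbus/TCP specification.

```python
"""
Passive Modbus/TCP asset discovery (added example, not vendor code).

A monitor that only parses traffic it sees can inventory PLCs without
the risk that active probing carries on a factory floor.
"""
from dataclasses import dataclass, field

MODBUS_TCP_PORT = 502
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Public function codes a monitor should label. The write codes change
# process state and deserve their own count in the inventory.
FUNCTION_NAMES = {
    0x01: "read_coils", 0x02: "read_discrete_inputs",
    0x03: "read_holding_registers", 0x04: "read_input_registers",
    0x05: "write_single_coil", 0x06: "write_single_register",
    0x0F: "write_multiple_coils", 0x10: "write_multiple_registers",
}
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}


@dataclass
class Segment:
    """One observed TCP payload. Constructed for the example, not a real capture."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_mbap(payload: bytes):
    """Return the MBAP header fields and function code, or None if the bytes
    are not a well-formed Modbus/TCP ADU (wrong protocol id or length)."""
    if len(payload) < MBAP_LEN + 1:          # need at least a function code
        return None
    tid = int.from_bytes(payload[0:2], "big")
    pid = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")
    unit_id = payload[6]
    if pid != 0:                             # protocol id is always 0 for Modbus
        return None
    if length != len(payload) - 6:           # length counts unit id + PDU bytes
        return None
    fcode = payload[7]
    return {"tid": tid, "unit_id": unit_id, "fcode": fcode,
            "exception": bool(fcode & 0x80)}  # responses set 0x80 on error


@dataclass
class Asset:
    ip: str
    unit_id: int
    functions: set = field(default_factory=set)
    clients: set = field(default_factory=set)
    writes_seen: int = 0


def passive_inventory(segments):
    """Build {(server_ip, unit_id): Asset} from requests sent to port 502.
    Only the request direction identifies a server; nothing is transmitted."""
    assets = {}
    for seg in segments:
        if seg.dst_port != MODBUS_TCP_PORT:
            continue
        hdr = parse_mbap(seg.payload)
        if hdr is None:
            continue                         # not Modbus, or malformed
        key = (seg.dst_ip, hdr["unit_id"])
        asset = assets.setdefault(key, Asset(seg.dst_ip, hdr["unit_id"]))
        name = FUNCTION_NAMES.get(hdr["fcode"], f"fc_0x{hdr['fcode']:02x}")
        asset.functions.add(name)
        asset.clients.add(seg.src_ip)
        if hdr["fcode"] in WRITE_CODES:
            asset.writes_seen += 1
    return assets


# Constructed sample traffic (hypothetical addresses): an HMI reading a PLC,
# an engineering workstation writing to it, the PLC's reply, a non-Modbus
# frame on port 502, and the HMI polling a second PLC.
SAMPLE_SEGMENTS = [
    Segment("10.0.5.20", 51000, "10.0.5.10", 502,
            bytes.fromhex("000100000006010300000000a".replace("0000a", "000a"))),
    Segment("10.0.5.30", 51001, "10.0.5.10", 502,
            bytes.fromhex("00020000000601060010" "00ff")),
    Segment("10.0.5.10", 502, "10.0.5.20", 51000,
            bytes.fromhex("0001000000050103" "02002a")),      # response, ignored
    Segment("10.0.5.99", 40000, "10.0.5.10", 502,
            bytes.fromhex("0009000100060103" "0000000a")),    # protocol id 1, rejected
    Segment("10.0.5.20", 51002, "10.0.5.11", 502,
            bytes.fromhex("0003000000060201" "00000008")),
]

if __name__ == "__main__":
    for (ip, uid), a in sorted(passive_inventory(SAMPLE_SEGMENTS).items()):
        print(f"{ip} unit {uid}: {sorted(a.functions)} clients={sorted(a.clients)} "
              f"writes={a.writes_seen}")
```

The length check matters in practice: many non-Modbus services and scanners end up talking to port 502, and without it a monitor happily records phantom "PLCs". Writes from an address that is not the HMI or engineering workstation are the first thing an assessor will ask about, which is why the inventory counts them per device.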
About the Maryland Innovation & Security Institute
MISI is a non-profit formed exclusively to further and promote charitable, educational, and scientific purposes including, but not limited to, furthering innovation in cybersecurity through education, global technology partnerships, investment, and community engagement to create a collaborative network of subject matter experts and cyber professionals. To learn more, visit misi.tech.