For the Defense Industrial Base (DIB), the release of the Cybersecurity Maturity Model Certification (CMMC) comes on the heels of previous compliance requirements: DFARS 7012 and NIST 800-171. CMMC requires countless businesses, including Small-medium Sized manufacturers in the the Defense Industrial Base (DIB) to pass 3rd party assessments centered on the level requirement detailed in their contracts. Defense contractors will be weighed based upon the application of actual technical controls in addition to their documented policies and procedures. These assessments will lead to a level certification of 1 to 5 issued from the CMMC Accreditation Body (CMMC-AB), level 5 being the most secure. For a more detailed explanation of CMMC and the Accreditation Body click here.

OUSD A&S and the CMMC-Accreditation Body solidified their partnership, November 25, 2020, in ratification of a No-Cost contract to provision this very important mission for our cybersecurity, information security, and thus national security.

For reference, according to the new DFARS 252.204-7021 clause released in the recent DFARS interim rule on September 30, 2020, the DoD estimates the total annual assessment cost for a small entity looking to achieve a CMMC Level 3 assessment will be $60,009. Since CMMC certifications will only be valid for three years, that would make the cost for an organization seeking certification (OSC) $60,009 every three years (these numbers are assumptive that the organization has already met the NIST 800-171 standards). If your organization handles Controlled Unclassified Information (CUI), you will be required to meet the NIST 800-171 standards, plus the 20 additional technical controls stated in CMMC Level 3.

To implement all 130 practices associated with Level 3, the cost of groundwork can easily double or triple the fees above over a three year period. Gratefully, grant funding was allocated to address the challenges for small businesses.  Section 1642 of the National Defense Authorization Act for Fiscal Year 2021 states:

Subject to the availability of appropriations, the Secretary of Defense, in consultation with the Director of the National Institute of Standards and Technology, may award financial assistance to a [MEP] Center for the purpose of providing cybersecurity services to small manufacturers. 

In other words, the NIST Manufacturing Extension Partnership (MEP) Center - find your MEP - in your state can provide economic aid to small to medium sized manufacturers in the Defense Industrial Base who are required to meet security and compliance regulations.

NIST and CMMC: Manufacturing Extension Partnership Program

Established by the National Institute of Standards and Technology (NIST) in 1988, the Manufacturing Extension Partnership program, or MEP, is a national network crafted to aid and support US supply chain manufacturers with organizational growth, the Generation /sustainment of jobs, the facilitation of dynamic manufacturing communities, and overall competitiveness on a national and global scale. Assistance through state partnerships, technology acceleration, manufacturing process improvement, technology acceleration, and cybersecurity services serve as the means for MEP Centers to help small to medium sized manufacturers in the aerospace and defense industry succeed. Particularly, additional resources are supplied to small to medium sized manufacturers with fiscal constraints or marketplace impediments, such as expensive cybersecurity measures. MEPs are aggressively supporting businesses to implement security practices and policies for DFARS and CMMC compliance through internal and external experts.

How do MEP Centers Help With Security and Compliance?

As beforehand discussed, CMMC is a security and compliance regulation mandated by the DoD, and organizations supporting the DoD seeking certification with less than 500 employees may have a challenging time delivering the resources required for a full NIST 800-171/CMMC technical implementation.

Applying affordable cybersecurity services to small to medium sized manufacturers the utmost, significance of the NIST MEP Centers. According to the 2019 nist.gov annual report for MEPs, $140 million in total funds were allocated to the NIST MEP program. Of that $140 million, 89% was used for direct support of MEP Centers. The remaining $15.9 million was used for directorial and/or non-direct support. Each U.S. state (as well as Puerto Rico) has one NIST MEP center aiding as a public-private partnership designed through a cost-share model. After consulting with your corresponding MEP Center or regional partner Organization( i.e. Florida Department of Economic Opportunity), they may recommend a solution set and undertake a share of the service fees through the aforesaid federal grants. The contractor then accepts the residual cost of the project(s). All of this in an effort to keep the organizations protecting the US functioning without major financial burden.

Because MEP Centers are especially interested in the success of each support effort: cybersecurity-awareness training, technical implementations, assessments and policies, etc. Ultimately, MEP centers are most concerned about the cyber-posture of the Small-medium Sized manufacturers beyond compliance and works to eliminate vulnerabilities for an adversarial attack on the SMM's information systems. 

Clearly, MEP Centers are producing enhanced opportunities for seeking cybersecurity certifications so that the overall security posture of the United States is enriched, and organizations in the aerospace and defense supply chain are given a reasonable opportunity to contend on contracts. This cost-sharing model allows smaller DoD contractors to satisfy mandatory compliance requirements, such as CMMC, and enable them to bid and be awarded contracts.

Reach out and get connected to your Local MEP today. Below is a link to information related to each Center

https://www.nist.gov/mep/centers