The Road to CMMC Compliance
By Phillip M. Perry
Spring manufacturers selling to the Department of Defense (DoD) are facing a critical deadline. By October 2025 they will need to ensure their security procedures comply with the requirements of a uniform set of standards designed to protect national security.
Dubbed the Cybersecurity Maturity Model Certification (CMMC), the standard mandates policies and procedures that govern how access to sensitive data is restricted on a need-to-know basis, and how that data is protected both from accidental loss and from falling into the wrong hands through cyberattacks.
“CMMC compliance is a must-have, not a nice-to-have,” said Neil Jones, director of cybersecurity evangelism at Egnyte, a content security and governance platform. “Every DoD contractor or subcontractor, regardless of size, will need to comply.”
Getting it Done
While the road to certification will vary widely by company, the experience of one spring manufacturer suggests that applicants can face significant challenges. Precision Coil Spring needed to comply with CMMC requirements because of its heavy defense work, making parts for weaponry such as stealth bombers and fighters. About 80% of its production is destined for aerospace; the rest goes into commercial, medical, and nuclear.
Precision Coil Spring began working on its compliance program in late 2020. “It’s been a real struggle because there are so many facets involved,” said William Turek, the company’s vice president of manufacturing. “There are a lot of controls to put in place and a lot of software to deal with.”
From the very beginning, Turek had a sense that the job would be complex. He sought outside help from California Manufacturing Technology Consulting (CMTC), a nonprofit that provides a variety of support services for the state’s manufacturing enterprises. CMTC was able to get about half the job done before state funding ran out.
Turek’s second stop was at a consulting firm, which managed to get the job to the 80% completion point before something became painfully evident: It lacked the expertise to push the project over the finish line.
“We realized we could not go forward with them,” said Turek. “They had never done a CMMC compliance project before, and it became clear that we were their experimental customer.”
After looking around for a replacement, a process that involved interviews with three potential companies, Precision Coil Spring settled on a cloud-based consulting firm with some 50 CMMC projects under its belt.
Like other firms, Precision Coil Spring has discovered it must invest in some new hardware to ensure CMMC compliance. It had to upgrade its firewall along with security cameras that could send notifications when someone approached a building’s doors. “Luckily our computers are not too old, or we would have to replace them, too,” said Turek.
With transition to the new firm now underway, CMMC compliance is expected by the end of 2023. The end result for the company will be a dramatically different IT structure. “Things will be cloud-based, so we will no longer be operating our server on-site,” said Turek. “All our workstations will log in to a cloud-based interface and will also have cloud-based backup software. And all our desktops will access data in the cloud.”
Precision Coil Spring estimates the project will require an investment of as much as $200,000 the first year, and then $135,000 annually for its outside consulting firm. There are significant staff hours involved, since the project has required the ongoing attention of Turek, two other company employees, and an IT representative. Time must also be spent on internal training to ensure that someone can take over when Turek retires. “The project can’t rely on just me,” he said. “The outside consulting firm will always need a point person in the facility to help push the project along.”
Reaching Out
The Precision Coil Spring story illustrates an important truth: Achieving CMMC compliance can take longer than some companies expect. Just how long? Companies with a capable staff who try to undertake the program on their own might require up to two years, said Jones. Outside help can cut the process down to a few months. “Many smaller and medium-sized organizations start with a do-it-yourself approach,” said Jones. “The pro is that it’s a lot less expensive; the con is that it often takes a long time.”
For many companies, outside help is essential. “One of the best things you can do is reach out to an organization that’s an authorized CMMC accreditation body and have an assessor do a basic readiness check,” said Keatron Evans, principal security researcher at Cengage