What’s New in CMMC | Column 6
“What’s New in CMMC” is a regular column from MxD explaining aspects of the CMMC 2.0 framework.
Manufacturers following MxD’s lead on the Cybersecurity Maturity Model Certification (CMMC) 2.0 path first must scope their operation. That means determining where defense contract information resides and then identifying the assets in those areas.
Then the path gets a bit steeper as they turn their focus to the next step: securing assets.
“Once manufacturing assets are identified, companies need to make sure that equipment handling confidential defense contract information is protected and that only the people authorized to touch that information do so,” said Laura Élan, MxD’s senior director of cybersecurity.
Such work is at the heart of what the Defense Department aims to achieve with CMMC 2.0.
The CMMC 2.0 framework was launched to protect federal contract information (FCI) and controlled unclassified information (CUI) and fortify the vast defense industrial base — an increasingly frequent target for cybercriminals.
Controls, or security practices, in each of the three CMMC 2.0 levels will provide a cybersecurity roadmap, detailing the safeguards that manufacturers and other companies must have in place to qualify for Pentagon contracts. Recent reports indicate that CMMC 2.0 requirements could be included in those contracts as soon as next summer.
Securing assets in the areas, or perimeter, where defense contract work is being done in an organization covers a wide range of tasks that include limiting system access and restricting who goes where.
Companies want to be sure, Élan said, that they have nailed down exactly what authorized users are allowed to do when working on confidential government information and exactly what increased protection looks like.
For example, to make sure that only authorized workers can enter restricted areas, companies can require badges, identification cards, or smart cards for access.
A policy that requires all visitors to be escorted also can help to ensure that outsiders do not make it into restricted areas. And distinct badges for visitors help employees identify who needs an escort.
Does everyone with access to government contract information need to be able to read, edit, and delete it? If not, their permissions can be limited. And if a company doesn’t want those working with defense contract data to be able to print, it can disable the print function on all computers in that perimeter. Additionally, printers can be placed in a locked room to further control access.
USB devices are an easy way to move files between machines, but personal or unscanned USB drives can carry malware. Disabling USB ports helps ensure that the devices, even if plugged in, can’t accidentally — or intentionally — infect personal computers.
Individual usernames and passwords should be required for anyone accessing the company systems. And creating subnetworks adds another layer of security by keeping certain users, perhaps vendors or visitors, off the company’s main network. “You must,” Élan said, “protect what’s going on inside that boundary against intentional or unintentional disclosure of FCI or CUI.”
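The three workstation-level controls described above (no printing from machines in the perimeter, USB storage blocked, individual rather than shared logins) can be checked from a script rather than by walking the floor. The following is an added example written for this column, not MxD’s or the Defense Department’s code, and it is not a CMMC assessment tool. It assumes an elevated PowerShell session on a Windows 10/11 workstation; the registry path is the standard USBSTOR service key, and the `-Remediate` switch is a name chosen for this script.

```powershell
# Added example (not from the MxD column): audit, and optionally enforce, three
# workstation controls for machines inside a CMMC-scoped perimeter.
# Run without arguments to report only; add -Remediate to apply the settings.
# Assumes local administrator rights on a Windows 10/11 host.
param([switch]$Remediate)

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$findings   = @()

# Control 1: printing disabled. Windows cannot print without the Print Spooler
# service, so disabling it removes the print function for every application.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled')) {
    $findings += "Print Spooler is $($spooler.Status) (startup: $($spooler.StartType))"
    if ($Remediate) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

# Control 2: USB mass storage blocked. Start = 4 (Disabled) keeps the USBSTOR
# driver from loading, so a plugged-in thumb drive never mounts as a disk;
# keyboards and mice on the same ports keep working.
$start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
if ($start -ne 4) {
    $findings += "USB mass storage is enabled (USBSTOR Start=$start, expected 4)"
    if ($Remediate) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
}

# Control 3: individual accounts only. The built-in Guest account is a shared,
# password-less login and defeats the per-user accountability the column calls for.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    $findings += 'Built-in Guest account is enabled'
    if ($Remediate) { Disable-LocalUser -Name 'Guest' }
}

# Report in a form that can be collected from every workstation in the perimeter.
if ($findings.Count -eq 0) {
    Write-Output "PASS $env:COMPUTERNAME: print, USB storage and shared-login controls in place"
} else {
    foreach ($f in $findings) { Write-Output "FAIL $env:COMPUTERNAME: $f" }
}
```

Running the script in report-only mode across all machines in the perimeter gives evidence that the controls are actually applied, which is the kind of proof an assessor will ask for; the `-Remediate` path is there for standalone hosts, while domain-joined machines are better served by pushing the same settings through Group Policy so they cannot drift.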
MxD’s Cyber Marketplace offers assessments that provide organizations with vetted, market-ready cybersecurity solutions. Visit for more information.
What’s New in CMMC Series:
Article #1: Cybersecurity Framework: What to Expect
Article #2: Why Manufacturers Should Get Started Now
Article #3: Start With Scoping
Article #4: The High Cost of Skipping Cyber Certification
Article #5: Questions to Ask When Identifying Assets