With the Clock Ticking on CMMC, Here are 3 Essential Cybersecurity Steps to Take Now

The Department of Defense (DoD) continues to push toward Cybersecurity Maturity Model Certification (CMMC) 2.0 implementation, with requirements forecast to be in contracts as early as this summer. 

But not all contractors in the defense industrial base (DIB) are ready for CMMC, according to recent surveys and industry experts. That is despite DoD officials estimating that hackers steal sensitive data worth up to $2 million each day, and despite manufacturing ranking as the top cyberattack target for the fourth year in a row, as measured by the IBM X-Force 2025 Threat Intelligence Index.

“A lot of people are focused ‘on the business’ and see cybersecurity as a cost-sink, thinking, ‘Well, I haven’t been hacked, so how is cybersecurity going to help me?’” said Brett Cox, Boeing’s DFARS Cybersecurity Program Management Office Lead. “But there are two kinds of companies out there: the ones that have been hacked and the ones that don’t know they’ve been hacked.” 

Cox, who also teaches cybersecurity and CMMC courses at St. Louis University, shared insights as manufacturers in the DIB awaited finalization of the 48 CFR Rule. When that rule change is complete — expected by the end of the second quarter or early in the third quarter — CMMC requirements will begin to appear in DoD contracts. 

With the clock ticking, manufacturers are working on cybersecurity hygiene and ensuring they understand CMMC requirements. Many large prime contractors, including Boeing, have completed CMMC qualification, which for Boeing is Level 2.   

Boeing, meanwhile, was recently recognized by Acting DoD Chief Information Officer Katherine Arrington in the Networks and Digital Warfare section of Breaking Defense for its efforts to ensure that adversaries are unable to reverse engineer the F-47. 

Organizations that have not started on their CMMC prep — perhaps because they assumed its measures would continue to be delayed — are being urged to begin immediately. Cox shared three essential steps to take now. 

1. Set up multi-factor authentication

“The No. 1 concrete step is to implement multi-factor authentication (MFA). Before you take classes — before you do anything — start MFA because with that, the majority of attacks can be stopped,” Cox said. 

Many organizations don't know how crucial MFA is, Cox added. Microsoft and others have stated that MFA blocks the overwhelming majority of account-compromise attacks, and CMMC Level 2 inherits the NIST SP 800-171 requirement (3.5.3) to use MFA for local and network access to privileged accounts and for network access to non-privileged accounts. Not all MFA is equal, though: one-time codes and push approvals can still be defeated by real-time phishing or push fatigue, so phishing-resistant methods such as FIDO2/WebAuthn security keys are the stronger choice where they can be deployed.

The three main authentication factors (with use of at least two recommended) are:

  • Something you know, such as a password or PIN.
  • Something you have, such as a company badge, hardware token or authenticator app.
  • Something you are, or biometric authentication, most commonly a fingerprint.

2. Join industry organizations 

There are a lot of opportunities to get information about CMMC implementation, Cox said, “but you have to hear about them in the first place.” To do that he suggests:  

  • Attending industry events, webinars and courses, many of which are free. Cox shares information about such opportunities on his LinkedIn page and answers questions he receives there as well. 

3. Reach out to other manufacturers 

“Start communicating with your peers, because your peers are in the exact same boat that you are,” Cox said.   

“CMMC is incredibly important to the cybersecurity hygiene of the entire defense industrial base,” he added. “There are all sorts of people who are willing to listen to your questions. There’s nobody who’s going to say, ‘Oh no, you go read that on your own.’” 

Visit the MxD Virtual Training Center for information on cybersecurity workforce training resources.