AMP 02 March 2024

FEATURE | ADVANCED MATERIALS & PROCESSES | MARCH 2024

THE DOD'S CMMC 2.0: WHAT HEAT TREATERS NEED TO KNOW

CMMC 2.0 is a framework developed by the DOD to improve the cybersecurity posture of defense contractors and their supply chain, including heat treaters.

Joe Coleman, Bluestreak Consulting, Delafield, Wisconsin

The push is on for organizations falling within the Department of Defense (DOD) downstream services supply chain to get ready for Cybersecurity Maturity Model Certification (CMMC) 2.0. Any company that stores, processes, or transmits controlled unclassified information (CUI) as part of its service offerings is directly affected. Noncompliance can significantly impact current and future business opportunities. To continue doing defense-related work, companies are obligated to be CMMC 2.0 certified once the final rule is fully implemented, which is coming sooner rather than later.

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is a set of cybersecurity standards and guidelines developed by NIST to protect CUI in non-federal systems and organizations. It is part of the broader framework provided by NIST to enhance the cybersecurity posture of organizations and secure sensitive information. CUI includes information that is not classified but still requires protection, such as technical data, proprietary information, and other sensitive unclassified information.

WHAT IS CMMC 2.0?

Cybersecurity Maturity Model Certification 2.0 represents the most recent iteration of the DOD's cybersecurity regulations. This framework builds on the requirements laid out in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and the NIST SP 800-171 security controls, introducing more stringent criteria to evaluate a contractor's or subcontractor's cybersecurity capabilities. CMMC 2.0 includes three maturity levels, with each level building on the previous one. Each tier of the CMMC 2.0 framework encompasses a set of processes, practices, procedures, and capabilities that contractors must implement to attain the corresponding certification level. These three levels are outlined below and in Table 1.

Level 1 – Foundational. The most basic level of security, Level 1, requires the implementation of basic cybersecurity hygiene practices such as password management and keeping systems up to date with patches. This level is intended for small businesses with minimal risk to their data. Level 1 is built upon 17 specific controls outlined in NIST SP 800-171 Rev 2. It serves as an excellent starting point for organizations that are either initiating their cybersecurity efforts or operating with limited resources. Companies that handle Federal Contract Information (FCI) need to obtain a Level 1 certification. These organizations are not classified as part of the critical infrastructure, a category that encompasses the majority of businesses and government agencies. This level is not for companies that handle CUI.

Level 2 – Advanced. Level 2 builds on the cybersecurity hygiene practices of Level 1 and requires additional measures to be put in place. Level 2 is similar to NIST SP 800-171 and includes 110 controls. Some of the controls

CMMC 2.0 is expected to be placed in DOD contracts, RFPs, and PFIs starting in Q1 2025.