AMP 02 March 2024

FEATURE | ADVANCED MATERIALS & PROCESSES | MARCH 2024

focus on access control, incident response, risk management, physical security, and system and information integrity. Level 2 certification is required for companies that handle CUI on behalf of the DOD (or of DOD prime contractors) and are considered part of the critical infrastructure. This also includes companies in the energy, water, communications, and transportation sectors.

Level 3 – Expert. Level 3 is the highest level of CMMC certification and requires the most stringent security measures. Level 3 is based on NIST SP 800-171 and adds practices from NIST SP 800-172. The extra practices focus on more sophisticated detection and response capabilities, information protection, and system hardening requirements. Level 3 certification is required for the same types of companies that need Level 2 certification, but that also handle CUI on the DOD's most sensitive, highest-assurance contracts. Organizations required to comply with CMMC Level 3 are assessed by the Federal Government's Defense Contract Management Agency. Assessment process details for Level 3 are still being developed and finalized at this time.

2.0 REQUIREMENTS

CMMC 2.0 is an enhanced version of the CMMC framework developed by the DOD to improve the cybersecurity posture of defense contractors and their supply chain. Heat treaters, like other contractors, should pay close attention to CMMC 2.0 for several reasons, especially if they have not yet started preparing.

Contractual Requirement. Defense contracts may require compliance with CMMC 2.0. If heat treaters want to participate in DOD-related contracts, they will need to adhere to the cybersecurity standards outlined in CMMC 2.0.

Supply Chain Impact. CMMC applies not only to prime contractors but also to subcontractors and suppliers within the defense industrial base (DIB).
Heat treaters in the supply chain may be required to meet specific cybersecurity maturity levels to ensure the overall security of the defense ecosystem.

Increased Security Standards. CMMC 2.0 introduces higher cybersecurity standards and maturity levels compared to its predecessor. Heat treaters need to assess and enhance their cybersecurity measures to meet the specified requirements, which may involve investments in technology, processes, and training.

Data Protection and Confidentiality. Heat treaters often handle sensitive information related to defense contracts, including designs, specifications, and other proprietary data. CMMC 2.0 emphasizes the protection of CUI, and heat treaters must implement measures to safeguard such information.

Competitive Advantage. Being CMMC certified provides a distinct competitive advantage for heat treaters. It demonstrates a commitment to cybersecurity and can enhance the trust and confidence of the DOD and its prime contractors, as well as other key customers.

Continuous Monitoring and Improvement. CMMC is not a one-time certification but requires continuous monitoring and improvement. Heat

TABLE 1 — CMMC 2.0 FRAMEWORK

CMMC 2.0 level   High level                                              Purpose                                                Assessment
Level 1          Foundational; 17 practices                              Basic cyber hygiene; FCI protection                    Annual self-assessment
Level 2          Advanced; 110 practices; based on NIST SP 800-171       FCI and CUI protection                                 C3PAO-led assessment every 3 years; annual self-assessment for some organizations
Level 3          Expert; 110+ practices; based on NIST SP 800-171 and    FCI, stricter CUI protection, and implementation plan  DOD-led assessment every 3 years
                 NIST SP 800-172

Heat treaters with DOD-related contracts must follow CMMC 2.0.
