Skip to main content
  • Blog
  • Industries
  • Decoding CMMC 2.0: A Comprehensive Guide for Aerospace & Defense Industry

Decoding CMMC 2.0: A Comprehensive Guide for Aerospace & Defense Industry

June 23, 2023

mfg-mechanics-fixing-a-helicopter - article banner

I. Introduction

Navigating the landscape of cybersecurity, especially in sensitive sectors like Aerospace and Defense, is often a daunting task for organizations. With the recent introduction of the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0), understanding the changes and implications becomes even more vital. In this blog post, we delve into the specifics of CMMC 2.0, how it impacts the Aerospace and Defense industry, and, importantly, how our specialized ERP software solutions can ease the transition toward compliance. As cyber threats evolve, so must our defenses and understanding of cybersecurity protocols - let's decode the complexities of CMMC 2.0 together.

The Aerospace and Defense industry is a critical part of our nation's infrastructure, handling highly sensitive information and technological advancements that, if mishandled, can pose significant risks to national security. Given the sector's high-profile nature, it is increasingly becoming a target for sophisticated cyber threats. Hence, understanding and implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) is vital. This model sets the cybersecurity standards for defense contractors, helping to protect sensitive information across the supply chain. With the introduction of CMMC 2.0, there are new levels of mandatory controls, audits, and certifications to meet, all of which are designed to strengthen the industry's cybersecurity posture. Failing to understand and comply can lead to penalties, loss of contracts, and reputational damage. Therefore, understanding CMMC 2.0 is not just a matter of best practice, but a business imperative for the Aerospace & Defense industry.

II. Background

The Cybersecurity Maturity Model Certification (CMMC) was conceived by the U.S. Department of Defense (DoD) to help ensure that Defense Industrial Base (DIB) sector contractors could protect sensitive data, particularly Controlled Unclassified Information (CUI), against cyber threats. Launched in 2020, the initial version of the model (CMMC 1.0) introduced a set of comprehensive and scalable cybersecurity standards, replacing the self-certification system with a new third-party assessment requirement for DoD contractors. The primary purpose of the CMMC has been to consolidate multiple cybersecurity standards into a single, unified framework, thereby enhancing the defense sector's ability to safeguard critical information. Now, with the advent of CMMC 2.0, the aim remains the same but with refined processes and more clearly defined levels of certification, making it easier for organizations to understand and achieve the required cybersecurity standards.

As an ERP solutions provider serving the Aerospace & Defense (A&D) manufacturing sector, Epicor has been tracking the developments in cybersecurity and compliance, including the Cybersecurity Maturity Model Certification (CMMC). An updated framework was introduced in November 2021 with the CMMC 2.0 that, brought forth a host of changes and enhancements to the original model.

As of this writing, CMMC 2.0 requirements cannot be enforced in contracts until the final rule based on DFARS Clause 252.204.7021 ("CMMC Clause") is reviewed and published by the Office of Information and Regulatory Affairs (OIRA). The earliest estimates place the timeline for the rollout of CMMC 2.0 towards the end of 2023 and, more likely, into 2024.

Recognizing the potential implications and adjustments needed by our A&D manufacturers, we've distilled these changes into an easily digestible post. Our aim? To help you understand what these modifications mean for your operations and to help provide you with insights to effectively adapt and seamlessly maintain your compliance.

III. What’s Changed from CMMC 1.0 to CMMC 2.0

The CMMC 2.0 framework introduces a three-level structure, eliminating the previous five levels. Level 1, focusing on basic cyber hygiene practices, now only requires an annual self-assessment and company leadership affirmation, removing the need for third-party certification.

Level 2 in CMMC 2.0, equivalent to the 'old' Level 3, has eliminated 20 controls, leaving the implementation of 110 controls from NIST 800-171. This level applies to any manufacturers that handle CUI, but a lower CMMC level may apply to subcontractors when the prime only flows down select information.  Independent third-party assessments will be needed only for contractors working on "prioritized acquisitions," with annual self-assessments permitted for other contractors.

So far, the new Level 3, incorporates the 'old' Levels 4 and 5, is expected to include controls from NIST SP 800-172, with assessments being government-led, intended for the most sensitive and high-risk projects.  Additional security requirements such as reporting security incidents from DFARS clause 252.204-7012 still apply. 

One crucial change introduced with CMMC 2.0 is the shift in assessment requirements. Level 1 now permits annual self-assessments, while Level 2 differentiates between triennial third-party assessments and annual self-assessments based on the nature of acquisitions. Level 3 will require government-led assessments on a triennial basis.

Another key update is the acceptance of a Plan of Action and Milestones (POA&M) for practices and processes not yet met, addressing criticism that CMMC 1.0 required meeting every single practice and process for certification, allowing for a more realistic and phased approach to cybersecurity.

Lastly, DoD contractors dealing with Controlled Unclassified Information (CUI) are still obligated to abide by DFARS 7012, 7019, and 7020. Compliance with these regulations involves implementing NIST 800-171 standards, which also correspond with the 'Advanced' level under CMMC 2.0's Level 2 certification.

This transition to CMMC 2.0 represents a major shift in the certification landscape, aiming to make the certification process more streamlined and user-friendly for DoD contractors, lending itself to provide a more dynamic model better equipped to adapt to the constantly evolving landscape of cybersecurity threats, As the specifics continue to roll out, keeping abreast of these changes is of paramount importance to maintain compliance and secure defense contracts.

IV. Challenges of CMMC 2.0 for the Aerospace & Defense Industry

Navigating the path to Cybersecurity Maturity Model Certification (CMMC) 2.0 compliance can present numerous obstacles for the Aerospace and Defense (A&D) industry, given its specific operational complexities and the imperative to securely manage highly sensitive data.

The complexity and scale of A&D operations can make the implementation of robust cybersecurity controls a daunting task. Multilayered supply chains, wide-ranging physical and digital infrastructure, and diverse personnel all add to the challenge of securing controlled unclassified information (CUI).

Achieving CMMC 2.0 compliance requires a significant investment of time, resources, and effort. From training personnel and enhancing infrastructure to conducting audits and navigating the certification process, compliance can be a resource-intensive endeavor.

Moreover, the A&D industry is a high-value target for cybercriminals and state-sponsored actors. The sensitive nature of the data handled by these organizations means they need to contend with an evolving array of sophisticated threats. Keeping up with these threats to maintain compliance can be a persistent challenge.

Lastly, a degree of uncertainty exists in the path to compliance due to the ongoing development and refinement of the CMMC 2.0 framework. The need for clear guidance and support in navigating these changes can be a challenge in itself.

V. Achieving CMMC 2.0 Compliance with Epicor for A&D

To overcome these hurdles, Epicor has partnered with Cre8tive Solutions, a company that specializes in the A&D industry and holds a deep understanding of CMMC 2.0 requirements. Together, we can provide the necessary tools, resources, and expertise to help A&D manufacturers meet the compliance challenge head-on.

Secure Data Management: Robust software solutions capable of secure data management. This includes encryption of data at rest and in transit, role-based access controls, audit logs, and secure backup and recovery procedures. For instance, sensitive design and manufacturing data should only be accessible by authorized personnel, with each access or modification accurately logged for audit purposes.

Process Automation and Control: With robust systems to streamline and automate controlled processes. A&D manufacturers often have complex, multi-tiered supply chains, and enabling the secure and efficient management of these is crucial for compliance. Epicor for A&D provides visibility into the entire supply chain, enabling secure information sharing with partners and suppliers while maintaining stringent control over CUI.

Enterprise Resource Planning (ERP) solutions can play a significant role in helping Aerospace and Defense (A&D) manufacturers achieve compliance with CMMC 2.0 by streamlining and automating processes, supporting data protection, and providing essential documentation. Here are a few examples of where ERP Solutions can play an important role:

Level 1: At this level, A&D manufacturers need to demonstrate basic cyber hygiene practices. Epicor for A&D solutions helps by enabling the essential data protection protocols to be in place, such as controlling access to protected data like Federal Contact Information (FCI) and enforcing user authentication and authorization. Epicor solutions also provide comprehensive audit trails and extensive forward/backward traceability, essential for documenting adherence to practices for self-assessment.

Level 2: For the advanced level, manufacturers must implement the 110 controls from NIST 800-171. Epicor A&D solutions can support these processes with robust data security and encryption methods, secure data transmission protocols, and tools for regular security risk assessments. ERP systems also offer change management capabilities, enabling organizations to track and control changes to data, which is critical for maintaining security. Because A&D manufacturers often have complex, multi-tiered supply chains, helping ensure the secure and efficient management of these is crucial for compliance. Epicor for A&D provides visibility into the entire supply chain, enabling secure information sharing with partners and suppliers while maintaining rigorous protections over controlled unclassified information (CUI). 

Level 3: This level targets manufacturers working on sensitive and high-risk projects. Besides needing to meet controls from NIST SP 800-172, companies must also demonstrate an ability to protect CUI and reduce the risk of Advanced Persistent Threats (APTs). With the help of our A&D Partner, Cre8tive Solutions, Epicor offers advanced security features, such as intrusion detection and prevention capabilities. Other capabilities include the ability to manage and track employee training records and ensure personnel are educated about the latest cybersecurity threats and practices.

VI. Conclusion

Although CMMC 2.0 is still under review, it could become final and go into effect as early as late 2023. Given this timeline, it's prudent for manufacturers to start their preparations in advance with a readiness asse. Teaming up with knowledgeable experts, such as Epicor's certified partner, Cre8tive Solution, can facilitate this process by identifying any gaps and implementing suitable remediation strategies. Now, there are a few compelling reasons for starting these preparations immediately.

Firstly, comprehensive readiness assessments can take a few months. Companies that have swiftly adopted NIST 800-171 could potentially enjoy a competitive edge, enhancing their appeal to DoD customers and partners.

Secondly, DoD contractors who handle Controlled Unclassified Information (CUI) are still mandated to comply with DFARS 7012, 7019, and 7020.

Lastly, it's crucial for DoD contractors to evaluate the potential risks to their organizations and financial status due to threats like ransomware and other types of breaches, all of which can be effectively mitigated by adhering to NIST 800-171.

At Epicor, in partnership with Cre8tive Solutions, we offer cutting-edge ERP software solutions specifically designed to help Aerospace & Defense manufacturers. Our team is intimately familiar with the CMMC 2.0 requirements, and we can provide the guidance and software solutions you need to ensure full compliance. Do you have questions about CMMC 2.0 or want to understand what it means for your business? Don't hesitate to reach out. We're here to offer a product demonstration or a personalized consultation to help you navigate the journey toward CMMC 2.0 compliance. Let's secure your future in the Aerospace and Defense industry together.

 Key Terms

  • C3PAO – Certified Third-Party Assessment Organization
  • CMMC - Cybersecurity Maturation Model
  • CMMC-AB – CMMC Accreditation Body
  • CUI – Controlled Unclassified Information
  • DFARS – Defense Federal Acquisition Regulation Supplement
  • DIB – Defense Industrial base
  • FCI – Federal Contract Information
  • FedRAMP - Federal Risk and Authorization Management Program
  • NIST SP 800-171 – Security requirements for protecting CUI
  • NIST SP 800-172 – Enhanced security requirements for protecting CUI
  • DFARS Clause 252.204-7012 – Requirements for Safeguarding Covered Defense Information and Cyber Incident Reporting
  • OSC – Organization seeking certification
  • POAM – Plan of actions and milestones
  • RPO – Registered Provider Organization
  • OIRA - Office of Information and Regulatory Affairs