What’s It Really Like to Go Through a CMMC Assessment?

DMG MORI Federal Services suppliers have heard the call to action about Cybersecurity Maturity Model Certification (CMMC) 2.0 requirements. They know they must meet these new Department of Defense (DoD) cybersecurity standards ASAP — or risk being ineligible for future contracts.

What suppliers may not have heard is a report about what it’s really like to go through the CMMC process. Until now. DMG MORI Federal Services has completed the assessment successfully and is certified.

Company officials smile when they discuss their achievement.

“It’s a relief, it was difficult,” said Kristine Quema, Vice President of Operations, DMG MORI Federal Services, providing a realistic pep talk. “It’s basically a different way to conduct business. I wasn’t sure what to expect because there haven’t been a lot of companies that have gone through this. So there were last-minute things that came up, and it was a very tight timeline when we sat down for the assessment. But it went well. We got a perfect score.”

The point of CMMC is to enhance cybersecurity within the Defense Industrial Base. Because modern manufacturing is heavily digitalized, contractors and suppliers need to prove they have best practices in place to protect sensitive data against intrusion.

The challenges related to CMMC are threefold. First, vendors must make sure their operations meet the certification standards, which likely requires IT investments and changes to their procedures. Second, they must go through the certification process itself. Third, going forward, they must keep current with DoD standards as they are updated, because companies must complete annual self-assessments plus another certification inspection every three years.

“This is not a one-time deal,” said Akbar Khimani, General Manager, Information Technology, at DMG MORI Federal Services. “The good thing for us is that leadership was open to having a discussion about how to set up the IT environment and cybersecurity controls. Part of our thought process was that since we need to expand on this in the future, let’s plan for that. I wouldn’t say that certification was easy, but it was an easy decision on our side to recognize that we needed a different environment.”

Four questions about CMMC for Kristine Quema (answers edited):

What’s the urgency about CMMC certification?

The DoD requires contractors to become CMMC-compliant, whether it’s Level 1 or Level 2. Enforcement is not yet in play but is expected to be finalized this summer. CMMC is more than cybersecurity. It’s a security requirement, an actual clause included in contracts. Companies with DoD contracts that handle federal contract information – non-public information about a federal contract or controlled unclassified information – must become CMMC-certified. The manufacturing industry is a high target for bad actors, so this is about more than meeting contract requirements. It’s about having good security so your business is sustainable.

Is there a hard deadline for compliance?

We expect CMMC enforcement will be phased in, and it will be up to contracting officers to include it in contracts outright or not. We hope all DMG MORI Federal Services suppliers are working toward compliance. The reality is you can’t be part of our supply chain if you don’t get certified. This is not going away. There’s a formal certification process and an industry behind it. Assessors are certified. There’s a cyber board behind it.

What’s the first step?

The first step is to do an assessment to understand the requirements and current status of the business, whether it’s cybersecurity or just security. To do that, you should partner with a vendor specializing in CMMC compliance. Maybe larger firms have an in-house cybersecurity team that can handle everything, but a lot of companies don’t. We wouldn’t have been able to accomplish what we did without an outside vendor.

Is it too late to start? Can this be done in six months?

It’s not too late, even if you haven’t started. For smaller businesses based completely in the US, it may be easier than for larger businesses like DMG MORI Federal Services. But the assessment takes time — and it’s impossible to complete in six months because there are not enough assessors. When we did our assessment, I asked if we could delay for two weeks. That was in April. The next available time slot was in November. The line started forming last year.

Visit the MxD Virtual Training Center for information on cybersecurity workforce training resources.