The Cybersecurity Maturity Model Certification (CMMC) program is aligned to DoD’s information security requirements for Defense Industrial Base (DIB) partners. It is designed to enforce protection of CUI (Controlled Unclassified Information) shared by the Department with its contractors and subcontractors. The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.
The DIB encompasses all organizations and facilities that provide DoD with materials, products, and services. DIB cybersecurity is and will remain an expanding priority for the U.S. Department of Defense. Most often DoD contract information is considered CUI and should not be disseminated to the public.
CUI can take many forms, frequently as Controlled Technical Information, which includes:
The information in these categories may be in paper form, or more commonly now in digital form. This means that such digital records can be susceptible to cyber theft or corruption by insiders and hackers. In executing a DoD contract, DIB businesses must keep these records and share them with subcontractors. The process of sharing documents also creates vulnerabilities as they move in and out of secure perimeters.
Technical information is often overlooked as a security risk because it is considered of little value outside the context of the internal environment. For example, what value would a CAD design have if the product has been released and is already available on the market? Some people would say it could be reverse engineered anyway, so don’t worry about the original design. The reality is that many designs have some intrinsic value and may give a competitor or enemy some insight or could expedite another similar design.
Even if the product is not for military use, the design is still IP (Intellectual Property) and can have patent protection. Some designs may be CUI and have patent protection as well, but patent protection differs from design security. Patent litigation can be lengthy and expensive, so why not protect IP directly and proactively?
In addition to CAD designs, there are many types of technical documents (as listed above) associated with the design process. These are often linked to a design in a PLM (Product Lifecycle Management) system or ERP system (such as SAP). It may be just as important to protect supporting documents as the CAD designs. While technical documents may be safely contained internally, they also may be shared externally, and need a different type of protection.
Documents supplied by the DoD for contract awards are considered CUI, and CMMC stipulates that DIB bidders adhere to CUI protection to be awarded contracts.
DIB contractors must undergo CMMC appraisals and comply with NIST 800-171 guidelines.
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
What does this all mean for your engineering designs?
Because the engineering documents and designs may be included in the DoD contract, this means they are CUI by default. You must protect them in their original form, and when disseminating them they also must be protected. The documents may already have CUI Markings which are required, and the marking process is described in the references included at the end of this document.
When you create a design or related information as part of the contract, it is considered CUI, and therefore must be protected and marked. Documents not directly included in the contract should not be marked CUI but may still need protection like CUI or IP. In many cases CAD drawings can be marked as CUI with text in the title block (depending on the CAD system) so that when paper copies are printed, the CUI markings will appear. Should all CAD drawings be marked as CUI? Not necessarily. You should check with your DoD contract administrator to be sure. The burden of marking all documents as CUI can be significant and unnecessary.
What can you do to ensure that your documents are secure?
Just putting a CUI label on a drawing or document does not really offer much protection. In some cases, it may encourage theft by identifying it as important. It merely perpetuates an antiquated concept of general trust and unrestricted access, assuming honorable behavior. We have learned that honorable behavior is no longer expected.
The new cybersecurity model is based on the “Zero Trust” framework, where minimal access is granted only to authorized personnel, and general perimeter protection is no longer adequate. The DoD is actively promoting Zero Trust and calls on the nation to adopt this technology.
Microsoft and Zero-Trust Approach
For DIB contractors wishing to protect their CUI there are several options. Microsoft has incorporated Zero Trust technology into its Microsoft 365 system and related products. If there are CUI documents that need to be controlled, files in MS Word, Excel, PowerPoint and others can be protected with Purview. This affords restricted access, edit and change control, time-restricted access and so on. Existing files in these formats can be converted to protected mode. However, files that are not in Microsoft formats (extensions) cannot be protected natively. For those exceptions, applications such as CAD must be adapted with add-on software. The CAD vendors have not incorporated Zero Trust into their software.
How does SECUDE address CAD protection in the context of CMMC?
To meet this need, SECUDE has partnered with Microsoft and the major CAD vendors to include the adaptations to each CAD package providing the Zero Trust capability while not impacting use or function.
The add-on software for CAD offered by SECUDE is made for each vendor and each version of their system. This provides a common approach across platforms and makes it easy for users to switch between systems. The HALOCAD add-on shares a common look and menu structure with the controls in Word, Excel, PowerPoint and across CAD systems.
Many DIB companies use a PLM or PDM system such as Windchill from PTC, or Teamcenter from Siemens, to edit and maintain product data. These of course could contain CUI and would be subject to CMMC assessment. PLM or PDM may also be the repository for CAD files, which are checked in or out for editing.
In this transfer process, CAD files may lose protection afforded by such repositories, since they could be copied or otherwise disseminated. These repositories contain metadata (descriptions about CAD and related files) which can be used to identify the security level of a file.
SECUDE has made adaptations for PLM and PDM systems so that metadata can be read and correlated with security labels defined in Purview. When a CAD file is downloaded to the desktop, the metadata is translated and a security label is read and applied to the file, including encryption and user authentication.
Not only are CAD files labeled, but other types of files, including PDF and Microsoft Office files, are automatically labeled and secured. When the files are checked back into the repository the label and encryption are removed. This means that the PLM/PDM system is unaffected by the security controls and will operate as normal.
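The check-out/check-in flow described above, as an added illustration that is not SECUDE's or the article's own code: repository metadata is correlated with a sensitivity label as the file leaves the repository, and the label is stripped again on check-in. The metadata field name, the label names and the fail-closed default for missing metadata are assumptions.

```python
# Added illustration of correlating PLM/PDM metadata with a sensitivity label.
# Field name "classification", the label names and the policy table are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy table: repository classification -> label and encryption requirement.
LABEL_POLICY = {
    "CUI":    {"label": "CUI // SP-CTI", "encrypt": True},
    "IP":     {"label": "Company Confidential", "encrypt": True},
    "PUBLIC": {"label": "Public", "encrypt": False},
}
# Unknown or missing metadata gets the strictest label (fail closed).
FAIL_CLOSED = LABEL_POLICY["CUI"]


@dataclass
class DesktopFile:
    """A file as it exists on the engineer's workstation after download."""
    name: str
    label: Optional[str] = None
    encrypted: bool = False
    allowed_users: List[str] = field(default_factory=list)


def resolve_label(metadata: dict) -> dict:
    """Map repository metadata to a label policy; default to the most restrictive."""
    cls = str(metadata.get("classification", "")).strip().upper()
    return LABEL_POLICY.get(cls, FAIL_CLOSED)


def on_checkout(name: str, metadata: dict, requesting_user: str) -> DesktopFile:
    """Apply label and encryption as the file leaves the repository."""
    policy = resolve_label(metadata)
    f = DesktopFile(name=name, label=policy["label"], encrypted=policy["encrypt"])
    if policy["encrypt"]:
        # Least privilege: only the user who checked the file out can open it.
        f.allowed_users = [requesting_user]
    return f


def on_checkin(f: DesktopFile) -> DesktopFile:
    """Strip the label and encryption so the repository stores the file unchanged."""
    return DesktopFile(name=f.name)
```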
How does SECUDE address SAP downloads in the context of CMMC?
Thus far, we have discussed CUI in CAD and files in PLM/PDM that need to be protected outside of their enclave. In addition to these files many DIB companies use SAP as their ERP system, from which they download business data to the desktop.
This business data may include DoD contract information, materials definition, HR data, and financial information. Some of this information can be considered CUI and would be subject to CMMC assessment.
The matter is complicated by the ability of an SAP user (although fully authorized) to download the data they see on screen to their workstation. They can copy data from SAP into MS Word, Excel, PowerPoint, or PDF files. This means that security is now needed for these new files.
SECUDE has partnered with SAP and Microsoft to provide this security. The add-in software for SAP is called HALOCORE. It intercepts downloads and translates metadata at the SAP transaction level, then applies a security label and encryption to the resulting desktop file. In this way, any CUI downloaded from SAP obtains the same level of security as native Microsoft files, including Zero Trust controls.
- CAD files created by a DIB contractor in performance of a DoD contract can be considered CUI.
- Files downloaded/uploaded from a PLM or PDM system can contain CUI.
- Files downloaded from SAP can contain CUI related to contracts or designs.
- Even if files are not considered CUI, they may still be IP (Intellectual Property).
- Under the upcoming implementation of CMMC 2.0, CUI must be protected according to NIST 800-171.
- Zero Trust technology must be applied to CUI.
- SECUDE offers CAD, PLM/PDM and SAP add-on software for Zero Trust protection controls.
Many articles and blogs have emphasized the urgency of preparing for CMMC compliance. The lead time for implementing new controls can be many months, so to be eligible for new contracts, DIB contractors must accelerate preparation. CMMC is coming!