CMMC assessments began on 16 December. If you handle CUI, here are three things you need to know about CMMC
The CMMC final rule is now in effect. On 16 December, certified third-party assessment organizations (C3PAOs) officially began assessing DoD contractors. Given the wide gap between the number of assessment organizations (roughly 100) and the number of Defense Industrial Base (DIB) companies that will need certification (roughly 100,000), DoD contractors need to be assessment-ready as soon as possible.
If you handle Controlled Unclassified Information (CUI) and plan to work on DoD contracts as either a prime or a subcontractor, here are three critical things you need to know.
The ‘Big Five’ (Lockheed Martin, RTX, General Dynamics, Boeing and Northrop Grumman) account for roughly a third of DoD contracts. The remainder of the DoD’s $420 billion pot is split between large firms (e.g. Huntington Ingalls Industries and General Electric) and SMEs (e.g. Torch Technologies Inc and Deployed Resources), with small businesses winning nearly 25% of DoD prime contracts in 2022-23.
But whether you have 20 or 20,000 employees, you are responsible for proving how you secure CUI in order to be CMMC compliant. For example, prime contractors must ensure that all of their subcontractors handle and protect CUI correctly, or find another supplier. Small suppliers, such as niche consultancies or custom-part providers, must show that their handling of CUI meets CMMC requirements or miss out on subcontracted work.
CUI comes in many forms, but in general you should assume that any document, drawing or design delivered under a DoD contract is likely to be CUI; the contract and the CUI markings on what you receive tell you exactly what is in scope. If you handle CUI, such as construction blueprints or test reports, you need to satisfy the 110 security requirements of NIST SP 800-171 and the 320 assessment objectives of NIST SP 800-171A to pass a CMMC Level 2 assessment.
DIB members must implement all of these controls to receive CMMC certification, and compliance is assessed externally by a C3PAO. What’s more, under the final CMMC rule a disagreement with a C3PAO’s assessment findings cannot be appealed to the DoD; it is handled through the C3PAO’s own dispute process. So you need to know exactly how you protect CUI before you apply for your CMMC Level 2 assessment.
CMMC 2.0 was designed to protect the DoD’s supply chain (and the sensitive national security information it holds) from cyberattacks, not to slow down its members’ production processes. As such, when choosing tools to protect, track and control access to your CUI, prioritize practicality. If your engineers, consultants or scientists face cumbersome security checks every time they open a technical report that is CUI, you will lose DoD contracts through inefficiency rather than through non-compliance.
Instead, look for security tools that have the flexibility to meet CMMC requirements without degrading the end-user experience. For instance, NIST SP 800-171 requires you to limit CUI access to authorized users with a need to know, and much DoD CUI (military drawings in particular) is also export-controlled under ITAR or EAR, which bars foreign nationals from accessing it without specific authorization. If you have a non-US citizen on your production line or work with overseas teams (even if they are part of your company), your CUI security tools must be able to enforce that restriction per user and per file, not just per network.
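The access decision described above, as an added example that is not code from the original article or from any particular product. It evaluates a deny-by-default, attribute-based policy: need-to-know (project assignment), current CUI training, and the separate export-control rule that blocks non-US persons from ITAR/EAR-marked CUI only, so a foreign national on the contract can still read CUI that is not export-controlled. The `User` and `Document` attributes, the project codes, the file paths and the sample people are all constructed for the demonstration; map them onto your identity provider and document-management system.

```python
"""Attribute-based access check and audit record for CUI files (illustrative).

Added example; not from the original article. All attribute names, sample
users and file paths are constructed. Policy intent: NIST SP 800-171 access
control (authorized users, need-to-know) plus the ITAR/EAR rule that keeps
foreign nationals away from export-controlled CUI without authorization.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class User:
    username: str
    us_person: bool             # US citizen or lawful permanent resident (assumed IdP attribute)
    projects: frozenset         # contract/project codes the user is assigned to
    cui_training_current: bool  # CUI handling training completed within the required period


@dataclass(frozen=True)
class Document:
    path: str
    is_cui: bool
    export_controlled: bool     # carries an ITAR/EAR marking such as CUI//SP-EXPT
    project: str                # contract/project the document belongs to


def check_access(user: User, doc: Document) -> tuple[bool, str]:
    """Deny by default; every denial names the rule that triggered it."""
    if not doc.is_cui:
        return True, "not CUI: no CUI-specific restriction"
    if doc.project not in user.projects:
        return False, "need-to-know: user is not assigned to this contract"
    if not user.cui_training_current:
        return False, "CUI handling training is not current"
    if doc.export_controlled and not user.us_person:
        return False, "export-controlled CUI: foreign national needs a specific authorization"
    return True, "authorized"


def audit_record(user: User, doc: Document, action: str = "read") -> dict:
    """Evaluate the policy and build the audit entry you would forward to a SIEM."""
    allowed, reason = check_access(user, doc)
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.username,
        "us_person": user.us_person,
        "path": doc.path,
        "cui": doc.is_cui,
        "export_controlled": doc.export_controlled,
        "action": action,
        "allowed": allowed,
        "reason": reason,
    }


# Constructed sample data for the demonstration.
US_ENGINEER = User("alice", us_person=True, projects=frozenset({"contract-A"}), cui_training_current=True)
FOREIGN_ENGINEER = User("bruno", us_person=False, projects=frozenset({"contract-A"}), cui_training_current=True)
UNTRAINED = User("carol", us_person=True, projects=frozenset({"contract-A"}), cui_training_current=False)

DRAWING = Document("/cui/contract-A/bracket.dwg", is_cui=True, export_controlled=True, project="contract-A")
TEST_REPORT = Document("/cui/contract-A/vibration-test.pdf", is_cui=True, export_controlled=False, project="contract-A")
OTHER_DRAWING = Document("/cui/contract-B/housing.step", is_cui=True, export_controlled=True, project="contract-B")
BROCHURE = Document("/public/brochure.pdf", is_cui=False, export_controlled=False, project="marketing")

if __name__ == "__main__":
    for user in (US_ENGINEER, FOREIGN_ENGINEER, UNTRAINED):
        for doc in (DRAWING, TEST_REPORT, OTHER_DRAWING, BROCHURE):
            rec = audit_record(user, doc)
            verdict = "ALLOW" if rec["allowed"] else "DENY "
            print(f"{rec['user']:6} {rec['path']:40} {verdict} {rec['reason']}")
```

Two design points matter for an assessment. The check is deny-by-default and ordered so that the broadest rule (need-to-know) fires first; and every decision, allowed or not, produces an audit record, because the assessor will want evidence that CUI access is both restricted and logged, not just restricted.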
CMMC 2.0 assessments are up and running. To be compliant, you need to work out where your CUI lives and who has access to it, then implement tools to secure and monitor it. If you use CAD files, such as technical drawings, for DoD contracts, it is highly likely those CAD files are CUI.
To find out how to easily protect and track CAD files that are CUI, check out our eBook: ‘How to easily protect and track CAD files that are CUI for CMMC compliance’.