Have you received a letter from your DoD contract officer or prime contractor asking you to complete your NIST 800-171 Basic Assessment and enter your score into the Supplier Performance Risk System (SPRS)?

* Are you concerned about keeping or getting new Defense contract work?
* How are DoD's new cybersecurity requirements going to affect your business?

As a small manufacturer you may feel that you don't have the resources or bandwidth to comply with DoD's new cybersecurity requirements. CPI Systems works directly with Defense contractors and state-based Manufacturing Extension Partnerships (MEPs) to help small manufacturers maintain or obtain Defense contracts under the new cybersecurity requirements. Grant funding allows MEPs to fund affordable solutions for small and medium contractors to comply with CMMC and NIST 800-171 requirements.
Who Needs CMMC & the NIST 800-171 Basic Assessment – and why is it Mandated in the FAR and DFARS?
If your company has a contract that references Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you will be required to become certified under the Cybersecurity Maturity Model Certification (CMMC). Contact your Defense contract customer to determine if and when you will be required to implement CMMC.
Current requirement (as of Nov 30 2020): NIST 800-171 Basic Assessment & Score
DFARS 252.204-7012 currently mandates that all companies within the Defense Industrial Base (DIB) that handle, store, process, or transmit Controlled Unclassified Information (CUI) provide a current (within 3 years) NIST 800-171 Basic Assessment score. The same contract clause requires the Cybersecurity Maturity Model Certification (CMMC) to be rolled out to all 300,000 contractors in the DIB between 2021 and 2025.
What is CMMC?
CMMC stands for "Cybersecurity Maturity Model Certification."
* There are 5 Maturity levels based on the risk of information being shared.
* “Maturity” is the degree of implementation throughout your organization.
* Level 1 is required by FAR Clause 52.204-21. It is the lowest risk level and protects Federal Contract Information (FCI). FCI is any information in a contract that is not available to the public.
* Level 3 builds upon the existing regulation (DFARS 252.204-7012) that imposes the NIST 800-171 requirements.

The DFARS clause is intended to safeguard Controlled Unclassified Information (CUI). CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. It is either created by the government or created for the government.
CUI in manufacturing is often in the form of specifications and technical drawings but can also include ITAR (International Traffic in Arms Regulations) data, personnel data, military installation access data and dozens of other types.
Why is CMMC Mandated?
The theft of intellectual property and sensitive information from all industrial sectors through malicious cyber activity threatens both economic security and national security. Hundreds of billions of dollars in intellectual property theft affect every US citizen. One familiar example is Beijing's J-31 stealth fighter, which was ripped off from Washington's F-35 following a 2007 Lockheed Martin breach. The manufacturing industry experiences the lion's share of malicious cyber-attacks.
What CMMC Maturity Level is your company?
Your company is Level 1 if you only receive Federal Contract Information (FCI). Federal Contract Information is any information that is not available to the public, such as delivery locations, installation dates, or special access codes: anything that could put the DoD at risk if a hacker obtained it.

Your company is Level 3 if you get or create Controlled Unclassified Information (CUI). CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. It is either created by the government or created for the government.
CUI categories are defined in the CUI Registry on the Archives.gov site. There are 24 categories of content and 83 subcategories of content! Each category is defined as either CUI Basic or CUI Specified. Your government contract requirements may identify what information is CUI.
CPI Systems helps small manufacturers maintain or obtain Defense contracts under the new cybersecurity requirements.

As ISO-NIST-CMMC system providers, CPI Systems combines a procedural risk management framework with a simplified compliance management system. Discover the CPI Systems difference: email Jim@cpisys.com to chat.
CPI Systems is a CMMC-AB Registered Provider Organization (RPO) and is proud to work only with CMMC-AB Provisional Assessors and Certified Instructors (upcoming designation). CPI Systems partners Vicki Delaney and Jim Goodrich are CMMC-AB Registered Practitioners (RPs).

For your company, Management Reviews are an ideal place for these process discussions. Performance indicators tend to focus on issues that have already happened, but are you planning for the likely scenarios ahead? Do Sales, Operations, and Shipping communicate well? How about your key suppliers? They are also part of your extended enterprise's success. Planning for risk within and between these processes is key.
