Manufacturers that supply the defense industry will need to adhere to a new set of uniform cybersecurity standards in order to bid on contracts from the U.S. Department of Defense.
Despite how profoundly this measure could potentially affect their operations, a large majority of West Michigan manufacturers remain indifferent to the matter, cybersecurity experts say.
At the beginning of 2020, the Department of Defense released its Cybersecurity Maturity Model Certification (CMMC) program that establishes a multi-tier, unified set of standards for cybersecurity for all 300,000-plus members of the defense industry base. Beginning Oct. 1, 2025, a CMMC compliance clause will be included in every government solicitation, though the requirement could come sooner under new contracts.
The measure is designed to enhance national security and install a unified cybersecurity front to protect every manufacturer that contributes to a government project, even if it’s a single, small component.
As the Department of Defense makes requests for proposals from prime contractors, the agency will require a certain level of CMMC compliance. The contractors will expect the same from their suppliers. Manufacturers that aren’t deemed CMMC-compliant by an accredited third party will be ineligible for these projects.
“I think the reality is: Once we get into next year and we get more prime contracts coming that have the CMMC requirement,” manufacturers will start paying attention, said Chad Paalman, CEO of NuWave Technology Partners LLC, an I.T. firm with offices in Grand Rapids, Kalamazoo and Lansing.
Paalman has long championed CMMC compliance and also has an ownership stake in Florida-based Prescott, which spun out of NuWave and focuses solely on CMMC compliance for manufacturers across the country. He has yet to work with a West Michigan-based manufacturer that has completed the CMMC process.
“This year, we only had a handful of contracts that had a CMMC requirement nationally,” Paalman added. “You’ve got these companies — predominantly manufacturing companies — that, if they don’t have to make an investment, they’re not going to.”
Cost and confusion
For a variety of reasons, manufacturers remain mostly on the sidelines when it comes to CMMC compliance, Paalman said.
With CMMC awareness still quite low, most companies balk at the costs associated with the process — especially when they view it as an unnecessary measure, he said.
To comply with CMMC standards, not only do most manufacturers have to make upgrades to their technology but, in many cases, it fundamentally changes the way they do business.
“I use the analogy that we need to take a lot of these companies from a 200 credit score to an 800 credit score when it comes to their cybersecurity hygiene,” Paalman said, adding that only around one-third of CMMC compliance is technical in nature. The rest is procedural.
“It’s time, it’s money. Businesses are going to look at the return on their investment,” he added. “I’ve been telling these companies in the CMMC space: If you’re first to market with the ability to market yourself as having a CMMC certification, that’s a competitive advantage.”
The CMMC compliance journey can also last months. Very few manufacturers have an in-house staff capable of conducting their own gap analysis and technical remediation, which is why they must turn to third-party CMMC specialists for assessments.
Paalman estimates that it takes around six months to a year to adequately prepare for the official CMMC third-party assessment. This means that RFPs with a CMMC-compliance requirement can catch companies flat footed.
“That will be the unfortunate reality — they’re going to realize they don’t have enough runway to reach the point where they are CMMC certified and be able to bid on (projects),” Paalman said.
Recognizing the crucial nature of CMMC compliance, West Michigan-based economic development organization The Right Place Inc., and the Michigan Manufacturing Technology Center-West contained within it, works with manufacturers on the issue.
Terry Hossink, vice president of manufacturing services at The Right Place, said his organization works with local manufacturers to connect them with the necessary resources to move forward with CMMC compliance.
Despite the availability of these resources, Hossink sees very little urgency among local manufacturers. He added that the organization has had “disappointingly few” sign up for the program.
“The big concern nationwide is that everyone will wait until the last months and there won’t be enough people to certify these people and train them,” said Hossink, forecasting an 11th-hour surge in companies striving for CMMC compliance.
Hossink compared CMMC compliance to International Organization for Standardization’s (ISO) quality standards. In the 1990s, few manufacturers adopted the standards until the auto industry started to require it from any company that supplied it.
“Whether you see it as a competitive issue or not, it’s a national security issue,” Hossink said. “It has to happen. So how can we make it easier to understand and easier for them to move forward?”
Paalman said having an organization like The Right Place advocating for this cybersecurity measure will help move the needle.
“You’ve got an organization that West Michigan businesses know and trust,” he said. “They are a trusted resource when they need help with CMMC. The Right Place has access to the resources. They know who the people and players are and the organizations. In some cases, they have resources themselves that they can plug in.”
The manufacturing sector’s hesitancy to pursue CMMC compliance is relatively unsurprising for an industry that historically has paid little mind to cybersecurity in general.
Jennifer Wangler, senior business development manager at The Right Place, shared insight from a recent yet-to-be-released survey conducted by her organization. The survey revealed that, across all industries, manufacturing spends the least amount of time and money on cybersecurity. The financial sector devoted the most.
“That’s an area that organizations like The Right Place have to do a better job of educating our (manufacturing) community on those necessities to operate in that world,” Wangler said.
With its own technology counsel that features local partners in the private sector, like Paalman’s NuWave, The Right Place has the resources needed to help businesses of all industries improve their cybersecurity preparedness, Wangler said.