NIST 800-171 & CMMC Compliance for DoD Electronic Manufacturing
Security is a constant challenge for most companies, but for electronic manufacturers working on DoD manufacturing and related projects it is even more crucial. Every link in the manufacturing supply chain must hold the correct certifications and meet the applicable requirements. Falling out of compliance means that an entire industry's work is closed to the manufacturer. All contractors need to be in compliance, and the obligation is placed on the supplier and its supply chain.
What is NIST 800-171?
NIST 800-171 certification has certain minimum requirements to remain a trusted supplier for the government, specifically the DoD. These minimum requirements are:
- Self-attestation of the contract obligations for compliance.
- System Security Plan, updated periodically, with provable elements for system boundaries, the operating environment, how the security requirements are implemented, and relationships with other systems.
- Plan of Action that includes a detailed plan of cyber gaps and necessary remediations.
- Incident response plan, consisting of an approved process defined by the DoD for reporting incidents within 72 hours.
- Proof of cyber resiliency, such as cyber event modeling and processes.
Compliance with NIST SP 800-171 is required for any contractor or subcontractor that stores, transmits, or processes Controlled Unclassified Information (CUI). This includes ECMs who are working on PCBs that will be involved in DoD products.
CMMC is like a gate that a contractor must pass through to be eligible to bid on, win, or even participate in a contract that involves CUI. Without this certification, the manufacturer will be barred from the contract. There are different levels of CMMC compliance, from Level 1 (foundational) to Level 3, for “special CUI”.
The DoD created CMMC in response to the continued exfiltration of controlled unclassified information from its supply chain. These breaches threaten national security, empower adversaries, and cost the US economy more than $600 billion per year. Therefore, CMMC serves as a unified standard for cybersecurity that will be incorporated as a “go/no-go” requirement for all DoD acquisitions.
CMMC requires periodic audits to ensure compliance. Every level has its own specific set of controls within the scope of the CMMC audit. Level 1 requires 17 controls based on basic cybersecurity. Level 2 has 110 controls from NIST 800-171, and Level 3 involves the same requirements as Level 2 with an additional 35 controls from NIST SP 800-172. Audits involve a documentation review as well as staff interviews. Passing the CMMC audit does not ensure compliance with NIST 800-171, but both are required for any DoD contract.
Everything Begins with Documentation
When beginning the process of obtaining certification and preparing for a CMMC audit, the first step is to prepare the documentation that proves everything you are doing is within the regulations and requirements. Having an ECM partner who is familiar with and involved in DoD contracts can help your project start off on the right foot with the right documentation. Non-compliance can result in contract termination, breach of contract lawsuits, and even criminal fraud liability, so compliance is crucial, and it begins with documentation.
Staying in compliance protects both the information and your company from potential fallout that can be costly and compromise security. Once the procedures are in place, it will become much easier to stay audit ready and prepared to take on DoD manufacturing projects.
Levison Enterprises is a full service turn-key domestic electronic contract manufacturer with the experience, certifications, and reputation necessary for creating electronic devices for the defense industry. With our vetted supply chain and superior manufacturing capabilities, there’s no reason to go anywhere else. Contact us today for a quote on your next project.