The executive order signed last week will help American manufacturing organizations by tightening government procurement rules to make it harder for federal agencies to purchase imported products. The Buy American Act Biden Executive Order revises the definition of U.S.-made products as the president seeks to boost domestic manufacturing. Revising the definition of American-made products brings not only more stringent requirements around manufacturing supplies but also company security standards. Buy American company security standards are expected to be qualified through CMMC Certification, helping domestic manufacturers, including small and midsize companies, gain better access to the information needed to bid for government contracts.
Buy American Company Security Standards & the CMMC Certification
Aside from common compliance requirements, the Buy American Act Biden Executive Order may also require domestic manufacturing companies to meet company security standards or receive a certification through the Cybersecurity Maturity Model Certification (CMMC). This will especially apply to DoD contractors and subcontractors. CMMC was developed by the US Department of Defense to address the protection of information and data on DoD networks as well as to improve overall cybersecurity and supply chain protection.
There is a rise in supply chain attacks in which cybercriminals pull information from smaller organizations to get to larger government organizations, creating the demand for greater security measures within the supply chain. This has become increasingly apparent with the attacks on the COVID-19 vaccine distribution and supply chain in December 2020.
According to Security Intelligence, “Manufacturing companies account for nearly a quarter of all ransomware attacks, followed by the professional services with 17% of attacks, and then government organizations with 13% of attacks.”
CMMC Certification has 5 levels, and the company security standards and cybersecurity requirements increase with each certification level. It also incorporates pre-existing standards and regulations such as NIST SP 800-171, 48 CFR 52.204-21, DFARS clause 252.204-7012, and others, into one unified set of cybersecurity best practices.
5 Cybersecurity Initiatives to Get Started
Full implementation of the CMMC Certification is predicted to take a couple of years, but starting to deploy cybersecurity solutions and institute the necessary changes now will save considerable time throughout the verification process. There are five key cybersecurity solutions to begin with that cover requirements across the various levels.
- Multi-Factor Authentication – Defined and required by CMMC, NIST, and much of the security community to supplement the username and password model with additional factors that only the specific user has access to. These factors include something you know, have, are or do.
- Endpoint Detection & Response (EDR) – Provides threat detection and blocking, and collects endpoint telemetry that gives insight into potential threats. It also provides audit tracking for compliance reporting.
- Managed Patching – Keeps your software and systems from remaining vulnerable to known bugs, malware, and major security issues, while ensuring each device on your network is up to date.
- Spam Filter and Advanced Threat Protection – Intelligent filtering systems designed to scan email for legitimacy and potential risks. Adding data protection capabilities provides resiliency and easy recovery from ransomware and accidental data loss.
- End User Training – An employee training program that gives staff the knowledge to recognize and report threats. The training plan should be ongoing so the organization stays ahead of threats that are constantly evolving.
Though no cybersecurity requirements have yet been issued for the Buy American Act, it is important to start reviewing cybersecurity practices now, especially for companies managing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), or subcontracting for a company that does manage FCI or CUI. Implementing the appropriate level of security before handling sensitive information or government contracts will be essential to winning future contracts.
Other Steps to Ensure Company Security Standards are Met for CMMC Certification
There are many details and requirements you need to achieve and maintain to meet your Cybersecurity Maturity Model Certification (CMMC) requirements. The five cybersecurity initiatives above will get you started, but other, more advanced measures will also need to be taken. Some other actions that help your company plan and outline its company security standards are:
- Start with a Cybersecurity Assessment – Fully understand the current security state of your company and what you need going forward.
- Password Policies – Create a company-wide password policy that outlines best practices, educates employees, and sets secure password creation requirements for the entire staff.
- Cybersecurity Plan – Develop a detailed plan that identifies key assets and threats, prioritizes them, and documents policies. Outline risk mitigation measures to protect your customers, employees, corporate information, and supply chain.
The Buy American Act Biden Executive Order has placed more emphasis on helping domestic manufacturing companies, which leads to prioritizing CMMC Certification for those looking to participate in most DoD requests for information (RFIs) and requests for proposals (RFPs). It is important to start by evaluating your technology, processes, procedures, and IT assets, as well as developing reporting requirements and training for your employees. This will let you identify control gaps and plan the solutions needed to remediate them. CMMC is largely impacting the supply chain for government bids and proposals and for project-specific IT systems.
If you don’t have an internal team working on this, CompuData has been working with manufacturing organizations for over 50 years, partnering with them to manage their technology needs. Email us to learn more about what your security infrastructure may need.