Why Does Cybersecurity Matter to a Machine Shop?
If you do business with the Department of Defence (DoD), either directly or as a subcontractor, it is necessary to have robust cybersecurity systems and processes.
As a government contractor or subcontractor, you are a link in the defense supply chain. As such, you receive and store sensitive information. Failure to implement cybersecurity measures and mitigate risks can have many negative implications. At best, this failure can prevent you from receiving government contracts. At worst, it can pose a threat to national security.
Toolcraft has been a trusted CNC Machining Manufacturer for over 60 years. For much of that time, we’ve been linked to federal government contracts. We are honored to support the national defense effort and the warfighter through our precision machining services. We take tremendous pride in our country and believe you can see that in our security and safety measures and the quality of our work.
Toolcraft Machining Is ITAR Compliant
Toolcraft is registered with the U.S. Department of State, Directorate of Defense Trade Controls (DDTC) to be International Traffic in Arms Regulations (ITAR) compliant. (See our announcement from July 15, 2021.)
ITAR is a set of regulations created to manage the export of goods that have uses within the defense industry. Any manufacturer that provides goods or services must register with the Department of State and maintain their registration status.
To comply with ITAR documentation and certification requirements, we’ve increased our security. We do this to protect the interests of the United States, our collective safety, and the quality and safety of your parts.
From NIST to CMMC: What You Need to Know About Federal Compliance Guidelines
NIST 800.171
We’ve been following NIST 800.171, a clearly defined set of federal compliance guidelines, for years to ensure that Toolcraft has top-notch security throughout our entire shop.
NIST (National Institute of Standards and Technology) created Special Publication 800.171 to protect Controlled Unclassified Information (CUI) by providing recommended requirements that contractors must follow to show that they have adequate security to protect defense information (as required by DFARS clause 252.204-7012). The primary goals of these guidelines are to strengthen the federal supply chain and protect national security.
NIST 800.171 includes the NIST Cybersecurity Framework to reduce the risk of data breaches, reduce the risk from insider threats, and provide a methodology for managing risk. (You can learn more about how Toolcraft adheres to NIST 800.171 in this blog post.)
This framework is voluntary, and there is no certification process. In 2020, the DoD did begin requiring a self-assessment to prove compliance. Though this was initially done using an honor system, now defense contractors must report their self-assessment score to the DoD’s Supplier Performance Risk System (SPRS).
CMMC Compliance
Defense contractors have been self-assessing against the NIST 800-171 security framework since 2017. The DoD found that the lack of certification meant some contractors claimed to meet the standards when they were not. So in 2019, the DoD began developing the Cybersecurity Maturity Model Certification (CMMC) to better enforce the NIST 800-171 requirements.
The DoD released CMMC Version 1.0 on January 31, 2020. It outlined 5 levels of increasing cyber maturity. Starting at level 1, a contractor had to demonstrate both the technical practices and maturity processes to graduate to the next level. All contractors were expected to comply with Level 1 Basic Cyber Hygiene, and some contractors were expected to comply with more advanced levels.
| CMMC 1.0 | |||
| Level 1 | Basic Cyber Hygiene | 17 practices | 1 process |
| Level 2 | Intermediate Cyber Hygiene | 72 practices | 2 processes |
| Level 3 | Good Cyber Hygiene | 130 practices | 3 processes |
| Level 4 | Proactive Cyber Hygiene | 156 practices | 4 processes |
| Level 5 | Advanced Cyber Hygiene | 171 practices | 5 processes |
After an internal review the following year, the DoD announced changes to the CMMC, and released CMMC 2.0 in November 2021. The update condensed the 5 maturity levels into 3 to better reflect the maturity and reliability of a company’s cybersecurity infrastructure and to streamline the process for all parties.
| CMMC 2.0 | ||
| Level 1 | Foundational | 17 practices |
| Level 2 | Advanced | 110 practices |
| Level 3 | Expert* | 110+ practices |
CMMC 2.0 also outlines assessment requirements for each level.
- Level 1: Annual self-assessment; load score to SPRS
- Level 2: Contractors handling non-critical CUI perform annual self-assessment and load score to SPRS; Contracts handling critical CUI will be assessed 3x/year by a Certified 3rd Party Assessment Organization (C3PAO)**
- Level 3: Government-led assessment 3x/year
*Expert Level 3 is under development; it will be based on NIST SP 800-172
**No company has been “certified to certify”
Defense contractors use a points-based system to prove compliance and then submit their scores to the SPRS. In addition to the assessment requirements, compliance with CMMC 2.0 will be enforced through contractual requirements, meaning defense contractors handling CUI will be required to achieve a certain CMMC level in order to receive a contract. Because the rulemaking process for CMMC 2.0 implementation is still underway, it is not yet a contractual requirement.
What Is a CMMC SPRS Score?
As there is currently no third-party company “certified to certify” compliance with CMMC 2.0, self-assessment is still required. Unlike NIST 800.171 compliance, which has operated on an honor system, CMMC compliance must be recorded as a score in the DoD’s SPRS.
The SPRS is an online application, and an SPRS Score is a numerical grade (-203 to 110) you enter into the application. As you begin your self-assessment, your score starts at -203. Control line items in the CMMC have different point values depending on their criticalness, with 1-point items deemed least critical and 5-point items most critical. As you implement controls, your SPRS Score increases.
The maximum score of 110 is difficult to achieve and not expected of suppliers, though the higher your score, the better. Why? Your SPRS Score is a key indicator of your cybersecurity strength and is a significant factor in your evaluation as a defense contractor.
At Toolcraft, we completed our second self-assessment and reported our improved SPRS Score in the second quarter of 2023. Our score is valid through 2024.
Why SPRS Scores Matter to the Defense Industry
There are currently 110 controls, and the maximum score is 110. A high SPRS Score indicates the health of your company’s cybersecurity across multiple areas.
If you think of your SPRS Score as a grade on a report card, you can understand why it would be a valuable data point to the DoD as they evaluate contractors. Your SPRS score can inspire confidence in your company and lead to governmental contracts, or it could make the DoD wary and prevent you from even being eligible to bid on contracts.
Aside from that, you can use your SPRS Score to inform additional policy, procedure, and process changes in your company. Working toward compliance in this way benefits you, as non-compliance as a defense contractor can have serious implications, ranging from contract cancellation to fraud.
Toolcraft Machining Is Your CMMC Compliant Partner for Government Projects
During our decades in business, we have been proud and honored to serve the defense industry by CNC machining high-quality precision parts. We work hard to maintain a high standard of quality and exceptional customer service for all of our clients. If you’re interested in knowing more about how to partner with the experts at Toolcraft for your next project, contact our team to get started.