CMMC Compliance
The First Step
Where to Start with CMMC Compliance
The first step is the cost-benefit analysis. Our customers tell us this step takes them several months of prep work. You must ask customers what level of compliance they require and which jobs will involve CUI. You may then need to work with a local CMMC consultant to answer your questions on the topic. You would also need to see which technologies are CMMC-compliant and whether you need to hire IT help.
We’ve heard customers say that the requirements can be $60,000 on the low end. While it’s tempting to avoid CMMC altogether, your ability to do so will depend on your existing customer base.
For some manufacturers, cybersecurity is not top of mind, and they don’t back up their data. Suddenly, an employee clicks on the wrong link, and they lose all control of their data. Even if manufacturers do back up their data, there’s no easy way to tell how much of it is CUI.
On the other hand, we’ve heard stories of manufacturers falling prey to the pressure of consultants. Without completing their own cost-benefit analysis, they depend entirely on their consultants and do whatever they say. As a result, they may overspend thousands of dollars on people, processes, and technology.
Get Ready for CMMC Compliance
View our guide to learn all the details.
What is CMMC?
The Cybersecurity Maturity Model Certification is a Department of Defense (DoD) program that protects federal contract information (FCI) and controlled unclassified information (CUI) and keeps job shops, contractors, and manufacturers accountable for employing safe cybersecurity practices.
The CMMC compliance process is a complete change involving people, processes, and technology.
There are three levels of compliance for CMMC 2.0. Manufacturers handling CUI will most likely need to comply with Level 2; Level 3 will be required only for manufacturers working on high-priority CUI programs whose data is critical to national security. The specific requirements that apply to you should be found in your existing contracts.
The three levels of CMMC 2.0 include:
Level 1 Compliance
Entry-level/basic cybersecurity: 17 practices, FCI data only, verified by self-assessment.
Level 2 Compliance
Advanced cybersecurity: 14 domains and 110 controls. Applies to CUI; requires a triennial third-party assessment and an annual self-assessment.
Level 3 Compliance
The highest level of cybersecurity: 14 domains and 110 controls plus an additional subset of controls; requires a triennial third-party assessment and an annual self-assessment.
Why ECI's CMMC Compliant Solution?
With 24,000 customers and almost 40 years of experience, ECI has a cloud security team that is experienced in helping small and medium-sized businesses. We execute quality cybersecurity tools, processes, and policies so that our customers can meet compliance obligations and grow in profitability.
Cloud security is discussed in daily stand-ups, weekly touchpoints, monthly and quarterly business reviews, and board meetings. We run an Enterprise Risk Management (ERM) Program; our Information Security team performs an annual risk assessment incorporating the likelihood and impact of several critical risk categories to protect our customers against the latest threats.
ECI has processes in place to help ensure that CUI data is accessed only by US persons and is stored and transmitted using compliant encryption. We provide role-based authentication and permission using multifactor authentication (MFA). We also offer FIPS-compliant encryption to protect your data in transit and at rest.
Role-based Authentication and Permissions
Each user can be individually tracked and audited, and privileged accounts (accounts with access to customer data) require a documented business need and specific authorization, so only authorized users can access the specified files and folders. We follow the principle of least privilege and provide account lock-out functionality.
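The three controls named above (per-user audit trail, privileged roles that count only when backed by a recorded authorization, and lock-out after repeated failed logins) fit together in a small access-control layer. The following is an added, constructed illustration written for this page; it is not ECI code, and the role names, folders, users, approval reference and the five-attempt threshold are all assumptions made for the example.

```python
"""Illustrative role-based access control with an audit trail and lockout.

Constructed example, not ECI code. Roles, folders, user names, the approval
reference format and the lockout threshold are invented for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Set

MAX_FAILED_ATTEMPTS = 5                 # assumed threshold before lock-out
LOCKOUT_WINDOW = timedelta(minutes=15)  # assumed lock-out duration

# Least privilege: a role grants only the (folder, action) pairs the job
# needs, and nothing is permitted unless some role explicitly grants it.
ROLE_PERMISSIONS = {
    "machinist": {("/jobs/shop-floor", "read")},
    "estimator": {("/jobs/quotes", "read"), ("/jobs/quotes", "write")},
    "cui_custodian": {("/cui", "read"), ("/cui", "write")},
}
# Privileged roles (access to CUI) only take effect when the account carries
# a recorded business-need authorization, e.g. a change-ticket reference.
PRIVILEGED_ROLES = {"cui_custodian"}


@dataclass
class User:
    name: str
    roles: Set[str]
    privileged_authorization: Optional[str] = None  # approval reference
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


@dataclass
class AuditEvent:
    when: datetime
    user: str
    action: str
    resource: str
    outcome: str


class AccessControl:
    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self.audit_log: List[AuditEvent] = []
        self._now = now or (lambda: datetime.now(timezone.utc))

    def _record(self, user: str, action: str, resource: str, outcome: str):
        # Every decision, allowed or denied, is attributable to one user.
        self.audit_log.append(AuditEvent(self._now(), user, action, resource, outcome))

    def login(self, user: User, password_ok: bool) -> bool:
        """Apply lock-out: after MAX_FAILED_ATTEMPTS bad attempts the account
        is refused, even with correct credentials, until the window expires."""
        now = self._now()
        if user.locked_until is not None and now < user.locked_until:
            self._record(user.name, "login", "-", "denied:locked")
            return False
        if not password_ok:
            user.failed_attempts += 1
            if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
                user.locked_until = now + LOCKOUT_WINDOW
                self._record(user.name, "login", "-", "denied:lockout-triggered")
            else:
                self._record(user.name, "login", "-", "denied:bad-credentials")
            return False
        user.failed_attempts = 0
        user.locked_until = None
        self._record(user.name, "login", "-", "ok")
        return True

    def authorize(self, user: User, action: str, resource: str) -> bool:
        """Allow only if one of the user's effective roles grants the action
        on the folder containing the resource."""
        for role in sorted(user.roles):
            if role in PRIVILEGED_ROLES and not user.privileged_authorization:
                continue  # privileged role without an approval on file is ignored
            for folder, allowed_action in ROLE_PERMISSIONS.get(role, ()):
                if action == allowed_action and resource.startswith(folder + "/"):
                    self._record(user.name, action, resource, "ok:" + role)
                    return True
        self._record(user.name, action, resource, "denied")
        return False


if __name__ == "__main__":
    ac = AccessControl()
    alice = User("alice", {"machinist"})
    bob = User("bob", {"cui_custodian"}, privileged_authorization="CHG-0042")
    print(ac.authorize(alice, "read", "/cui/drawing.pdf"))   # denied
    print(ac.authorize(bob, "read", "/cui/drawing.pdf"))     # allowed
    for event in ac.audit_log:
        print(event.user, event.action, event.resource, event.outcome)
```

Note that a user who holds the `cui_custodian` role but has no approval reference on file is treated exactly like a user without the role, so granting the role in the directory is not by itself enough to reach CUI folders, and every allow or deny lands in the audit log under the individual account.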
What if you could find a technology solution to help take some of the compliance burden off you?
Our Government Compliance Cloud is the result of 40 years of experience working with small and medium-sized manufacturers, employing best-in-class people, processes, and technology for cybersecurity, and working with industry-leading cybersecurity experts to walk you through your customer journey.
Cybersecurity Best Practices and CMMC Domains Deep Dive Whitepaper
Read our whitepaper to learn all the details.
Cybersecurity Maturity Model Certification (CMMC) Frequently Asked Questions
Can people access the ECI Government Cloud from home? How do I keep that safe?
Yes. Because it is a web platform, employees can log in from home; you can access ECI Government Compliance Cloud as long as you have company-issued credentials.
What is the difference between CMMC and NIST SP 800-171?
NIST SP 800-171 is a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). CMMC is a certification program that verifies adherence to those NIST guidelines through a formal certification. Other certifications, like ISO, demonstrate a commitment to NIST.
What is the difference between CMMC and ITAR?
ITAR (22 CFR parts 120-130) governs the manufacture, export, and temporary import of defense articles, the furnishing of defense services, and brokering activities involving items described on the United States Munitions List (USML, ITAR section 121.1).
While there is overlap between the two regulations, if a weapons/defense manufacturer does not handle CUI, it likely will not need to be CMMC compliant. If a manufacturer does not contribute weapons/defense articles, it does not need to be ITAR compliant.
Which government regulations can ECI help us be compliant with?
Our ECI Government Compliance Cloud applications are designed to handle ITAR 22 CFR Parts 120-130, EAR 15 CFR Parts 730-774, FCI, CUI, NIST FIPS 140-2, and NIST SP 800-171/CMMC Interim Rule.
Our ECI Government Compliance Cloud applications are not designed to handle NIST FIPS 199 and 200 or NIST SP 800-53. Our applications have not gone through the FedRAMP authorization process, as ECI does not sell directly to the Federal Government. Find more information here.
How do I get started with CMMC? Do I need to be CMMC Compliant?
To decide whether your manufacturing facility needs a CMMC-compliant solution, we recommend that you talk with your customers to see what they require. Manufacturers can be ten to twelve layers down from a major prime contractor like Lockheed Martin or Boeing and still be handling CUI, which requires them to be CMMC compliant. We also recommend weighing the pros and cons of compliance for the systems and processes outside of your ERP, educating your teams, and completing a self-assessment. These four steps should give you a good idea of your next steps. If you still have questions, please view our Getting Started with CMMC with ECI Guide and share your specific questions with your account manager.
Is ECI Government Compliance Cloud in compliance with FedRAMP?
As ITAR-compliant and CMMC-ready solutions, JobBOSS² and M1 are currently approved to handle Controlled Unclassified Information (CUI) today. Hosted in highly secure AWS GovCloud and Azure Government environments with FedRAMP High authorization, we ensure top-tier protection for sensitive data. Looking ahead, we are advancing towards FedRAMP Moderate Equivalency within JobBOSS² and M1, further strengthening our commitment to security and compliance.
A Job Shop's Journey Towards CMMC
Learn from this 10-person job shop as they share some of the challenges and lessons from their CMMC voyage.
CUSTOMER SUCCESS STORY: Midway Swiss Turn
Learn how this contract manufacturer tackled CMMC
Talk to someone
Our ECI secure, cloud-based platform assists in CMMC compliance for manufacturers who serve the U.S. government's aerospace and defense needs. Reach out to us today if you want more information.