The Price To Be Paid for Security – CMMC 2.0
For top tier-related contract manufacturers, 2025 is set to usher in a new security provision mandated by the DoD for all who supply the millions of precision-machined parts that keep our tanks rolling and military aircraft flying. CMMC 2.0 is the revised version of the Cybersecurity Maturity Model Certification, which establishes a baseline cybersecurity protocol designed to safeguard what we in the industry refer to as controlled unclassified information (CUI).
With the final compliance regulations yet to be ironed out, the industry expects the new rules to go into effect by late spring or early summer. There is also a three-year phase-in period, which seems necessary at this point considering the level of disparity among the cybersecurity and procurement departments collaborating to ensure non-prime contractors like us get it right.
Sticker Shock and Higher Prices
As the owner of a top tier-level metal manufacturing company that supplies prime DoD contractors, I can share firsthand that there is a significant expense involved in meeting the CMMC requirements. We first became aware of the impact after acquiring a small machine shop that was supplying parts to a DoD prime contractor. Prime DoD contractors like General Dynamics, Lockheed Martin, and Boeing can easily absorb the elevated costs, but it appears we will have no choice but to raise prices to continue supplying our defense-related partners.
Smaller DoD suppliers like my company have a totally different perspective to share, as well as an overriding concern about the true price we’ll be paying to maintain these strict new cybersecurity standards. Ostensibly, it’s much more of a warning than a concern.
Third-Party Assistance Required
The final details of the new CMMC protocol are still being ironed out, but the information we do have at this point is complex, cumbersome, and likely to create several operational challenges. Because we don’t come from IT services or cybersecurity backgrounds, the highly technical details of the CMMC requirements are much too difficult to navigate and implement on our own. Firms like ours will likely require assistance from a third-party managed security service provider (MSSP) to help explain, implement, and maintain these new standards. And the price tag for such assistance is easily going to be cost-prohibitive for many of the smaller tier-level DoD suppliers.
While it’s easy to understand the necessity of ramping up security for the CUI assets we handle, many smaller contractors are in for a rude awakening once the new CMMC requirements begin showing up within the flow down of contracts. We’ve been warning our clients ahead of time that big changes – not of our making – are coming. But what I really fear are the unintended consequences I feel certain are looming on the horizon.
Less Competition, Fewer Parts, Less Security …
Hypothetically, what happens to the DoD’s supply chain if 25% of existing tier-level contract manufacturers, critical components in the defense industry, suddenly decide that the new CMMC regulations aren’t really worth the time and hassle? These firms are well aware that there is plenty of commercial and non-CUI work to be had in the manufacturing industry as a whole, which could ultimately thin the herd of available (CMMC-compliant) DoD suppliers. From the outset, this potential reduction in competition sounds promising to those who do intend to stay on and comply with the new security requirements, as it could drastically increase revenues. But it could also overwhelm our already stretched manufacturing capacity. It stands to reason, but remains to be seen, that with fewer suppliers, there will be less available output. And quite possibly increased prices to be paid for delivery.
Sounding the Alarm
The scenario I’ve shared so far brings me to my final point. The tier-level manufacturers who supply the prime contractors and DoD are facing a critical inflection point. This crucial manufacturing sector, which supplies the parts and pieces that make up our military might, is facing a potential disaster in the making – a metaphorical tsunami just offshore that won’t hit manufacturing shores as a one-time wave, but rather a flood, capable of devastating the existing DoD supply chain and changing the way we do business for good.
Time for a Time-Out?
We’re all aware the CMMC regulations are still a work in progress, but there’s still a lot of uncertainty swirling around regarding the intended – and unintended – consequences of implementing these new rules. A more relaxed version of these standards has been in place for the past few years but was loosely followed at best. Thankfully, there was a brief open comment period for CMMC, the concerns of which were seriously reviewed and in some cases applied. As for the financial impact, grants and assistance programs have been discussed to ease costs, but nothing specific to date has been offered. Before it’s too late, perhaps both sides should come together and discuss the operational realities for the top-tier DoD manufacturers working in the trenches. Aside from that – and barring an eleventh-hour reprieve – CMMC 2.0 is coming.
In the end, CMMC 2.0 will most likely accomplish what it intends. We’ll have first-class security for all of our CUI assets, such as CAD drawings, blueprints, and documents. Which, in turn, should make you feel safer about foreign threats like China accessing our top-secret and classified information. But if the remaining DoD suppliers and their CMMC-compliant contractors can’t keep up with the overwhelming demand for the precision-manufactured parts and pieces that keep our military might operating in top-flight condition, there will be even fewer combat-ready components in our domestic arsenal.
How exactly does that protect America’s national security interests?
Larry Caschette is the President of Metalcraft Industries, a Denver-based contract metal manufacturing company that specializes in CNC machining, sheet metal fabrication, and metal stamping, along with a wide range of post-production services.