Our Colorado CNC machine shop is in the process of pursuing CMMC 2.0 compliance, which will prove to the US Department of Defense that we meet rigorous cybersecurity standards.
To streamline the complex process as much as possible, we created a work order in our ERP system, ProShop, just like we would if we were manufacturing a complex part. The work order outlines a long series of steps to achieving CMMC 2.0 compliance.
Now that we’re several months into the process, we’re here to provide an update on our status—because transparency and accountability matter to us.
Our Progress Toward CMMC 2.0 Compliance to Date
As of March 2024, we’ve made significant progress through the Advanced Asset Inventory step in our CMMC certification work order. Here, we’ll provide insight into what each of these initial steps entails.
Introduction to CMMC and Resources - Complete
This step includes:
Reading through the CMMC 2.0 standard.
Understanding the certification levels.
Assigning a member of upper management to lead the implementation.
Informing employees of the process.
Documentation - In Progress
This step focuses on collecting all CMMC certification documentation and controlling who in the organization can access it.
Planning - Complete
This step includes:
Assessing whether the necessary resources are available to achieve CMMC certification.
Ensuring the entire organization is aware of the requirement.
Assessing how to allocate budgetary resources to necessary programs, platforms, or consultants.
Planning to achieve CMMC certification.
Assessing the available budget for implementing CMMC certification and the cost of becoming certified.
Appointing one staff member who is responsible for information security and can lead the implementation of CMMC.
Securing commitments from upper management to designate time and monetary resources for CMMC implementation.
Understanding the certification process, which involves arranging for a company that is part of the CMMC Accreditation Board to conduct an audit.
Identify Users - In Progress
This step includes:
Reviewing the definition of Least Privilege and understanding how it functions within the company. (Least Privilege ensures that users only have access to what they need to perform their job.)
Identifying all individuals in the organization with access to CUI systems.
Identifying all privileged and administrative accounts within all systems. (A privileged account is one with the ability to set configurations for all other accounts.)
Identifying all company positions within the organization.
Configuring the necessary access and training levels for each company position in our ProShop ERP system.
Assigning each employee a company position.
Defining the procedure for assigning company positions for employees who change roles.
Defining how users will be disabled once they are no longer employed.
Backups, Backups, Backups - 70% Complete
This step includes ensuring all platforms are being backed up. We’re working to document how our ERP system, ProShop, and our quoting software, Paperless Parts, manage backups.
Collecting Event Logs - In Progress
This step involves:
Creating and retaining system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Providing a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
Advanced Asset Inventory - 80% Complete
This step involves:
Creating a hardware asset inventory that includes the network address, hardware address, machine name, asset owner, department of the asset, and whether the hardware asset has been approved to connect to the network.
Creating a software asset inventory that tracks the name, version, publisher, and install date for all software on systems, including remote workstations.
Creating an inventory for other assets.
Identifying asset owners.
Goal: Achieve CMMC 2.0 Compliance by the End of 2024
We’re thrilled to say that our Colorado CNC machine shop is on target to achieve Level 2 certification, which has a long list of 110 requirements aligned to NIST SP 800-171, by the end of 2024.
Our effective approach to obtaining CMMC certification underscores what customers who work with us already know: our shop is organized, methodical, and strategic in the pursuit of any goal—big or small. We’d love to show you what we can do for you. Request a quote to work with us.