, ,

Upgrade DNC Software & Streamline Your CMMC 2.0 Compliance

DoD contract manufacturing

In an effort to ensure defense contractors are following best practices to protect sensitive data, Cybersecurity Maturity Model Certification Program (CMMC) rulemaking is inching closer and closer to finalization, with rules proposed by the U.S. Defense Department (DoD) on December 26, 2023. While these rules are published for comment, the codified version isn’t expected to change too drastically, however, DNC software upgrades may be something to consider, and Shop Floor Automations can help.

Townsend Bourne, partner at Sheppard Mullin, noted during an interview with Federal News Network. “Personally, I don’t know that we’re going to see significant changes from the proposed rule that came out at the end of December and the way the final rule is drafted,” said Bourne. “Most importantly, because DoD has been working on this program for so long, and I think they’re at the point where they think it’s pretty close to final.”

CMMC 2.0 Level 1 Sneak Preview

USB CNC program transfer cybersecurity

Transferring CNC programs via USB can not only require hefty management of manual user authorizations, device logs and documentation, but they can risk USB CNC program transfer attacks and noncompliance with CMMC 2.0.

The progression of this rulemaking process is quickly advancing the impact of CMMC 2.0 to manufacturers of all sizes, especially small-to-medium sized businesses (SMBs) that will need to carefully manage finite resources to absorb added costs, personnel and training to meet and maintain compliance.

One aspect of CMMC 2.0 that will deliver a layer of complexity is the proper storage and control of removable media, like USBs and CDs, which many defense contract manufacturers utilize today to transfer CNC programs, images and other Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) to and from computers and machines. Let’s review a few aspects of the Level 1 requirements clause of 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, to illustrate some of the necessary steps to store and control sensitive data appropriately on these devices.

  • Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

There should be a clear set of procedures regarding who is permitted access to removable media, their accountabilities related to this access, and how often these procedures are reviewed, validated and updated. Programmers, engineers and others involved in the CNC program transfer process should have unique credentials and the correct identity or role-based permissions across devices and systems.

Credentials and keys should be properly managed and rotated to enhance the security of sensitive information. If you’re manually managing user security and authorization related to CNC program transfers via paper or spreadsheets, for example, it can be a time-consuming and involved endeavor that may be prone to errors and noncompliance.

  • Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

It’s necessary to have documentation of the transactions roles and personnel who are authorized to execute, so that sensitive data is not processed by those lacking permissions to do so. But do you also have the safeguards to block unauthorized transactions and track those attempts? Again, a manual means to meet this requirement can not only be labor-intensive and riddled with inaccuracies, but near impossible for some DoD contract manufacturers with complex operations.

USB CNC program transfer attacks

  • Verify and control/limit connections to and use of external information systems.

Even limiting the use of removable media can still leave data susceptible, as USBs are re-gaining popularity in cyberattacks. Daniel Wiley, the head of threat management at Check Point, relayed an instance in which a power company employee received a sealed USB device from an Amazon package, complete with Amazon tape. “He thought his wife ordered it. So he opened it up, plugged it in. Everything else was a chain reaction. It was able to break in across their VPN. Let’s just say the power company was not in a good place.”

It is imperative for defense contractors to have the proper controls set up to protect your CUI against USB CNC program transfer attacks – but no controls will be completely failsafe.

Roll Credits

It’s estimated that a CMMC Level 1 self-assessment will cost a small entity about $6,000, according to DefenseScoop. For SMBs, this cost could be significantly more depending upon the existing IT infrastructure, processes and know-how of your staff.

An ideal DNC software, which is a system that leverages Industrial Internet of Things (IIoT) and connects your shop floor equipment on one network, could be hugely beneficial. An upgraded DNC system can reduce or eliminate manual user authorizations, device logs and documentation for more streamlined CMMC 2.0 compliance and the prevention of USB CNC program transfer attacks.

 

Not only does this allow for CMMC 2.0 compliance, but DNC software upgrades also can streamline your entire operation. For instance, with Predator DNC software, you can network all CNCs, EDMs, PLCs and robots with a singular DNC package. At Shop Floor Automations (SFA), we have been the top Predator reseller for 20 years, and we also are a top provider of proven software from Scytec and Ascendant Technologies.

 

The team at SFA can provide you with DNC solutions for any brand, connection type or age of CNC machine. Additionally, we offer hardware solutions that can revolutionize your shop floor. To learn more about our machine monitoring solutions or how DNC software can aid your CMMC 2.0 compliance, contact an SFA representative today.