Time to Get Serious About CMMC Readiness
July 13, 2022 | I-Connect007 Editorial Team | Estimated reading time: 6 minutes

Divyash Patel of MX2 Technology is a leading cybersecurity expert who is sounding the alarm about getting your company into a state of readiness. But he isn't yelling fire in a theater. Whether it's aligning with the DoD's Cybersecurity Maturity Model Certification (CMMC) or simply ensuring your company's data and processes are protected, Divyash can see what's coming. "This is a must-have compliance program," he says. "It needs to be taken seriously and maintained."
Nolan Johnson: Divyash, we are here to learn more about CMMC, and how it fits into today’s current cybersecurity concerns.
Divyash Patel: From a manufacturing standpoint, I’ve seen a lot of inconsistencies on how companies treat government data—general government, not even DoD. Many manufacturing companies don’t have any processes or formal cybersecurity awareness training in place regarding such information, especially when it’s confidential, especially involving the DoD. There are many businesses where this information was just flowing through as if it were written on a napkin somewhere.
That shows me there is a big gap. These companies are nowhere near meeting the most basic standards, not even CMMC level one. That’s a problem, especially if the DoD is requiring compliance to be pushed up and down the supply chain. Executives don’t seem to be taking this as seriously as they should, but it could become a deal-breaker for continuing to do business at any level within the DoD supply chain. Other government agencies will follow suit; it’s not just DoD.
Johnson: Hypothetically, I’m a circuit board assembler and one of my customers sends a board for me to build. That board happens to get used in a vision system in the general marketplace, but then I find out that vision system has been specified into a surveillance drone being sold to the U.S. military. As the assembler, I have no idea; I’m just working with my customer. I don’t have visibility to where that board might ultimately end up. Now it’s in a military application. That pushes the CMMC requirement all the way up the supply chain, not just to me but beyond to my suppliers. Is that correct?
Patel: If you’re part of that supply chain, and you handle controlled unclassified information (CUI), absolutely. If you’re a printed circuit board manufacturer, for example, that board may be part of a bigger assembly, and you’ll be accountable for meeting CMMC requirements. The bigger problem is that there’s no cybersecurity hygiene anywhere in the supply chain. And beyond the DoD, companies that don’t have compliance requirements like CMMC are failing to take security as seriously as they should. Yes, it is going to be up and down the supply chain, at least for those building these printed circuit boards.
Lack of Information Is the Weakest Link
Johnson: Tell me more about cybersecurity hygiene.
Patel: I’ll give you an example. Cybersecurity hygiene is having security awareness training across the organization, having access control, and adhering to best practices of cybersecurity for office productivity tools like email (no clicking links from unknown sources, no sharing sensitive files with vendors, etc.).
Cybersecurity hygiene is not willfully doing something “the way we’ve always done it.” For example, those who share confidential documents via email were never following the ITAR or cybersecurity hygiene processes. ITAR states that users cannot forward CUI documents via email to a vendor—but many simply aren’t aware.
This highlights the need for cybersecurity hygiene training.
Those who have taken CMMC more seriously are asking their vendors to fill out something as simple as a cybersecurity questionnaire. Questions include:
- What would you do with this type of information if we were to send it to you?
- What type of information are you sending?
- Do you use email as your main form of delivery?
- Do you also have a secure method of delivering documents?
- How are you controlling these?
The company says, "We've got this nice customer agreement that came in and we have to follow the requirements stated." The ISO has certain mandates the company adheres to. But at some point, someone is not managing it like it should be, and now they can receive controlled unclassified information (CUI) through email.
What happens to that email? Does your staff understand what they just received?
The problem in the industry is that nobody’s maintaining the security posture. I’ve seen this happen several times where companies start off with clean protocols, but the breakdowns can be as simple as endpoints not being patched and kept up to date. That’s simple cybersecurity hygiene. People like to take showers regularly and feel clean. Cybersecurity hygiene is the same.
Barry Matties: What’s the risk, though? What are they jeopardizing by neglecting this area?
Patel: Specific to electronic manufacturing services (EMS), you find many types of devices, such as reflow ovens, AOI/SPI machines, screen printers, solder, and other equipment. If you don’t update the firmware, the security, or operating patches, they’re vulnerable to attacks. We’ve seen this repeatedly in EMS companies, where ransomware comes in, or they exploited the vulnerability, and then it wreaks havoc on the entire company.
Here’s another example. A customer is running older-line assembly equipment with Windows NT from the 1990s. It’s working and producing, and it’s expensive to replace; it’s doing the things it needs to do. From a security perspective, however, we have not isolated that older-line assembly equipment or the end-of-life systems that are critical to its operation.
It’s a different game today, and attackers go after this kind of stuff. Manufacturing is a very old industry, but still evolving and developing. It hasn’t been able to keep up with attacks. Once you set up a manufacturing company, you’re just thinking about producing and getting product out the door. Your focus is bottom line revenue and you’re not thinking about your vulnerabilities. Attackers are not people who want to randomly have fun on a network. They have a mission. They find vulnerabilities, exploit them, and make financial demands. That’s a big problem in our industry.
Matties: You mentioned an older piece of equipment as an entry point for a hacker. Is that the most common entry point? And how common is email compared to the equipment?
Patel: The entry point is usually going to be through email or a phishing scam. That’s the low-hanging fruit.
Matties: What is the red flag when it comes to emails? How do you safeguard a company against such emails?
Patel: It usually involves end-user, security awareness training. The biggest challenge for companies that want to safeguard their email is to know what to look for. It’s as simple as, “Do you even recognize who’s sending you the email?” A lot of people click on links, because it says, “click here” and “do this.” End users are not fully trained on what to look for. If you know you’re expecting an email, do you know the person who’s sending it? Even if you did “know” them, what are they asking you to do? Does it sound like them? You must be more conscious and aware of what is being asked.
In one instance, accounts payable was asked to send $110,000 to their vendor. The accounting person noted the email was coming from the CEO, which suggested the email was legitimate. However, the email sender asked that the vendor change the banking details. Why? This request was made in the final hour of the transaction. Something triggered in the accounting person’s mind to ask the CEO if they’d sent this email; the answer was “no.” It happens just like that. You click on the email and suddenly something is running in the background, like a keystroke logging system, that sort of thing. The chain starts from a simple email. That’s often the entry point.
Continue reading this conversation in the July 2022 issue of SMT007 Magazine.
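The red flags Patel lists for the accounts-payable incident (a sender whose display name matches the CEO but whose address does not, a Reply-To that diverts the conversation, a last-minute request to change banking details, urgency, and a "click here" lure) can be turned into a first-pass mail-gateway check. The following is an added example written for this page, not code from MX2 Technology or from the interview; the company domain, the executive roster and the two messages are constructed test data, and the keyword lists are assumptions that a real deployment would tune.

```python
import re
import textwrap
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical company domain and executive roster (constructed for the example).
COMPANY_DOMAIN = "example-ems.com"
EXECUTIVES = {"jane doe": "jane.doe@example-ems.com"}

# Assumed keyword patterns for the behaviours described in the interview.
PAYMENT_CHANGE = re.compile(
    r"\b(change|update|new)\b.{0,40}\b(bank|account|wire|routing)\b", re.I | re.S)
URGENCY = re.compile(
    r"\b(urgent|immediately|today|asap|end of (?:day|business)|close of business)\b", re.I)
CLICK_HERE = re.compile(r"click here", re.I)


def red_flags(raw_message: str) -> list[str]:
    """Return a list of 'code: detail' strings, one per red flag found."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    # 1. "Do you even recognize who's sending you the email?" A known executive's
    #    display name on an address that is not theirs is the classic BEC pattern.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        flags.append(f"exec-impersonation: '{from_name}' sent from {from_addr}, expected {known}")
    elif from_domain != COMPANY_DOMAIN:
        flags.append(f"external-sender: {from_addr}")

    # 2. Replies silently diverted to a different mailbox.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.lower() != from_addr.lower():
        flags.append(f"reply-to-mismatch: replies go to {reply_to}")

    # 3. Content checks: banking change, urgency, and a generic link lure.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PAYMENT_CHANGE.search(text):
        flags.append("payment-change: request to alter bank/wire details")
    if URGENCY.search(text):
        flags.append("urgency: time pressure on the request")
    if CLICK_HERE.search(text):
        flags.append("click-here-lure: generic call to action")
    return flags


# Constructed sample: the "CEO asks AP to change vendor bank details" message.
BEC_SAMPLE = textwrap.dedent("""\
    From: Jane Doe <jane.doe@example-ems-co.com>
    Reply-To: payments@example-ems-co.com
    To: ap@example-ems.com
    Subject: Vendor payment - updated bank details
    Content-Type: text/plain; charset="utf-8"

    Hi, I need you to update the bank account for the Acme wire before close of
    business today. Click here for the new routing details.
    """)

# Constructed sample: a routine internal message from the real executive address.
LEGIT_SAMPLE = textwrap.dedent("""\
    From: Jane Doe <jane.doe@example-ems.com>
    To: ap@example-ems.com
    Subject: Supplier review
    Content-Type: text/plain; charset="utf-8"

    Are we still on for the 1pm supplier review?
    """)

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, red_flags(sample))
```

Run stand-alone, the constructed BEC message trips all five checks and the routine message trips none. Any single flag is weak on its own (plenty of legitimate mail says "today"); the value is in the combination, and the executive-impersonation check in particular is the one that should route the message to a human for the out-of-band confirmation the interview describes.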