Trinity Precision Implements the Department of Defense’s New CMMC Guidelines
June 23, 2021
In January of 2020, the U.S. Department of Defense (DoD) launched Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) in an attempt to increase the security and resiliency of DoD contractors. This set of unified cybersecurity standards has been designed to defend against potential breaches of intellectual property that pose a threat to national security and has emerged as a response to the previous compromise of sensitive information leaked from DoD contractors’ information systems. Contrary to previous cybersecurity practices, the CMMC framework now requires a third-party assessment to ensure compliance with required cybersecurity precautions, along with specific mandatory procedures and practices to adapt and evolve with new cybersecurity threats.
All DoD contractors, including small businesses, commercial item contractors, and foreign suppliers along the supply chain, will be required to implement this new CMMC process to assess their cybersecurity precautions and ensure accurate policies have been established. At Trinity Precision, a nationally trusted aerospace parts manufacturer, we have already taken the necessary steps to ensure the safeguarding of sensitive information by implementing the CMMC framework for cybersecurity. Learn more about the process of CMMC implementation, and find out how our partnership with the Anneal Initiative and Iconic IT has helped us stay ahead of the curve.
Understanding the CMMC Process
The CMMC framework is divided into five different certification levels reflecting the maturity and reliability of an organization’s cybersecurity infrastructure. Because the levels are cumulative and require adherence to all lower-level specifications, organizations with more vulnerabilities will be required to meet higher security standards and require a higher level of certification. The different levels require organizations to meet the following compliance specifications:
Level 1—During the first level of the CMMC framework, a company must perform “basic cyber hygiene,” such as using antivirus software and ensuring employees change passwords regularly to safeguard all Federal Contract Information (FCI).
Level 2—Building on the specifications detailed in level one, level two requires companies to establish and document their “intermediate cyber hygiene” practices to protect any Controlled Unclassified Information (CUI) and serve as a transition between level one and level three.
Level 3—By level three of the CMMC framework, a company must have a standardized management plan to implement “good cyber hygiene,” safeguard CUI, and follow additional security requirements and standards.
Level 4—Level four requires additional cybersecurity practices to defend CUI from advanced persistent threats (APTs) and mandates companies to implement processes for reviewing and measuring the effectiveness of their practices.
Level 5—By level five, a company must continue to have processes implemented across the organization and additional enhanced practices to detect and defend against APTs. This level includes an additional 15 practices not included in the first four levels, amounting to 171 cyber hygiene practices in total.
Partnering With the Anneal Initiative and Iconic IT
At Trinity Precision, our team is dedicated to safeguarding sensitive information while still manufacturing aerospace parts quickly and cost-effectively for our clients. To focus on the manufacturing process and create effective and reliable cybersecurity solutions, we have partnered with the experts at the Anneal Initiative and Iconic IT to begin implementing these CMMC requirements at an early stage.
“My first encounter with Trinity Precision was at a cybersecurity conference in Wichita when I was introduced to David May, president of Trinity Precision. This was when I was still working at a smaller company,” said Matt Lee, Director of Technology and Security at Iconic IT, a Managed IT Service Provider (MSP), specializing in fully managed or co-managed IT support, cybersecurity and cloud solutions, and strategic guidance. “At the time, I wasn’t focused on compliance matters but was willing to facilitate a discussion and learn more about the compliance issues because of how much I enjoyed working with David as a client. Now, after years working with Jeremy Jackson at the Anneal Initiative and developing a process to deliver CMMC certification requirements, I have close to 170 employees, am very dedicated to internal compliance and delivery of CMMC, and work with 16-17 other clients to provide the same services.”
Due to the level of trust built among all three parties involved in protecting sensitive information and navigating the CMMC requirements, a mutually symbiotic relationship has emerged between our team at Trinity Precision, the Anneal Initiative, and Iconic IT. This relationship has benefitted all companies by allowing each party to offer better solutions to their customers and remains a fantastic example of what a strong extended partnership and network can bring to a company.
Our teams at Trinity Precision have worked closely with Jeremy Jackson, a partner at the Anneal Initiative, to document all compliance regulations for continuity, ensuring that the policies are demonstrable, well-documented, and proven with non-repudiation. The only way to implement a mature approach is to document it in the leadership policy, capturing these strategic decisions in writing so that we are able to revisit and readjust them moving forward. With the implementation of the CMMC framework, companies will now be audited to prove these practices are efficacious and written in a defensible manner, which is why partnering with Jackson has proven valuable for our teams at Trinity Precision. The Anneal Initiative not only wants to ensure they are helping their clients be more secure, but they also want to create low-cost, simple solutions that fit well with each particular operation.
“We learned a lot about MSPs through working with Matt and watching as he changed things, and learned a lot from David from the business perspective,” said Jackson. “Were it not for being able to work with them, we would not have been able to hone our offerings as early on, and we would not have been as prepared to help other clients with similar services.”
Staying Ahead of the Curve
At Trinity Precision, we began taking steps toward cybersecurity controls in 2017 before governmental policies and requirements were instituted. We specifically contracted with the Anneal Initiative to better understand the changing CMMC requirements and develop internal processes that remain compliant with these continuously changing requirements. To manage the execution of these policies, we partnered with Iconic IT to serve as our Managed Security Services Provider (MSSP) and deploy cutting-edge tools to help our team at Trinity Precision identify and protect against identity threats. They are constantly working to evaluate the best service providers, platforms, and tools to use in the area. In addition to creating these solid partnerships, we have also deployed advanced tools, including human factor training for phishing and cybersecurity threat training for all employees, which includes monthly testing in these areas with success rate reports.
Not only has our willingness to heed the advice of individuals like Lee and Jackson helped differentiate Trinity Precision from other companies, but our ability and efforts to continuously move forward and complete self-imposed security milestones have given us a significant advantage in terms of advanced cybersecurity efforts. Because of our preemptive security and compliance measures, our clients will not expect a disruption in the manufacturing of parts because we already have procedures and practices in place to meet the specific CMMC requirements. At Trinity Precision, we will cautiously navigate these cybersecurity requirements while continuing to produce parts effectively, accurately, and securely.
“The biggest thing that Trinity Precision does to differentiate themselves from other companies is that when it comes to living in a world that is under constant attack, and they still need to deliver more parts at a better price, they are constantly evaluating the three-year world, providing them with the ability to deliver a unified system and take additional cybersecurity steps on a constant basis,” said Lee.