The new U.S. Department of Defense Cybersecurity Maturity Model Certification (CMMC) is shortly coming into effect. Its goal is to incorporate multiple maturity levels, ranging from basic to advanced, into the Defense Federal Acquisition Regulation Supplement (DFARS). A contractor’s maturity level will then be used as a requirement for contract award.
CMMC was created and implemented in just one short year. That’s lightning speed for a big government agency. While many would say a unified cybersecurity standard for DoD contracts was long overdue, the fast emergence of this requirement leaves hundreds of thousands of government contractors scrambling to get prepared and be compliant.
There is a big education effort underway to help. The recent program, What CMMC Means for Your Company, was part of that effort. Put on by Washington Technology, the event showcased perspectives on CMMC from different vantage points coming from those directly touched by it.
Katherine Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, and the DoD’s leader of the CMMC initiative, explained its importance, commenting that because business builds everything the DoD uses to perform its mission, if business isn’t safe, neither is the country.
Ms. Arrington emphasized that the model, which defines five maturity levels and is patterned after the NIST 800-171 and 800-53 standards, is not a checklist, but instead is guidance to help businesses know what they need to do. While she remarked that businesses are already doing most of the activities defined at Level 1 maturity, the biggest lift will be getting to Level 3, which will be needed for most significant contract work.
She acknowledged that smaller businesses in particular, which mostly function as subcontractors, will need help getting “over the hump.” The DoD website projectspectrum.io offers guidance to small-to-medium-sized businesses (SMBs) on the audit process, which, by the way, is not yet finalized. Any company offering these services now is simply not credible. Audits should be available in the next couple of months.
The CMMC requirement will begin showing up in DoD Requests for Information (RFIs) as of June. The required maturity level for a particular piece of work will be set according to the sensitivity level of the contracts a supplier works on. Auditors will do initial certifications, and the DoD will do continuous monitoring of suppliers, making this an ongoing process.
Following Ms. Arrington’s comments, panels of business representatives discussed how heavy a lift it will be to reach compliance, along with some policy issues driving the CMMC.
Alba Aleman, CEO of small government subcontractor Citizant, discussed how her firm has aggressively pursued the security capabilities DoD now requires. She noted that “It’s in all of our interest to get to the intent of the model, which is to protect… It’s actually easier to bake this kind of discipline around cyber hygiene into your organization when you’re small. The DoD is forcing us to do this, and it’s a great thing – we should have been doing it all along.”
Tim Trickette, Director of the Federal Supply Chain Cybersecurity and Compliance Practice at BDO, commented that it’s a long road ahead if you haven’t already started. He emphasized that it’s not an IT or cyber problem; it’s an enterprise risk problem. The CEO must own the process or it’s doomed to fail, because it requires cooperation from across the organization. He also noted that primes need to be helping their subs and communicating about CMMC as much as possible to support the businesses on whom they depend to fulfill their government contracts.
Alan Chvotkin of the Professional Services Council also noted that many in the government contracting industry had been concerned that a firm’s level of cyber preparedness would become a critical pillar for acquisitions, giving some advantages over others. While companies don’t want to share such sensitive inside information that could reveal their vulnerabilities, with CMMC the playing field will now be level because security worthiness will need to be proven. He did note that the maturity level for any given contractor will not be made available to the general public.
Moving to CMMC is certainly a big change in what feels, for many, like a short period of time. Communication, dialogue and a shared sense of mission will be needed from everyone involved. As the panelists pointed out, it’s all about being able to innovate quickly and get the latest technology into the hands of the warfighter. As cyber threats continue to escalate, that mission simply cannot be compromised.