Plenty of action promised as new CMMC standard looms for contractors

We should expect a lot of action in the coming weeks around a new cybersecurity standard that the Defense Department will require all contractors to abide by eventually.

At the end of this week or early next week, the Defense Department will release Cybersecurity Maturity Model Certification 1.0, the first final rule governing the certification requirement.

To support CMMC, DOD has stood up the CMMC Accrediting Board that will train and certify the auditors who will assess the compliance of government contractors.

Third-party auditors will assess how well contractors comply with cybersecurity requirements and cyber hygiene practices. Contractors will be awarded CMMC Level 1, Level 2 and so on with Level 5 being the highest standard. DOD wants to move away from relying on companies self-certifying themselves.

There is still plenty to come even with these two big actions looming -- the naming of the CMMC Accrediting Board and the imminent release of the CMMC standard.

Here’s a brief rundown of what needs to happen between now and when DOD starts adding CMMC as a requirement in its contracts.

Finding, training and certifying the third-party auditors

No auditors have been named yet because the final CMMC standard hasn’t been released. The CMMC Accrediting Board still needs to establish the training protocols and then train and certify the auditors.

Potential auditors are likely to face this choice -- do you work with companies to help them prepare for their audits or do you do the audits?

Software company ComplyUp sells an auditing tool. It has created a CMMC Auditor Marketplace for companies to sign up. So far, 164 companies have expressed an interest in being auditors.

Determining what the first contracts with CMMC requirements are

Katie Arrington, who is running the CMMC program for DOD, has said full CMMC compliance will take place in steps. Only 15 defense contracts will be awarded in fiscal year 2021 with CMMC requirements.

But don’t think that means only 15 companies will need CMMC certification. Arrington estimates those 15 contracts as touching 1,500 firms that will need to be CMMC compliant. That is because CMMC compliance reaches down into the different tiers of subcontractors.

We don’t know yet what those first 15 contracts will be, but the speculation is that they will be large defense programs of record.

The expectation is 75 contracts with CMMC requirements for fiscal 2022, then 250 for FY 2023, and 479 by fiscal 2024. By fiscal 2025, that means 48,000 companies will need to be CMMC compliant.

The CMMC Accrediting Body also offers up some staggering numbers for full compliance: 350,000 vendors in the DOD supply chain that eventually will need to be assessed and 10,000 professional assessors who will conduct the audit.

All of that said: some unanswered questions linger

Arrington and DOD have been very proactive with industry, collecting feedback and they have been very transparent with their goals. That’s all good. But here are some things to watch out for.

Is there enough time?

I've been told that this kind of audit typically takes three people working full-time for 30-45 days. That is just for one location. A company is not going to get a blanket certification. Each location that is doing work for the government will need to go through their own audit. How long will the backlog be?

How do you fight CMMC creep?

When solicitations come out with CMMC requirements, the solicitation will say what CMMC level is required. Who will make that determination? Human nature will be to put the highest cybersecurity requirement on the solicitation.

That reminds of comedian Jim Gaffigan’s joke about his wife being in intensive care after having a brain tumor removed. “Should everyone in the hospital be in intensive care? Oh, we’ll put you into mediocre care.”

What about rogue contracting officers?

Arrington says DOD will start with 15 contracts, but what’s to stop contracting officer from adding it as a requirement right away?

As for now, I’d watch the CMMC Accrediting Board closely. What they are doing with the trainers and licensing the auditors will set the pace. Also keep a close watch on Arrington and what those first 15 contracts are.

How will small businesses fare?

The big boys have the resources to pay for these certifications. But as CMMC currently stands, it is likely to bite many small businesses hard.

What about new entrants?

Will CMMC turn off innovative commercial companies that might have a product or service to offer government agencies? Will we see companies walk away or scale back significantly?

Stay tuned.