3 ways to prepare for CMMC
- By Dan Fallon
- Mar 05, 2020
According to Ellen Lord, under secretary of Defense for acquisition and sustainment, cyber theft drains an estimated $600 billion a year from global GDP. Because every third-party contractor with access to DoD data widens the department's attack surface, the DoD announced the Cybersecurity Maturity Model Certification (CMMC) as a way to raise the security baseline for contractors doing work with the government.
Adopting the CMMC will help protect sensitive government data housed in the supply chain and ultimately set organizations that work with the federal government up for future success against outside threats.
As the federal government begins to adopt CMMC Version 1.0, organizations hoping to do business with agencies can consider the following steps to prepare for these potential partnerships.
Determine how CMMC Version 1.0 fits into your organization
The CMMC is an evolution of existing security policies that consolidates them and adds further rigor for entities doing business with the federal government. As organizations begin to prepare for the new regulation, they should first review the CMMC document in parallel with a review of the organization's current security posture, especially with regard to documented procedures.
This review will allow the business to determine where the gaps are in its existing policy and what it needs to do to adhere to CMMC standards.
CMMC has five levels, with level five being the highest or most secure. Each level adds practices and process-maturity requirements on top of the one below it: in Version 1.0, level one requires 17 practices, level three requires 130 (all 110 NIST SP 800-171 requirements plus 20 additional practices), and level five requires 171. While levels one and two should be within reach for most organizations that already practice basic cyber hygiene, the investment required for the more advanced levels can be estimated from the outcome of the organization's assessment of its existing security posture.
CMMC builds on existing National Institute of Standards and Technology and Defense Federal Acquisition Regulation Supplement standards. The policy specifically builds upon existing frameworks including NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations), which provides federal agencies with recommended security requirements for protecting the confidentiality of controlled unclassified information within nonfederal systems and organizations, and which DFARS clause 252.204-7012 already requires of DoD contractors that handle such information.
Organizations can also look to FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems), which prescribes 15 basic safeguarding requirements for contractor information systems that process, store or transmit federal contract information; those 15 requirements are the basis of the 17 practices at CMMC level one. (Contractors that hold classified information are governed separately by FAR 52.204-2, Security Requirements, not by this clause.) Organizations familiar with NIST and DFARS standards may find that CMMC is a natural next step from their preexisting security protocols. For organizations new to security standards, understanding those earlier requirements is a good place to start.
With any new security standard there will be challenges, and it will take time for third-party security consulting organizations to fully familiarize themselves with the policy itself and its enforcement. Public-private partnership will be critical in these efforts, to ensure that lessons learned are shared across agency organizations and procurement offices. Reaching the advanced levels of CMMC will require rigor in security procedures and could require significant investment, especially for smaller organizations with less budget and manpower. Smaller organizations can look to larger enterprises for best practices or work more closely with agency or security partners wherever possible.
Plan for CMMC in the short-term
Once you have determined the status of your organization's existing security posture, clearly outlining how much (or how little) work will be needed to meet the CMMC requirements lets the organization get a jump start on putting a plan into practice. Once a plan is identified, documenting it is critical, so that every key stakeholder is aware of the gaps and can give an informed sign-off on the investment.
For organizations that have not worked with the federal government in the past, additional personnel and services from third-party consulting companies may be needed. The DoD has set a goal of including CMMC requirements in all new contracts by fiscal 2026, giving organizations of all sizes and experience levels time to determine the best way to adopt the new requirements.
Strategize for future changes and additions to the CMMC
CMMC is a worthwhile benchmark for any organization doing business with the broader federal government, as many civilian agencies are expected to adopt this DoD standard. Anyone doing work with the DoD specifically will have to achieve level one at a minimum, and organizations doing services-integration work, or holding controlled unclassified government data, should plan for the more advanced levels.
Many entities that already do integration work, especially for classified environments, have likely already met the standards that CMMC builds upon. For them, moving to the advanced levels of CMMC should complement what they have already put into practice.
CMMC is designed to fortify existing security policies for organizations interested in business with federal agencies. Security threats are nimble and constantly evolving, and as more government information is generated, the organizations tasked with housing that data must evolve with them.
As organizations gain a broader understanding of CMMC and determine which level they need to meet, the best approach to agency partnerships will become clear. A deep comprehension of evolving security policies will ultimately set organizations up for success when working with the federal government.
Dan Fallon is Systems Engineer Manager for Nutanix Federal.