Where to start and how to go forward with CMMC preparation

The Department of Defense has made it clear that hardened and verifiable cybersecurity practices are a critical part of those companies wishing to bid on U.S. defense contracts. As with any regulatory change, the new Cybersecurity Maturity Model Certification will present a series of challenges to DoD contractors that make up the Defense Industrial Base supply chain.

The oversight body for this process, the CMMC Accreditation Body, acknowledges the significant undertaking of the certification process, as 300,000 companies that make up the Defense Industrial Base take steps to revamp their cybersecurity practices and policies to comply with the ongoing requirements.

What is the CMMC, and Why is it Needed? 

The U.S. has strived to maintain a technological edge over adversaries by investing in resources to keep its enemies at bay and to protect those who must carry out the dangerous tasks required of a military organization. However, in the last decade, cybercriminals have advanced their techniques and have been able to steal massive volumes of sensitive data from defense programs, costing the government billions of dollars.

In fact, “as much as $600 billion, nearly 1% of global GDP, is lost to cybercrime each year, with no slowing down,” according to a report from the Center for Strategic and International Studies in partnership with McAfee. A 2018 report from the Council of Economic Advisers, reveals that “malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.”

In addition to the high economic cost, the compromised data poses a significant threat to national security and this country’s ability to maintain the unique technical advantages provided by the U.S. Defense Industrial Base.

Threat actors have strategically targeted the supply chain to extract critical information because contractors typically lack the full sophistication of the DoD’s cybersecurity practices and capabilities. Lesser-resourced organizations are at greater risk and vulnerable to advanced actors; the supply chain is only as strong as its weakest link.

In response to the threat, the DoD established the CMMC to enhance the defense industrial base’s cybersecurity posture and to bring the base case of cybersecurity practices up to par with those seeking to steal that sensitive data, whether they be criminal organizations or state-sponsored hackers.

The certification program assesses organizations across five levels of increasing expectations, enabling contractors and suppliers to know what is expected of them to work with the DoD.

One big improvement for CMMC over previous security standards is that this is no longer a self-assessment, implementing instead a thorough third-party auditing process before awarding certification.

Under the updated plan, the CMMC-AB is responsible for identifying, training and certifying third-party auditors to conduct physical audits. These auditors will make the final decision on whether a contractor has met the controls required to receive their certification.

Should Organizations Prepare Now?

As the CMMC certification program unfolds during the next five years, preparing for certification is a critical exercise. The DoD plans to require CMMC certification in some contracts starting in FY 2021, specifically November 2020.

The CMMC-AB estimates that up to 6,000 companies will require CMMC certification in Federal FY21, and companies need to take into account the amount of the time it may take to get certified.

While specifics are yet to be determined, contractors would be smart to assume that any contract -- new or up for recompete -- is a candidate for CMMC. No defense contractor is immediately compliant with the CMMC since an in-person audit by an approved auditor is required.

Adopting its principles now will only enable your company to get ahead with additional opportunities for acquiring future DoD work.

Some initial recommendations on where to begin include:

• CMMC Readiness & Pre-Assessment: CMMC draws from a few existing certifications—NIST 800-171, CIS Controls, DFARS -- and helps contractors understand the policies and procedures that need to be revamped. It is an important first step to take a pre-assessment prior to meeting with auditors to understand their organization’s current state of CMMC readiness.

• Meeting with Auditors: Once the list of C3PAOs is publicly distributed, companies should contact C3PAOs to begin building a business-to-business relationship for the certification process. This is similar to the FedRAMP process.

• Prepare Documentation. A paper trail of documentation will most likely be needed for the assessment process. It will be essential for contractors to prepare internally.

Looking Ahead: What’s Next?

While the detailed timeline remains unknown, the CMMC-AB disclosed it is ready to begin testing and plans to roll out the first wave of auditors in time for the first RFP’s that require CMMC in November.

Acknowledging the unique challenges presented by COVID-19, companies should plan on how to meet the requirements of the onsite audits to align with the COVID-19 restrictions that may still be in place in the coming months.

Although appreciative of the lasting impact of the current global climate, the underscoring necessity to institute more transparency and due diligence in cybersecurity for government contractors of all sizes is something that cannot and should not wait.