CMMC resources for companies now that the rule is here



A pair of senior Pentagon leaders told attendees at a Professional Services Council conference where they should look to learn about their customer's new information security requirements.

The Defense Department’s new cybersecurity standard for its industrial base has officially launched now that the final rule is live for everyone to see.

DOD’s top cyber official David McKeown evidently was not kidding on Tuesday when he said the release of the rule that officially gets the Cybersecurity Maturity Model Certification underway was “imminent.”

Speaking on a panel at the Professional Services Council’s 2024 Defense Conference, McKeown told attendees that CMMC’s rollout will take place over three years and the department will emphasize the program’s higher two levels of certification.

“If you're at that level three and level two, we're going to really focus on what our most important programs are and try to push the companies that are handling data in relationship to our most important programs,” said McKeown, DOD’s chief information officer for cybersecurity.

Sitting alongside McKeown on the panel were Farooq Mitha, director of DOD’s Office of Small Business Programs, and moderator Eric Crusius from the law firm Holland and Knight.

Companies seeking a level two or level three certification must have a third-party organization assess how securely their information systems handle government data.

DOD estimates it has approximately 220,000 companies in its industrial base, counting both prime contractors and their subs. McKeown said approximately 140,000 will only need to have a self-assessment, which would get them a level one certification.

That group of 140,000 does not “have any real important CUI (controlled unclassified information) data that we care about,” McKeown said. “As a result, no assessment needs to be done, no money needs to be spent there necessarily.”

But for those that do need a third-party assessment, and particularly for more cost-conscious smaller businesses, what resources are out there to help them navigate this new way of working with the U.S. government?

Mitha highlighted DOD’s Project Spectrum as one of the first places smaller companies should look to as they embark on the CMMC journey.

At no cost, small businesses can receive training and assessments of their IT systems by participating in Project Spectrum. Mitha said the idea behind the program is to help companies understand what their risks are, plus how and where they can start to mitigate them.

“I have had companies say that ‘I've spent all this money and I feel like I've done it for nothing because CMMC isn't out yet,’ and I definitely sympathize with that,” Mitha said. “I've always encouraged companies first, before they do anything, especially smaller companies to go to project spectrum and at least get their baseline established.”

Mitha also pointed attendees to Apex Accelerators, a network of 97 centers under the purview of DOD’s small business office. These hubs are set up to help companies learn the ropes of doing business with the federal government, plus state and local agencies.

The Apex offices are helping roll out the Project Spectrum training and offer other cyber resources to smaller businesses in the DIB, he added.