Among CMMC's great unknowns, a necessary paradigm shift looms large

Questions loom about the ongoing implementation of DOD's CMMC, but real success will require a cyber ethos that permeates your company.

The federal IT and government contracting communities are abuzz with discussion about the Defense Department’s Cybersecurity Maturity Model Certification (CMMC). Questions loom: how soon will the process gain momentum, what will compliance entail, and what effects will it have?

The CMMC conversation is taking place against a dramatically shifting backdrop of cybersecurity developments. Amid an onslaught of high-profile cyberattacks, new guidance continues to emerge from the government, including the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST) and the White House itself.

While agencies and their industry partners alike are evaluating steps toward implementation, it’s essential for everyone to also take a deeper look at their organizations’ internal cybersecurity readiness.

Preparing for CMMC can be a good starting place for companies looking to take stock of their cybersecurity capabilities and understanding. This is especially true since we know CMMC will involve different levels of compliance that hinge on security controls set forth by NIST. We also know new requirements and processes call for expert navigation through the move away from check-the-box compliance and toward evolving cybersecurity maturity.

We know that to succeed under CMMC, you need to have the ethos—and it needs to permeate your organization and every member within.

There’s also what we don’t know (and are aware we don’t know—known unknowns). We don’t know when CMMC will go into effect for all contractors and become the law of the land. We don’t know when there will be enough Certified Third Party Assessment Organizations (C3PAOs) to evaluate and accredit the hundreds of thousands of contractors subject to CMMC requirements. We don’t know what level of accreditation companies should aim for, or how reciprocity with FedRAMP will work.

And then there are unknown unknowns. Perhaps one of the most critical is the fluency in—and functional daily practice of—core cybersecurity practices in your workforce. Do your interns and your CEO understand and exercise cyber hygiene just as well as the IT team? Have you audited your work equipment’s technology debt (how old it is, how close it is to end of life), your comprehensive training, your team-wide level of security sophistication? It’s quite possible that, no matter your role, you don’t know the answers to those questions—so you can’t know how mature your organization is in cybersecurity.

This is the great unknown unknown: How much of a paradigm shift is required for your specific organization to embody a cybersecurity ethos, individually and collectively?

Regardless of Title, You’re Part of the Security Team

How do you run your business? Does your entire company—not just a specific application or service that’s being provided to the government—institutionally practice basic cyber hygiene? That’s essentially CMMC Level 1, and the scrutiny increases from there. If your cybersecurity “hygiene” is limited to annual trainings and mandatory password changes every so often, it’s time to integrate cybersecurity into organizational structure, as customary as your code of conduct and your regular staff meetings.

The degree of onus this places on your company depends on several factors, including your current security stance and the work you currently do. Do you already adhere to Defense Federal Acquisition Regulation Supplement requirements and meet high-level security controls and handle FedRAMP High-level data? You’re in good shape. But if you’re running Windows 7 in your shop producing brackets for the new fighter jet, this will be a greater burden. And of course, these are two ends of a spectrum—so it’s a fair question to ask, how sophisticated do you have to be?

The short answer: sophisticated enough to understand that just like when you’re going on family vacation, it’s everyone’s responsibility to help lock up. Ensuring cybersecurity in your government contracting firm isn’t the role of “the company” or “the IT guys” anymore—to succeed under CMMC, security is everyone’s duty, methodically and smartly integrated into routines and functions.

This requires a true paradigm shift. In many ways these practices shade into zero trust architecture, in which no user, device or connection is trusted until it has been verified. But it’s hard to legislate or mandate a paradigm shift. Too often in government contracting, such attempts only raise the barrier to the participation, diversity and competition needed for a healthy defense industrial base.

Driving a paradigm shift means “living the policy” in action—not just talking the talk, but also walking the walk. It likely requires incentivizing and investing, thoroughly understanding the grave consequences of failure, and making cybersecurity part of everyone’s job description, part of the conditions of employment and part of company culture.

Luckily, humans by nature are good at noticing differences—they like to figure out what’s different. This is why the “See Something, Say Something” campaign has been so successful; everyone knows what it means without further explanation, and everyone feels vested in public safety around them. This can also be a valuable and effective element in the campaign to ingrain a cybersecurity mindset; it gives everyone some skin in the game.

Ultimately, CMMC is for the benefit of all of us: the troops and field operatives at the pointy end of the spear; the analysts, strategists and leaders supporting mission-critical operations; and the American people whose data, tax dollars, clean water and access to fuel hang in the balance.

Nobody is outside the cyber “danger zone,” so nobody is outside of the security force, either.