Defense Industrial Base (DIB) contractors store and use sensitive government data to create and deliver goods and services. To ensure that contractors have the proper safeguards in place to protect this confidential information, the U.S. Department of Defense (DoD) developed a program known as the Cybersecurity Maturity Model Certification (CMMC).
The CMMC is a new certification model and unifying standard for implementing cybersecurity across the DIB. There are currently more than 300,000 companies in the supply chain and every day more express interest in working with the DoD. CMMC helps ensure that these contractors secure information like government agencies and military departments do.
CMMC requirements are not yet set in stone. The interim Defense Federal Acquisition Regulation Supplement (DFARS) rule has established a five-year phase-in period, during which time CMMC compliance will only be required in certain pilot contracts. Regardless, the CMMC has already had a significant impact on many organizations.
Why Was CMMC Created?
Starting in 2017, the DoD required subcontractors to complete a Plan of Actions & Milestones (POA&M) and System Security Plan (SSP) to assess their cybersecurity posture according to NIST 800-171 standards. This standard is made up of 110 controls and requires a comprehensive analysis of a subcontractor’s response to cybersecurity requirements and implementation outcomes.
By 2019, it became clear that these regulations were not being met. In response to concerns about government security and with congressional approval, the DoD commissioned updated standards and regulations known as the CMMC.
Before the implementation of the CMMC, contractors were responsible for maintaining the integrity of their own IT systems and the sensitive data stored, generated, and transmitted within them. While contractors are still responsible for meeting essential cybersecurity measures, a third-party assessment of compliance is now required to help businesses guard against cyber threats.
Why Is CMMC Important?
The CMMC brings multiple compliance processes, such as NIST SP 800-171, NIST SP 800-53, AIA NAS9933, ISO 27001, and ISO 27032, into a single, unified framework. It also includes best practice guidelines from other compliance procedures, such as those found in the Federal Information Security Management Act (FISMA).
The DoD brings in a significant amount of contract work. According to the Congressional Research Service, the DoD spent more than $665 billion on contracts in fiscal year 2020, an increase of over $70 billion from the previous year. For many organizations, contracting with the DoD can be highly lucrative.
Technology is constantly evolving and with advances in IT comes more cyber threats. To mitigate risks, the DoD and contractors must meet the standards and regulations outlined in the CMMC. The CMMC acts as the DoD’s metric to measure an organization’s ability to secure its supply chain from potential cyber threats properly.
How Are Businesses Impacted?
The CMMC has impacted DIB contractors in several ways, including financially. Prior to the release of CMMC requirements, contractors only had to spend enough to satisfy the DoD. With CMMC now requiring defense contractors to meet stricter requirements and pass a third-party assessment, contractors face higher costs.
The CMMC has become a barrier for some organizations that cannot afford to invest in the technology needed to maintain optimal security. Fortunately, the DoD has implemented some solutions to prevent costs from affecting job opportunities, such as providing a range of compliance with costs that scale up for each level. Security is also an allowable cost on DoD contracts.
How Can Organizations Prepare?
While the final CMMC standards have not yet been published, DIB contractors can begin to prepare for these requirements. There are several steps that contractors can take to be ready, including the following:
- Ensure that the organization understands its current cybersecurity posture. Review existing cybersecurity frameworks, such as NIST 800-171, and complete a self-assessment to gain awareness of where the business stands and where improvements must be made.
- Update any current security documents while focusing on the evidence required for standard DoD A&A processes. CMMC requirements are likely to reflect existing requirements, meaning organizations can leverage available materials in the CMMC process.
- Look for opportunities to transfer operational risk. For example, cloud-based managed services can provide organizations with turnkey solutions for CMMC compliance.
Identify a CMMC subject-matter expert for the business. This professional should be tasked with staying up-to-date on all DoD guidance and published CMMC documentation.
Contact SeaGlass Technology Today
There are many benefits that come from CMMC certification, such as maximizing cybersecurity resilience, recovering from cyber incidents without financial penalties, preventing future cyber incidents and adopting best practices across maturity levels.
Working with an experienced NYC managed IT service provider can help ensure that the organization meets CMMC compliance. For more information about the importance of CMMC or for help preparing for a third-party assessment, schedule a consultation with the IT experts at SeaGlass Technology.