As of Spring this year, the U.S. Department of Defense (DoD) has initiated a slow rollout of a new cybersecurity certification model known as the Cybersecurity Maturity Model Certificate (CMMC). As a result, any company that wants to secure DoD contracts must comply with CMMC standards, which will augment or replace existing standards. But what does this mean?
Long story short, defense contractors have to step up their cybersecurity to get lucrative projects in the future. They're required to undergo certification review by an accredited third-party body and, based on their maturity level (more on this later), can participate in bidding for contracts. It comes in light of numerous cyberattacks over the years, resulting in the theft of state secrets.
Such a task may look daunting, but there are ways defense contractors can do to be prepared for CMMC compliance. It boils down to covering as many bases in one's cybersecurity framework as possible. Also, it won't cost as much as one might think.
- Hire a cybersecurity expert
Expect a long checklist in a cybersecurity audit. After all, defense contractors will be handling information crucial to homeland security. Its loss will put the U.S. in a vulnerable position, at least in the eyes of rival countries.
For this, contractors can benefit from hiring a cybersecurity company that knows the answer to the question: 'Who Needs CMMC Certification?" While not in the business of certifying those compliant with CMMC, it can guide contractors as to the requirements.
In addition, a comprehensive audit will reveal what the contractor's cybersecurity framework needs and doesn't need. No matter how advanced, state-of-the-art security features will be useless if the framework can't support them. Furthermore, thinking that the framework will be immune to cyberattacks is a dangerous mindset in this day and age.
- Take it one level at a time
The CMMC v1.0 framework outlines 17 distinct capability groups, each having 43 capabilities, that defense contractors must demonstrate for compliance. The more groups they fulfill, the higher their maturity level will be.
Below are the five maturity levels outlined by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD):
- Level 1 (basic cyber hygiene) – Demonstrates and practices at least 17 capabilities, namely protecting information in contracts not available for public release known as Federal Contract Information (FCI)
- Level 2 (intermediate cyber hygiene) – Demonstrates and practices 72 capabilities, namely safeguarding Controlled Unclassified Information (CUI) or information that's sensitive but not to the point of compromising national security
- Level 3 (good cyber hygiene) – Demonstrates and practices 130 capabilities, namely implementing multifactor authentication
- Level 4 (proactive) – Demonstrates and practices 156 capabilities, namely compliance with NIST SP 800-171B (to be explained in the following item)
- Level 5 (advanced/progressive) – Demonstrates and practices 171 capabilities, wherein they're constantly being improved to protect highly sensitive data.
So far, the CMMC framework doesn't state a mechanism for determining the maturity level of specific contracts. However, most fall within the scope of Levels 1 and 2, which are easier and less costly to achieve. Taking it slow will allow companies to build their capabilities enough to advance level after level, all without breaking the bank.
It should also be noted that companies don't need to demonstrate every capability listed on the CMMC framework. Fulfilling those that fall within their reasonable means will enable them to achieve CMMC certification.
- Know a few vital distinctions
Before CMMC, standardizing cybersecurity measures fell to NIST SP 800-171. This 150-page document highlights the requirements for securing CUI sent to companies by federal agencies. Since its implementation in 2018, it has undergone a few revisions and integrated addendums. The B draft, as mentioned earlier, is a guideline for handling data from nonfederal agencies.
CMMC is only a requirement if contractors wish to participate in bidding for defense contracts. It doesn't validate that a contractor complies with NIST SP 800-171, which remains important despite the CMMC rollout. Experts say claiming to be NIST SP 800-171 compliant because of CMMC compliance can get a company in trouble with the False Claims Act.
To avoid this pitfall, contractors must build their framework to secure data from federal (e.g., CUI) and nonfederal sources. Videos like the one shown below provide a complete summary of the difference between CMMC and NIST SP 800-171. Full compliance with NIST SP 800-171 will grant a company Level 3 maturity.
Conclusion
The OUSD estimates that CMMC will affect around 300,000 defense contractors in the U.S., as future contracts aim to achieve full compliance by 2026. So now will be as good of a time as any for a contractor to review its cybersecurity framework.
