Why Did the DoD Create CMMC?
The US DoD released the first version of the highly-awaited Cybersecurity Maturity Model Certification (CMMC) in January 2020, which will usher in an era of accountability and visibility in defense contracting services. The CMMC introduces sweeping changes that reflect the DoD’s new views on cybersecurity.
The new model defines five levels of a contractor’s cybersecurity maturity by examining the contractor’s processes, measuring the company’s controls, and ensuring they are in line with relevant policy. Most importantly, CMMC certification will determine whether a contractor can bid on DoD contracts.
The CMMC standard is an evolution of the National Institute of Standards and Technology (NIST) and Defense Federal Acquisition Regulation Supplement (DFARS) frameworks, and it requires third-party auditors (3PAOs) to review the cybersecurity level of DoD contractors.
What Is CMMC?
The Department of Defense designed this cybersecurity framework in collaboration with Federally Funded Research and Development Centers, University Affiliated Research Centers, and industry players.
In the past, DFARS regulations required all contractors to work with the DoD to adopt cybersecurity compliance standards established by the National Institute of Standards and Technology (NIST). This framework, known as NIST SP 800-171, is part of a broader initiative designed to protect the Department of Defense’s supply chain from security risks and cyber threats.
The CMMC standard combines NIST SP 800-171 with other discrete compliance standards, including ISO 27001, ISO 27032, NIST SP 800-53, and AIA NAS9933. Additionally, the new standard takes some best practice guidelines from related compliance frameworks such as FISMA.
Until now, Department of Defense contractors have been responsible for monitoring and certifying their own information systems security, and the integrity of any DoD data that they generate, transmit, or store.
Under the new model described by the CMMC, defense contractors remain responsible for implementing their cybersecurity measures. However, the systems they put in place are subject to audits by third-party assessors. The audits check that the contractor complies with the framework’s mandatory practices, capabilities, and procedures.
Why the DoD Is Implementing CMMC
According to the Department of Defense, the CMMC is to serve as a mechanism to verify that there are appropriate levels of security processes and best practices deployed by its contractors. Certification ensures that its industry partners adhere to its cyber hygiene standards to safeguard Controlled Unclassified Information (CUI) stored on contractors’ networks.
There are three key reasons why the DoD created the CMMC:
- Increasing Ransomware and Phishing Attacks: The DoD faces enormous cybersecurity challenges. For instance, the Pentagon receives about 36 million email messages containing phishing attacks and ransomware every day. Despite its best efforts, a 2018 data breach affecting a system operated by a defense contractor at the Pentagon exposed more than 30,000 DoD staff’s personal information.
- Cyberattacks by Foreign Governments: At the beginning of 2020, the Department of Homeland Security issued a warning, cautioning of a possible rise in cyberattacks targeting government networks due to increasing tensions in the Middle East. There is also the constant threat of state-sponsored cyberattacks against the US by China, North Korea, and Russia. Protecting sensitive information is a never-ending battle, and it required a revision of the DoD’s cybersecurity frameworks through the CMMC.
- Non-Compliance by Contractors under a Self-Declaring Model: In 2015, the Department of Defense identified specific cybersecurity requirements for its contractors in the Defense Federal Acquisition Regulation Supplement (DFARS) (252.204-7008 and 252.204-7012). However, adoption of the DFARS framework has been slower than expected, despite the DoD’s efforts to incentivize supplier compliance. The department is concerned that most contractors in the defense sector maintain only the most basic security hygiene standards.
In the face of unacceptable risks to the Controlled Unclassified Information that resides on its contractors’ systems, the Pentagon introduced the CMMC standards to ensure that the companies it does business with adhere to an appropriate level of cybersecurity protection.
Starting in September 2020, the CMMC takes the place of the existing ‘self-declaring’ model. Instead, contractors will need to have third-party audits of their cybersecurity processes as a pre-condition of doing business with the US Defense Department.
Preparing For CMMC Certification In-House Is Risky
Department of Defense contractors with sufficient resources and the necessary cybersecurity experts could choose to prepare for their audit and CMMC certification in-house.
However, before undertaking an in-house Cybersecurity Maturity Model Certification program, a contractor needs to assess what is at stake, mainly because it needs to pass the third-party CMMC audit on the first attempt.
If the contractor fails the initial examination, it could lose a lot of time correcting its security shortcomings. The contractor could also face delays caused by the potential bottleneck of security audits in the early days of implementing the CMMC framework. DoD estimates expect that up to 6,000 companies will seek CMMC certification in FY 2021.
With CMMC certification set to become mandatory for the award of DoD contracts, any delays would prove fatal for businesses that rely on the DoD for most of their revenue.
Outsourcing CMMC to a Managed IT Services Provider
Most DoD contractors lack the resources and expertise to adequately address the requirements of NIST SP 800-171B or SP 800-171 Rev.2, which are required for CMMC certification. For such organizations, the most effective way to ensure that they meet the cybersecurity requirements of the CMMC is to outsource compliance consulting and cybersecurity initiatives to a Managed IT Services provider.
Experienced service providers know the necessary processes and possess the templates needed to undertake gap analyses and develop an overall security strategy. The IT service providers also have the resources, expertise, and experience to carry out successfully any remedial measures that may be required. In addition, a managed security services provider has the tools contractors need to monitor their security performance and resolve issues to ensure continued compliance.
Most contractors will find that outsourcing these capabilities instead of building in-house capacity will save them time and money.
Let Advantage Industries Provide Your Business with CMMC Compliance Consulting
Are you a defense contractor seeking CMMC certification? Advantage Industries offers a simple, 4-step proactive plan to prepare you for your third-party audit. Do not worry about staying current with CMMC standards; we will do that for you.
The four essential steps we take to help you prepare for the rollout of CMMC guidelines are:
- Readiness assessment and gap analysis
- Design of a remediation plan
- Monitoring, reporting, and documentation
- Providing a system security plan for ongoing compliance
Ensure that you are ready for CMMC certification. Contact Advantage Industries for a no-obligation readiness assessment before your audit.