Still trying to properly position your organization for the Cybersecurity Maturity Model Certification (CMMC)? Have you considered using the CMMC to your advantage? Here is how.
Ever since the Cybersecurity Maturity Model Certification was announced to the public by the Department of Defense in the Summer of 2019, defense contractors have been gathering information to better understand how the CMMC will impact their organization.
At first, there were plenty of questions, and rightfully so. The CMMC was not released publicly all at once out of thin air. The CMMC was introduced in pieces through scheduled releases. Why? Because the CMMC is a game-changer.
One major change is that every single contractor wanting to do business with the DOD, will need to be certified to CMMC Level 1 at a minimum. This is considered “basic” cyber hygiene.
Katie Arrington, Chief Information Security Officer for Assistant Secretary for Defense Acquisition, often states that “the majority” of defense contractors in the DOD supply chain will only need CMMC Level 1 certification. Of the approximate 300,000 organizations that make up the supply chain, that sounds simple enough, right?
That depends on the objective of the organization. So, what does “majority” really mean?
At first glance, the word “majority” seems to mean a lot of the above mentioned 300,000. That might very well be true, but when talking about the DOD’s information being handled by organizations that make up the Defense Industrial Base (DIB), how many view themselves as “basic” pieces of such an important supply chain?
Hopefully not the “majority.” That doesn’t seem very convincing to taxpayers, does it?
In order to get any sort of certification process in place, there has to be a minimum. A baseline.
Consider CMMC Level 1 as basic. Ms. Arrington does a great job discussing Level 1 in this short interview on Government Matters. At the 3:40 mark, Ms. Arrington discusses the importance of creating a “unified standard” for small businesses in order to “level the playing field.” She’s absolutely right.
Every organization that handles someone else’s information, should be held to some level of expectation on how they will keep that information protected. For contractors of the DOD, CMMC Level 1 is that basic, entry-level proof they value the business relationship with the DOD, and the extra layer of responsibilities required to keep an on-going relationship in place.
Until the first RFI’s come out later in 2020, no one can say for sure what “CMMC Level 1” will look like in a contract, only that it’s core is FAR 52.204-21 “Basic Safeguarding of Covered Contractor Information Systems.” For now, organizations should focus on the data being handled.
Is the data/information “basic?” Would the organization be embarrassed or upset if the information ended up in the hands of a competitor? Or an adversary?
Starting with these types of risk-based questions should give an organization some direction on where their cybersecurity maturity should be, regardless of what their CMMC requirements will be in the future.
There are 17 basic, and in most cases, free practices that are required for CMMC Level 1, but do not require any formal process to be in place. They are referred to as FAR Clause 52.204-21 and were to be in place by December 31, 2017.
One example of a basic practice: Limiting information system access to authorized users and devices. Another example is implementing sub-networks for public use that are physically and/or logically separated from internal networks.
Unfortunately, there are still contractors within the DOD supply chain who don’t have even the basics in place. Scary to think, isn’t it? If every DOD contractor had these 17 practices in place, the simple attacks from our adversaries would succeed at a much lower rate.
CMMC Level 1 is the basic layer of security we desperately need as a nation right now. Any contractor who has yet to implement these basic controls should be viewed as a vulnerability to the supply chain.
Does the DOD really want the “majority” of its supply chain operating with a “basic” level of security? Sure, basic is better than nothing when it comes to national security measures, but is there enough motivation to be better than basic?
Although there are numerous information resources available to learn about how the CMMC will roll out, one thing has been made clear:
CMMC Level 2 will not appear in DOD contracts.
Level 2 will serve as the transition step in the cybersecurity maturity progression of protecting Controlled Unclassified Information (CUI). For organizations seeking to handle more than basic information from the DOD, their goal should be achieving CMMC Level 3 maturity.
According to Ms. Arrington and her team’s estimates, there are currently around 15,000 contractors believed to be handling CUI. Therefore, they should already be compliant with DFARS 252.204-7012 and have the 110 controls of NIST SP 800-171 in place.
Unfortunately, due to self-attestation, there was no way to verify compliance, thus no leveling of the playing field for all contractors. The CMMC will become the way the DOD can confidently award contracts that contain CUI, to organizations who positioned themselves to handle that level of data/information.
At first glance, 15,000 does not sound like a lot when compared to 300,000. But, divided across the 50 states, that is 300 defense contractors per state that handle CUI. Considering some states have a fairly small footprint within the DOD supply chain, perhaps using 35 states and 428 each is more accurate.
Still, that is a lot of organizations that make up a critical piece of the supply chain.
The beauty of CMMC Level 3 is that the prescription has been relatively the same for the past few years, which is NIST SP 800-171. Although there are 20 additional CMMC requirements that go beyond the 110 of NIST SP 800-171, this level of cyber hygiene is referred to as “good.”
This should be viewed as positive news for the Defense Industrial Base, because being “good” will give you a clear advantage over those who are not, regardless of them potentially being behind in their maturity or only targeting CMMC Level 1 contracts.
CMMC Level 3 should be viewed as an organization’s “buy-in” for non-basic DOD contracts. Requirements are requirements, and DFARS 252.204-7012 has been around for years. Getting requirements in place and investing in the business, is proof that an organization is serious about contracting with the DOD. That they are a good partner.
If an organization’s mindset on CMMC is “what can we do to get around this?” and not “how do we use the CMMC to our advantage if we get what we need in the most practical, affordable, and secure way?”, the former could be viewed as a red-flag by contracting officers. What business wants that label put on them?
Circumstances and threats are always going to evolve, therefore, defenses also need to evolve. The CMMC is a maturity model, which means always moving forward.
Requiring a layered approach to security based on the level of data being handled, organization, and planning for future changes will be much easier for the DIB to adopt. If an organization has CMMC Level 1 maturity today and wants to mature to a CMMC Level 3, they have that choice.
That said, for those currently at CMMC Level 3 maturity, the requirements call for a managed security approach. As threats evolve, this makes it easier to apply additional security enhancements to mitigate the new threats.
No one can say for sure what CMMC standards will look like in 5, 10 or 20 years. What is certain? The DIB needs to continuously mature their cyber defenses to protect our nation.
Not only will threats evolve, but situations change as well. Take a look at how quickly the COVID-19/Coronavirus situation changed the business world. A situation that came at everyone quickly, not only changed the threat landscape, it changed the DOD contracting landscape.
Take this article by Jon Harper of National Defense Magazine as a perfect example. Harper quotes Assistant Secretary of the Navy for Research, Development and Acquisition James “Hondo” Geurts on the following:
Guerts points to the importance of small business suppliers to the DOD during a crisis like COVID-19. Small businesses providing innovation, as a critical piece of the supply chain, oftentimes become the most vulnerable.
It goes without saying, the challenges facing small businesses today seem to be piling up. Fortunately, there are affordable, practical, and secure ways to increase an organization’s cyber hygiene and maturity.
For anything to mature properly, realistic expectations cannot be “zero to hero” overnight. For the CMMC, the journey from “basic” to “great” is not going to happen with the snap of a finger.
As mentioned above, contractors should be focused on becoming GOOD before they become great.
By now, if your CMMC concerns are centered around your uncertainty with being at CMMC Level 1 maturity, it’s likely that your path to good cyber maturity seems lengthy. Does it have to be?
Can a small business piece everything together themselves? Yes.
The time and resources of maturity up to CMMC Level 3 has to be expensive, right? No.
Is the cloud the only option? No.
Do true small business solutions exist yet? Yes.
One question every business leader needs to ask themselves is, “Do I have confidence in passing an audit today? How about a year from now?”
Under the current DFARS rule, believing that your organization is fully compliant is allowed.
With the CMMC, organizations should be knowing, not believing. There is too much risk in unverified “belief” when the CMMC certifications consist of “go/no-go” outcomes.
Knowing starts with an accurate and effective plan. A plan that has a practical path to execute the objectives in a timely fashion.
Do you know your compliance progress and status today? Are you sure? Has the CMMC left you a little dazed and confused? Are you a small business with no infrastructure? Are security and information technology (IT) not a key focus of your business?
Regardless of your answers, it’s OK. The CMMC has graciously given you some time, but also eliminate all excuses.
What if all of the technical requirements already existed as a small business solution offering? What if all of the non-technical requirements were available through security expertise as a separate function, that collaborates with the technology solution?
And what if no further investments in additional hardware or software solutions were required?
Can that exist…in one solution? For a fraction of the price of piecing everything together? And for less than putting the whole organization into the cloud?
The CUICK TRAC™ solution is perfect for small businesses that need every requirement in place, at all times, for NIST SP 800-171 in order to be DFARS 252.204-7012 compliant, while increasing cyber hygiene to CMMC Level 3 maturity.
CUICK TRAC™ combines a secure virtual environment, built to the specifications of NIST SP 800-171, to allow organizations to process, store or transmit CUI while protecting its confidentiality, with all supporting administration and non-technical requirements.
Secure Virtual Environment/Desktop (access from anywhere) ✔
System Security Plan (SSP) ✔
Plan of Actions and Milestones (POAM) ✔
Policy and Procedures ✔
Training and Awareness ✔
Security Incident and Event Management (SIEM) ✔
IT Support Staff ✔
Multi-Factor Authentication (MFA) ✔
Encrypted Email and Secure File Share Portal ✔
Office 365 Applications ✔
Audit Manual and Preparation ✔
Access to Government Sites ✔
Incident Response ✔
Has COVID-19 caused the majority of your workforce to be remote? Not a problem. CUICK TRAC™ is securely accessible anywhere there is an internet connection.
If the unanticipated coronavirus situation has taught the business world anything, it’s that waiting for something bad to happen before figuring out what to do, can be a catastrophic situation for businesses.
With the CMMC, there is no reason to wait. Get the requirements in place and use the CMMC to your advantage!
Learn how the CUICK TRAC™ solution can put your organization in a position to achieve the proper level of cyber hygiene sooner, versus later.
For additional information on the CMMC, the only two websites with confirmed information are:
CMMC Accreditation Body | https://www.cmmcab.org/
The Office of the Under Secretary of Defense for Acquisition and Sustainment | https://www.acq.osd.mil/cmmc/