Navy Gold Coast Recap: CMMC Updates

This article is written based on CMMC version 1.0, and may not reflect the updated requirements of CMMC 2.0.

The National Defense Industrial Association (NDIA) hosted its annual Navy Gold Coast Small Business Procurement Event conference last week in San Diego.

For small businesses that do, or want to do, business with the United States Navy and the Department of Defense, this is the conference to be at! Here is our Navy Gold Coast Recap.

One of the coolest parts of Navy Gold Coast is being able to walk the floor and meet some of the people responsible for the top products and innovation that keep us, the civilians, safe.

Whether it is precision machining, environmental services, high-tech equipment for military members or anything in between, it is fun to meet these companies in the flesh!

Besides the exhibitor showcases, the featured speakers in the main room were excellent.

Much of the focus was on how to educate, guide, and assist businesses, large and small, in support of the warfighter mission within the Department of the Navy and throughout the Department of Defense.

Cybersecurity and Securing the Supply Chain of the DoD

A lot of the focus was immediately about cybersecurity and why securing the Defense Industrial Base (DIB) is critical. This topic is not going away. In fact, it is getting a major boost.

We recently wrote about both the DFARS and NIST SP 800-171 requirements, as well as the newly announced Cybersecurity Maturity Model Certification (CMMC).

Both were hot topics in the exhibitor hall as well as on the main stage. And rightfully so!

During the first full day of Navy Gold Coast, featured speakers like Kevin Fahey (Assistant Secretary of Defense for Acquisition | ASD/A | Department of Defense) and Vice Admiral David H. Lewis (Commander | Defense Contract Management Agency) provided direct, yet colorful, insights as to what is working, what is not working, and ways to improve.

Mr. Fahey spoke about cybersecurity, specifically when referring to the Cybersecurity Maturity Model Certification (CMMC), stating, “the level of verification will matter based on what the DoD is buying.” In short, the DoD needs to start thinking more about what, and how, they are buying from industry.

Also, Mr. Fahey said, “We need a quality system to make decisions based on risk.” The days of buying products based only on cost, performance and schedule are over.

Cybersecurity was often used in the same breath as quality assurance. This, in our opinion, is where the mindset has to change.

Vice Admiral Lewis said it best: “If I find garbage in our reviews of quality, I’m going to ask ‘who is responsible for this garbage?!’, because we are going to get rid of the garbage.”

Our adversaries are currently far too successful in stealing the data that is being used to protect our nation. We have to do better.

CMMC Updates

On Friday, Ms. Katie Arrington (HQE for Cyber for the Assistant Secretary for Defense Acquisition ASD-A | Department of Defense) was joined on stage by the following panelists:

  • Ms. Dawn Greenman, Deputy Program Manager Cybersecurity, Johns Hopkins Applied Physics Laboratory (JHU/APL)
  • Mr. Mark Gordon, Vice President and Chief Information Security Officer, Lockheed Martin
  • Mr. Doug Gardner, Senior Security Engineer, Risk and Resilience Directorate, Carnegie Mellon University’s Software Engineering Institute (CMU/SEI), House Armed Services Committee – Principal Staff Member

Ms. Arrington immediately took control of the room by mentioning the recently released Department of Defense Inspector General report. She summed it up by saying, “even the DODIG is saying no one is doing this right!”

The passion of Arrington and her team really came out when she loudly stated “I am a taxpayer. This upsets me. WE [the taxpayers] should be irate!” when referencing how our adversaries are stealing from us.

As Arrington began to explain the Cybersecurity Maturity Model Certification in more detail, these statements stood out the most:

  • Of the 280,000 companies who make up the supply chain of the DoD, roughly 70% are companies with 100 employees or less.
  • There is no more “us vs them”…this is a WE approach. Collaboration!
  • Everyone that is in the supply chain of the DoD will HAVE TO BE certified.
  • Security has to be the foundation.
  • Wouldn’t be surprised if CMMC will become a federal standard, not just DoD.
  • This will be a “go/no go” certification. This is NOT negotiable!
  • $600 billion is being stolen from the DoD supply chain.
  • Will it cost a little to do business with the DoD? YES!
  • We are losing our competitive advantage.
  • Self-assessing is NOT working.
  • CMMC is way overdue.
  • We don’t need to re-invent the wheel, we need to make the wheel USABLE.
  • COST makes all the difference in the world to make this work.
  • Implementation and proof matters.
  • We will never eliminate the risk (100% doesn’t exist), but we need to buy down the risk and buy up certainty.

The message is pretty clear. If cybersecurity is not a major focus for a contractor, they won’t be doing business with the DoD.

All in all, Navy Gold Coast was a terrific event. From exhibitors to featured speakers, the energy in the room was obvious. Collaboration was used throughout the event, which was music to our ears!

What Can Small Business Contractors Do Right Now?

Based on what was presented and discussed, contractors who think simply having a Plan of Action and Milestones (POA&M) and a System Security Plan (SSP) will be enough to keep or win contracts are wrong.

Proof of implementation is what matters. Waiting until the CMMC becomes official is not advised. Get to where the DoD needs/wants you NOW.

As far as the CMMC Levels go, it appears Level 3 (110 NIST SP 800-171 controls) will be what most DoD contracts will require. Sadly, some contractors are not close to having those implemented.

Fortunately for small businesses, which often lack the resources to implement the proper security controls (correctly), Beryllium utilizes CUICK TRAC as the economically efficient, fully implemented solution to all DFARS 252.204-7012 & NIST SP 800-171 requirements.

The best part? Implementation can take as few as 14 days.

In short, CUICK TRAC gets small business contractors to CMMC Level 3, in a short period of time, for a fraction of the cost of doing it themselves. And no additional infrastructure is required.

Securing small business contractors is how WE (the taxpayers) take our competitive advantage back.

Derek White
Chief Product Officer
Derek’s success comes from his customer-first mentality, utilizing collaboration between security and technology to create positive outcomes & compliant solutions.
