Losing the Silent War: The Urgent Need for CMMC Compliance
The United States is in the middle of a cyber war – and we're currently losing. It's time we, as a unified nation, choose to fight back.
Summary (TL;DR):
- America is losing the Cyber War to foreign adversaries.
- America's Defense Industrial Base (DIB) is being targeted to steal our Intellectual Property.
- The Cybersecurity Maturity Model Certification (CMMC) Program was created to fight back in the Cyber War.
- CMMC will begin rolling out to DoD contractors in Q1 of 2025 via a phased rollout.
- Prime contractors will likely expect CMMC compliance from their subs on or before Q1 2025 regardless of a phased rollout.
- It takes the average company 21-27 months from start to CMMC certification when done the right way.
- It's imperative that every company in the Defense Industrial Base start their CMMC compliance journey now to ensure future contracts, maintain relationships with Primes, and build a company that is prepared for a cyber-secure future.
The Problem: America is losing a silent war – the Cyber War
Many Americans don’t realize this, but our country is fighting a silent war – and we are losing. We’re losing badly.
This war doesn't particularly lend itself to advancing domestic political agendas, and it doesn’t make for good headlines. Most Americans are perfectly content to pretend it isn’t happening. The stereotypical head-in-the-sand approach works just fine on this issue for most people – until it’s too late.
The war we’re losing is a cyber war, and at stake are some of our most valuable assets – our country’s Intellectual Property.
Every day, foreign adversaries launch malicious attacks against the very fabric of our business and information technology infrastructure. The goal is to obtain sensitive data regarding the very things that make America the world’s foremost superpower – the advanced technologies within our industrial and defense systems.
With Intellectual Property and sensitive data acquisition being the goal of the attacks, it should come as no surprise that the largest target is the U.S. Department of Defense (DoD) and its supply chain, also known as the Defense Industrial Base (DIB). Therefore, it is now more important than ever for DIB contractors to protect sensitive data and their Intellectual Property.
In this article, we will discuss the current state of cybersecurity in the DIB, provide a DoD cybersecurity regulatory refresher, and outline steps for organizations to become compliant with ever-increasing government cybersecurity regulations.
The Target: The U.S. Defense Industrial Base (DIB)
As tensions between the United States and foreign adversaries continue to rise, malicious actors have become increasingly adept at stealing data from American companies. In fact, recent estimates put the annual losses due to cyber theft at over $600 billion.
China has closed the technological gap with the United States in advanced weapon systems over the last 20 years. Much of this has happened via IP theft. According to the Australian Strategic Policy Institute, China now leads the United States in 37 of 44 critical technologies such as Optics, Advanced RF, Cybersecurity, Post Quantum Cryptography, Photonics, Robotics, and Drones.
In the words of former NSA Director General Keith Alexander, the sad state of our nation’s cybersecurity and the subsequent IP theft resulting from it is “the greatest wealth transfer in human history.”
It’s time we fight back against this malignant assault on our country.
It’s time to take our heads out of the sand and take the necessary actions to build sustainable security measures that protect our children, their children, and the children of many generations of Americans to come.
The Solution: Fighting Back With CMMC
To combat this war on American cyber gaps, cybersecurity experts at CISA (Cybersecurity and Infrastructure Security Agency) and the White House have issued multiple advisories, warning companies about their need for vigilant cybersecurity practices.
These warnings stress the importance of protecting Controlled Unclassified Information (CUI), which is defined by DoD regulations as information that requires protection against unauthorized disclosure in order to:
- Protect national security interests
- Safeguard private or proprietary information
- Maintain privacy and/or
- Prevent embarrassment or legal liability.
To accomplish the goals of protecting CUI and preventing malicious actors from gaining access to sensitive data, the DoD released a cybersecurity assessment program known as the Cybersecurity Maturity Model Certification (CMMC) to check contractor compliance against the NIST SP 800-171 standard, which has been required since 2017.
What is CMMC (Cybersecurity Maturity Model Certification)?
CMMC is a program by which the Department of Defense verifies contractor compliance with required cybersecurity measures when managing and storing CUI (Controlled Unclassified Information).
In order to achieve CMMC certification, a business must undergo an evaluation by a CMMC 3rd-Party Assessment Organization (C3PAO). This review assesses the company's compliance with NIST SP 800-171 requirements, after which they will receive their certification status from the governing body, the Cyber Accreditation Body (Cyber AB). To remain compliant, companies must update their certificates every three years.
What Does CMMC Require?
As stated, CMMC is an assessment methodology for verifying the implementation of NIST SP 800-171 standards. It establishes three levels of requirements that must be met and verified by a C3PAO.
Level 1 requires a company to satisfy 17 basic security practices out of a list of 110 total security controls while Level 2 requires all 110 security controls to be satisfied.
The 110 controls of CMMC Level 2 are broken up into the following 14 families:
- Access Control (AC)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
These standards are essential for companies hoping to secure contracts from DoD agencies since failure to meet them can result in fines and other penalties.
The bottom line is complying with CMMC standards demonstrates:
- An organization’s commitment to protecting Valuable Corporate Data Assets (such as CUI, ITAR, etc.) from potential cyber threats
- Protection of our country’s valuable intellectual property from being stolen and replicated
- A willingness to stand up and fight in one of the most important international conflicts of our generation and future generations
Assessment and Attestations: How Compliance Is Checked
As security expectations rise, so too do the methods by which those standards are upheld. To uphold the CMMC standard, there are a few mechanisms in place.
First is the Supplier Performance Risk System (SPRS). It was launched in 2018 as a tool for contractors to identify suppliers that have not met the DoD's cybersecurity standards. The SPRS requires companies to complete basic assessments, and it outlines access requirements and flow-down procedures for subcontractors involved in contracts with federal agencies.
In addition to the SPRS, there is a Joint Surveillance Program that allows companies to voluntarily seek out CMMC assessment services from accredited third-party assessment organizations (C3PAOs). This program was launched to further incentivize companies to become compliant with DoD cybersecurity standards before they are required by law.
When will CMMC show up in contracts?
Companies should begin their CMMC compliance journey 21-27 months before contract deadlines arrive so they can remain competitive in this ever-evolving cyber landscape.
DoD contractors should be preparing for a CMMC “final rule” scenario by Q1 2025.
By the date of the final ruling, contractors should be prepared with their CMMC certification at Level 1 or higher so they can receive new contracts from the Department of Defense. Also, Levels 2 and 3 will require third-party attestation to the submitted SPRS score, so contractors will need to schedule an assessment with a CMMC third-party assessment organization (C3PAO), which will take an additional, unpredictable amount of time due to the limited number of assessors and the growing number of organizations seeking certification (OSCs).
The kicker is that being prepared for a CMMC assessment could take anywhere from 12-18 months for most companies in the Defense Industrial Base. Add onto that the time it will undoubtedly take to schedule an assessment, and you’re looking at quite a long timeline. So, the clock is ticking.
Overall, companies hoping to secure contracts from DoD agencies will have to meet these standards through either voluntary or mandatory compliance processes. Companies must understand the importance of meeting these stringent requirements and take steps now in order to remain competitive and protect their data from being compromised.
CMMC Considerations for Small Businesses in the DIB
Small businesses seeking to become CMMC compliant should take special considerations into account when attempting to meet the requirements.
Firstly, it is important for them to understand their exposure level to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) data, as this will help guide them in choosing the appropriate CMMC level for their business.
For example, a small business with 1-5 employees may want to start at CMMC Level 1 with no DFARS 7012 requirement, as this is relatively easy to meet compared to higher levels of compliance. On the other hand, companies that handle CUI and FCI should be aware that achieving CMMC Level 2 or higher will require a significant investment in people, process and technology.
Small businesses should ensure they do not sign a contract including the DFARS clauses unless they plan on meeting the requirements. (If you have a contract with the DFARS clause and you need help, speak with one of our experts.)
Understanding DFARS Clauses
To meet CMMC standards, it's important to understand which contract clauses you – as a government contractor handling sensitive data – are required to adhere to.
DFARS 7012, 7019, and 7020 were published between 2015 and 2020 and required that contractors who handle Controlled Unclassified Information (CUI) implement cybersecurity standards and practices based on NIST 800-171.
This regulation mandated that contractors provide a System Security Plan (SSP) that outlines processes and procedures for secure information handling, a Plan of Action and Milestones (POA&M) to address any deficiencies in the SSP, and a Risk Assessment Plan to document any threats to the system and the impact the threats could have if not mitigated. This plan must include any countermeasures implemented to mitigate the threats.
These three DFARS clauses serve as the foundation for protecting CUI for government contractors. And all contractors are required to flow down these requirements to their supply chain for compliance with the CMMC program.
If you do have a contract including a DFARS clause, FedRAMP Moderate/High cloud services can provide cost effective capabilities and should be taken into consideration when making decisions about how best to comply with CMMC standards.
It’s also important that any Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) used meets or exceeds their chosen CMMC level and complies with DFARS 252.204-7012, 7019, 7020 and 7021.
Finally, small businesses should research state DFARS / CMMC grant programs as well as SBIRs that offer funding allowances for attaining certification and contact their local Procurement Technical Assistance Center (PTAC) or Manufacturing Extension Partnership (MEP) for assistance if needed.
By taking all of these factors into account and planning ahead accordingly, small businesses can ensure they are effectively meeting all necessary standards before submitting contracts for DoD components.
Steps to CMMC Compliance
The urgent need for companies to become CMMC compliant is clear, but what are the steps businesses should take? Here are seven steps for companies to follow in order to become CMMC compliant.
- Identify the appropriate CMMC level
- Identify assets for CMMC
- Choose a technical design for your CMMC compliance: All-In vs Enclave
- Consider Microsoft Government for your CMMC compliance
- Find a Managed Service Provider (MSP) / Managed Security Service Provider (MSSP)
- Prepare for a third-party CMMC assessment
- Complete a CMMC assessment