The Cybersecurity Maturity Model Certification (CMMC) was the Department of Defense’s response to the threat of cybersecurity compromises. The framework builds on existing requirements like NIST SP 800-171, NIST SP 800-53, and AIA NAS9933, and it will provide a unified standard for implementing cybersecurity standards across the defense supply chain. The network of companies in the DoD’s supply chain exceeds 300,000 and with the list of cyber threats growing, the DoD needed a stronger response. You may have already spotted CMMC level requirements in Request for Information (RFI)s this past June. Come this fall, you should begin to see CMMC requirements in the Request for Proposal (RFP) process, and contractors should be getting assessed for certification.
Cyber Hygiene is a thing, and CMMC will Measure it
Instead of each contractor responsible for implementing, monitoring, and securing DoD data on their information technology systems, the CMMC will seek to streamline the procedures the military’s partners use for cybersecurity. As expected, the CMMC comes with a long list of technical requirements and requires each contractor to be certified according to their role and access to sensitive information. The framework will rank contractors on their maturity and reliability, measuring their level of “cyber hygiene” as part of the certification process.
CMMC Framework Long Overdue
In many ways, the requirement can be interpreted as an overdue part of the DoD’s working relationship with its contractors. While cybersecurity has become increasingly important for the military, the Pentagon’s contracting process could also benefit from the increased clarity that the CMMC’s framework would provide. Because contractors can be distinguished along five discrete levels of certification, accepting jobs can technically be done more automatically. Competing third parties may also find the certification levels to provide a clearer picture of their respective requirements. However, Mike Jordan, vice president of research at The Shared Assessments Program, told ClearanceJobs in January, “If you read the number of reference documents that informed this certification, it’s apparent that it would be very hard for government contractors to figure out what’s required of them.”
CMMC Entry is Easiest, but Higher Levels Require a Bit of Work
While the lower levels will be relatively easy to achieve, levels three to five will introduce the need for auditing firms that certify contractors to the higher requirements, a process that will undoubtedly take time to roll out fully. The length of this process (no doubt worsened by COVID-19) has been cited among other concerns of shortcomings since January’s announcement. In March, several technology industry associations published a series of recommendations for how the CMMC could be improved. Chief among their concerns was an enhanced clarity of the framework’s scope, applicability, and timeline. It should be noted, however, that the weaknesses pointed out did not focus on the actual technology or security standards required by the CMMC.
CMMC is a Standardized Effort to Meet the Cybersecurity Gaps
In its current wording, the CMMC can be viewed as a standardized metric for DoD evaluation. Although further clarification of the program may be in order, it appears that the certification is a broad response to cybersecurity concerns and not a checklist set in stone. Its rollout in recent months has been interpreted as such. Contractors have been preparing for the program. And while a marketplace of resources is rapidly emerging to help meet the certification needs, only CMMC Third Party Assessment Organizations (C3PAOs) and accredited assessors can actually perform the assessment.
Cyber Protection is the CMMC Goal
Although the CMMC will require companies to adapt their current practices to be eligible for DoD contracting, the change could mark a positive shift for the industry. The CMMC’s new baseline will ensure all contractors are making necessary investments in cybersecurity, and the upkeep and implementation of these policies will help protect the DoD’s cyber technologies. The requirements are also all-encompassing; contractors will need to be sufficient at a wide range of operational solutions. Encrypted assets, back-ups, platforms, and other operations will need to work together. The path to CMMC compliance will require a varying amount of change for each company affected. In any event, its rollout clarifies expectations from the DoD and sparks competition within each respective level.