For the more than 300,000 companies currently serving the defense industrial base (DIB), or companies that plan on doing business with the Department of Defense (DoD) at some level it in the future, the Cybersecurity Maturity Model Certification or CMMC is an important topic of concern. CMMC came into being in part because of the increasing trend of hacking into U.S. companies’ information networks by foreign nations and as a result, is the next stage in the DoD’s plan to better secure this sensitive (and often highly classified) information; information gained through hacking can have a direct effect on our future national security. We see an example how in this article. Our mission with this article is to talk about the importance of CMMC, what it is and how it will affect companies – at all levels – doing business now and in the future with the DIB.
The Important Cybersecurity Role that CMMC Plays
Mr. Cameron Chehreh, Dell Technologies Federal Systems Chief Technology Officer and Vice President, helps answer its importance by offering up an example of how a Nation-State Adversary of the U.S. could use what seems like innocuous information against us with devastating results – results that could pose a threat to our national security.
As an example, consider a fastener business that produces nuts, bolts, screws and nails as a subcontractor to a larger contractor that builds major end items like tanks, airplanes or ships.
Chehreh said of the fastener business, “This type of business may not supply directly to the government, but they might be selling to a Northrop Grumman or a General Dynamics, because — let’s face it — it takes a lot of fasteners to build a plane, a ship, a tank and all of those other products that ultimately become consumed by the government.”
So why is information about nuts and bolts of importance to our adversaries? Chehreh goes on to explain, “If an adversary knows how many nuts and bolts it takes to build a tank, the tensile strength of the steel of a bolt and they know how the tank is designed, then they now know how to build ammunition or a bomb to drop on the tank.”
And under the pre-CMMC standards, the nut and bolt company as a subcontractor, would most likely not have as high of cybersecurity standards and processes in place as the contractor they supply, thus it would be easier to hack into the smaller company than it would be the larger DoD contractor. One of the fascinating aspects of cybersecurity – and one of the most dangerous as Chehreh went on to say was, “It’s not always the sophisticated things that get us; sometimes, it’s the basics.”
Because it is often the basics that trip us up, that is one reason why the CMMC standard was introduced in early 2020 as a way to combat future outside threats at all levels in the supply chain.
What is CMMC?
CMMC is a five-level cybersecurity assessment and certification model that companies doing business with the DoD – at all levels as noted before – must eventually implement and adhere to throughout the duration of a contract. And under it, not only are DoD government contractors responsible for their own companies, but they must also assist the subcontractors they hire so they too have the appropriate CMMC level in place and practice for the part they play in the supply chain. As an incentive to get onboard, the higher level of CMMC a company attains, the more DoD contracts they will be awarded.
What is different with CMMC is that is not a self-evaluated process as cybersecurity measures and standards have been in the past. Now, independent Third-Party Assessment Organizations (CP3AOs) will certify the CMMC level of a company – a process that the CMMC Accreditation Body (CMMC-AB) is currently developing with the DOD.
What Should Contractors Be Doing with CMMC Now?
The takeaway right now is that CMMC is happening and DOD contractors and suppliers at all levels including, subcontractors, small businesses, commercial item contractors and foreign suppliers, should start right away by clearly documenting their current operating cybersecurity practices and policies as they relate to the CMMC levels ; and if they do not meet the cybersecurity level appropriate for their company, as it relates to how they do business with the DoD, they should plan for and implement further procedures that get them to their required CMMC level. CMMC is a highly evolving topic as the process continues to be defined and refined.