Top 7 Concerns About CMMC and What it Means for DoD Contractors


What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. The CMMC brings together a number of previous compliance processes into one unified framework including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933. 

Why is there a need for CMMC? 

Foreign actors are stealing sensitive data, trade secrets and intellectual property from DIB firms, potentially harming U.S. military capabilities and future military operations. The Council of Economic Advisers stated that cyberattacks cost the U.S. economy between $57 billion and $109 billion in 2016, including losses from data breaches, ransom demands, downed infrastructure, lost work hours, and the theft of proprietary data, intellectual property and sensitive financial and strategic information. 

The CMMC is the DoD’s response to significant compromises of sensitive defense information held on contractors’ information systems. Previously, contractors were responsible for implementing, monitoring and self-certifying the security of their information technology systems and of any sensitive information stored on or transmitted by those systems. Contractors remain responsible for implementing critical cybersecurity requirements, but the biggest change the CMMC brings for DoD contractors is the requirement to undergo external audits of their compliance with certain mandatory practices, procedures and capabilities. The results of these assessments will be made available to the public.

Who must comply with CMMC?

All DoD contractors will eventually be required to obtain a CMMC certification. This includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors and foreign suppliers.

What are the levels of preparedness? 

The CMMC establishes five certification levels that reflect the maturity and reliability of a company’s cybersecurity infrastructure in safeguarding sensitive defense information. These five levels are tiered, and each builds upon the technical requirements of the level below it. Contractors will be required to comply at varying levels depending on the sensitivity of the information and goods they handle along the DoD supply chain. The levels of preparedness are as follows:

  • Level 1 – Basic Cyber Hygiene – Performed
  • Level 2 – Intermediate Cyber Hygiene – Documented
  • Level 3 – Good Cyber Hygiene – Managed
  • Level 4 – Proactive – Required
  • Level 5 – Advanced/Progressive – Optimized

When will this affect my company?

DoD contractors should keep the following dates in mind:

  • January 2020: The DoD released the first full version of the CMMC.
  • June 2020: Contractors began to see CMMC requirements as part of the requests for information (RFI) process.
  • September 2020: Contractors will start to see CMMC requirements as part of the requests for proposals (RFP) process.
  • October 2020 and beyond: DoD contractors will be required to get certified by an accredited Assessor/C3PAO to bid on new work.

How much will certification cost? 

Costs associated with CMMC compliance will be ongoing and will vary by the level of certification that is being pursued by the contractor. Other variables include the company’s current cyber posture and in-house cyber capabilities. The good news for contractors is that the cost of certification can be considered an allowable, reimbursable cost. However, it’s important to note that other businesses may already be ahead in the advancement of their cyber posture and will use this as a business differentiator. 

Where do we start?

For most organizations, preparation for certification will take considerable time and effort. Additionally, this new requirement will force top leadership to make strategic decisions about when to pursue certification and at what level. DoD contractors should start now by learning the CMMC’s technical requirements, reviewing their current internal cyber policies and practices, and reviewing NIST SP 800-171 to confirm their current compliance. By taking these steps, companies will not only be prepared for certification but will also gain long-term cybersecurity agility.

Contractors should not view their cyber-compliance as “complete” once certification is achieved. The DoD has emphasized that the CMMC is a starting point for transforming contractors’ cybersecurity standards and that industry must focus on preparing for evolving threats.

An independent analysis of the company’s current cyber posture can help businesses better prepare for future needs. At Gray Analytics, our staff has been involved with the creation of the CMMC guidelines from conception. We have provided technical support to the government as the regulations were being developed and are staying abreast of all updates and modifications as they become available. We can provide businesses with our in-depth knowledge of these requirements and help identify what steps each company needs to take to maintain compliance with these new regulations. Our turn-key compliance services allow your team to focus on growing and managing your business.