As the DoD published its final guidance regarding the Cybersecurity Maturity Model Certification (CMMC) framework recently, defense contractors – especially small businesses – are scrambling to find out what this certification process will mean for their companies.
CMMC requires a third-party assessment of a contractor's cybersecurity practices and processes, resulting in a certification at one of five levels, with Level 1 the lowest and Level 5 the highest. This will allow the DoD to quickly determine the cybersecurity capabilities and institutionalization level of contractors and subcontractors. It is anticipated that most prime contractors will require a Level 3 certification; Levels 4 and 5 focus on defending against advanced persistent threats and are expected to account for less than five percent of the defense industrial base. The DoD has stated it will require CMMC certification for all subcontractors in the supply chain, although the level required of a subcontractor may differ from that required of the prime.
To bid on the next multi-million-dollar contract, only contractors (including their partners and subcontractors) that have met the minimum CMMC level stated in the Request-For-Proposal (RFP) will be accepted. This means an immediate go/no-go decision based on a company's ability to obtain certification.
CMMC was established by the DoD because hostile nations and other adversaries have been able to acquire information on DoD programs and services through contractor networks. Instead of focusing their efforts on attacking military networks, U.S. adversaries turned to the major DoD contractors working on next-generation weapons systems and training platforms.
“This change in targeting was inevitable,” said Donald Lawson, Cybernet’s vice president for cybersecurity and training systems.
The military continues to spend an enormous amount of time, money and effort to protect their systems, but there are still so many opportunities to acquire this data from poorly protected industry partners.
“It’s as simple as an employee in accounting who clicks on a link with malware, or a human resources staff member using a free version of a seemingly harmless software plug-in to view videos online,” said Lawson. “Hook. Line. Sinker.”
“The attack surfaces our adversaries can target to obtain the nation’s secrets are large, dynamic, and many times the equivalent of child’s play,” Lawson added.
Large businesses have more resources and a greater ability to hire cyber professionals and acquire solutions to bring their networks into compliance with the DoD's CMMC framework, while small businesses bear a disproportionate burden in acquiring the resources needed to ensure compliance. Even though the new standards require a higher level of cybersecurity protection and oversight, the need for all defense contractors to be in compliance is clear.
How can small businesses stay competitive under the CMMC guidance?
“The good news is there are reasonable solutions available for small businesses,” explained Lawson. “Companies like Cybernet are available to businesses of all sizes to explain the certification process, as well as implement it.”
The first step for any business is an analysis of its existing cyber tools, processes and practices. With this information, cyber professionals determine the gaps and the scope of work required to bring the company into compliance; because most CMMC Level 3 practices map to the controls of NIST SP 800-171, an honest self-assessment against that standard is a practical starting point. In the second phase, cyber professionals develop solutions specific to the company to close those gaps to the fullest extent possible. Once these solutions are implemented, the company can pursue certification through a third-party assessor under the DoD system.
The DoD is targeting June 2020 for the introduction of CMMC requirements into Requests for Information, with awardable RFPs expected to include these provisions in early 2021.
“The government is taking a crawl, walk, run approach to the roll-out,” said Lawson. “But it’s anticipated that by 2021, all new contracts will contain CMMC provisions.”
The compliance deadline is looming for everyone competing for defense contracts. Small businesses are most at risk and should not hesitate to start this process.