What is CMMC Certification? 10 Common Questions Answered

May 12, 2021 | Compliance

The rise of sophisticated hackers and rival nation-states investing in electronic espionage prompted the federal government to undertake a seemingly Herculean task. In response, the feds have rolled out an initiative to bring all contractors in the Defense Industrial Base (DIB) into cybersecurity compliance under a single mandate: Cybersecurity Maturity Model Certification (CMMC).

In short, the Department of Defense (DoD) does not just require its prime contractors to become CMMC certified; it extends the requirement down the supply chain to the subcontractors and suppliers that handle DoD information.

Until CMMC emerged as a requirement, companies were largely allowed to self-attest to their own cybersecurity posture. Those days have gone the way of the dinosaur, because small, mid-sized, and large companies alike are quickly discovering that winning lucrative government contracts now calls for CMMC certification before taking on even peripheral work.

As you might expect, the prequalification requirement has produced a logjam of businesses scrambling to obtain CMMC certification before they get boxed out.

Entrepreneurs and business leaders who want a slice of the DoD supply chain pie must now prove they have effective cybersecurity measures in place. If you are unsure whether your business meets the CMMC standard, or are considering government-funded work, this is what you need to know about CMMC certification.

1: What is CMMC?

The federal government's cybersecurity maturity model essentially unifies a range of existing data protection requirements into a single, verifiable standard. According to the Office of the Under Secretary of Defense for Acquisition & Sustainment, which owns the Cybersecurity Maturity Model Certification program:

“CMMC… is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB)… The CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.”

Over the years, a variety of cybersecurity guidelines were developed that applied unevenly across the more than 300,000 organizations participating at some level of the DoD supply chain.

What eventually became clear was that cybercriminals and state-sponsored espionage groups found it easier to infiltrate the business systems of supply chain companies than those of top-tier contractors with large cybersecurity budgets. Attackers used this strategy, breaching the email, networks, and mobile devices of peripheral suppliers, to collect sensitive data that gave them pieces of the U.S. defense industry puzzle.

Before diving into precisely how CMMC works, it's helpful to have a working understanding of the information at stake and the requirements that came before it: CUI, DFARS, and NIST SP 800-171.

2: What is CUI?

Controlled Unclassified Information, more commonly called CUI, is information that the government creates or possesses, or that a contractor creates or handles on the government's behalf, that is not classified but still requires safeguarding or dissemination controls under law, regulation, or government-wide policy. The CUI held by Defense Industrial Base contractors and their suppliers is not protected directly by a government agency, yet in aggregate this data gives adversary states insight into America's military development and projects.

Our adversaries decided long ago that CUI sitting in poorly protected supply chain networks was low-hanging fruit, and they have been harvesting it to unravel U.S. national security for years. That is why a single, widely enforced set of cybersecurity requirements was needed, and the first attempt came through DFARS.

3: What is DFARS?

The Defense Federal Acquisition Regulation Supplement (DFARS) is the DoD's supplement to the Federal Acquisition Regulation, and it is the vehicle through which the DoD imposes cybersecurity obligations on private-sector contractors and their supply chains. In 2015, the DoD added the clause DFARS 252.204-7012, which tied the Defense Industrial Base to the National Institute of Standards and Technology (NIST) by requiring contractors that handle CUI to implement the security requirements of NIST SP 800-171. Those 110 requirements are grouped into 14 families:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

The weakness of the DFARS approach was not the content of NIST SP 800-171 but the way compliance was established: contractors self-attested that they had implemented the requirements, and nobody independently verified it. CMMC (version 1.0, released in January 2020) was designed to close that gap by adding third-party assessment and a maturity structure on top of the NIST requirements.

4: How is CMMC different from NIST?

You might feel that the shift from purely NIST rules to the more comprehensive CMMC framework is nothing more than government-mandated redundancy. While our bureaucracy misses the mark at times, CMMC certification isn't one of those cases.

The NIST SP 800-171 mandate focuses on protecting CUI wherever it is stored, processed, or transmitted. But every system that touches CUI along the way widens the attack surface, so your company also needs broader cybersecurity defenses and, under CMMC, must demonstrate that those defenses are actually in place rather than merely attested to. This matters because well-funded adversaries continue to develop tooling that outpaces defenses that are implemented once and never verified.

One private-sector example is the Marriott hotel chain. In 2018, Marriott disclosed a breach of its Starwood guest reservation database that exposed records of up to 500 million guests. In 2020, it disclosed a second incident affecting roughly 5.2 million guests. Being a large organization with a dedicated security budget did not make it immune. The point here is that protecting CUI without hardened, verified supporting defenses turns a business into low-hanging fruit for nefarious actors.

But what does this have to do with YOUR business?

5: Why Is CMMC Necessary to National Security?

Marriott is a large enterprise, and it was still breached twice. But what the DoD uncovered after reviewing the way it dealt with supply chain cybersecurity compliance sent a chill down the spines of national security officials.

Before the CMMC interim rule took effect in November 2020, the DoD routinely awarded lucrative contracts that trickled down to supply chain businesses without requiring any cybersecurity certification.

Frankly, the task of reviewing 300,000 organizations probably seemed beyond onerous. The DoD basically took business professionals at their word that they had self-assessed their cybersecurity measures and met the published standards.

Then, when things went sideways and breaches occurred, officials punished rule-breakers after the fact under the False Claims Act. High fines and loss of contracts did little for national security, because by then the adversary already had the data.

For more on this, see the 2018 MITRE report "Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War," which sent shock waves across the DoD. The report argued that many of the organizations participating in the DIB lacked even basic cybersecurity knowledge or measures.

The report made plain that numerous government contractors were not meeting existing cybersecurity requirements, that few had fully implemented NIST SP 800-171, and that verification before award was crucial. The resulting cybersecurity maturity model maps out five distinct levels of cybersecurity hygiene, matched to the sensitivity of the information a supply chain company handles and the risk it poses to national security.

6: What are the CMMC Certification Levels?

Whether your organization works in manufacturing, transportation, technology, or directly builds military hardware, a designated CMMC level will apply, and it will be specified in the contract. Determining which of the five levels opens the door to DoD-related work often prompts industry professionals to contact a CMMC consulting firm.

Keep in mind that while numerous managed IT firms can handle basic cybersecurity hygiene, very few have the expertise to diligently ensure a niche company meets or exceeds the requirements on its first assessment. This is what the five CMMC levels entail.

  • Level 1: "Basic cyber hygiene." Level 1 consists of the 17 practices drawn from FAR 52.204-21, the basic safeguarding requirements for Federal Contract Information (FCI), such as limiting system access to authorized users, keeping antivirus software current, and patching. It applies to supply chain companies that handle FCI but do not store, process, or transmit CUI.
  • Level 2: "Intermediate cyber hygiene." Level 2 (72 practices) is a transition step between Levels 1 and 3 and consists of a subset of the NIST SP 800-171 requirements along with documented policies. It is not expected to be called out as a contract requirement on its own, so organizations handling CUI should plan for Level 3. Because the model and its guidance are still being refined, it pays to work with a CMMC consulting firm if your last review was some time ago.
  • Level 3: "Good cyber hygiene." Level 3 (130 practices) includes all 110 NIST SP 800-171 requirements plus 20 additional practices, along with a managed plan covering the activities. This is the level most organizations that handle CUI will need. Simply updating antivirus software, firewalls, and patching programs falls far short of it.
  • Level 4: "Proactive." Level 4 (156 practices) requires an organization to review and measure the effectiveness of its practices and to detect and respond to the changing tactics, techniques, and procedures of advanced persistent threats (APTs). Such adversaries possess expert-level skills and tooling and can bring multiple attack vectors to bear against a DIB target.
  • Level 5: "Advanced/Progressive." Level 5 (171 practices) is the top tier, requiring standardized and optimized processes across the organization and the sophistication to deter, detect, and respond to the most capable threat actors targeting U.S. national security.

Now that the DoD has begun rolling out its CMMC requirement, any organization working in the DIB will need certification at the level called out in its contract before it can take on that work.

It's no secret that federal agencies pay top dollar. Failing to meet the level that applies to your business could sideline your operation, potentially costing critical revenue, until you have achieved CMMC compliance.

7: How Can You Get CMMC Certification?

The most cost-effective way to work toward CMMC compliance begins by identifying the level of certification your organization needs. Because that depends on the specific nature of the work, many businesses enlist a CMMC consulting firm like Machado to map the work a company performs to the FCI or CUI it handles and to assess where it is exposed. After that has been determined, a network analysis and full review of cyber hygiene are typically conducted. This process generally includes heightened scrutiny of the following and other cybersecurity measures.

  • Cybersecurity awareness and best practices
  • Cybersecurity policy and employee education
  • Multi-factor authentication and password controls
  • Encryption of data on mobile devices
  • Detection, deterrence, and response capabilities

Since the CMMC framework took effect, too many companies have waited until deadlines were imminent and then rushed to get certified. This has created substantial accreditation and scheduling bottlenecks. CMMC consulting firms became overbooked, and organizations that relied solely on in-house IT technicians sometimes failed. The backlog has eased to some degree, and savvy decision-makers outsource this facet of their cybersecurity program to a CMMC consulting firm because of its niche expertise.

This approach has the added benefit of freeing up in-house staff to conduct many day-to-day functions and improves the chances of first-audit certification. The process generally begins with a systems assessment conducted by an impartial third-party cybersecurity expert. Typically, this (and other CMMC preparation) can be done with a Registered Practitioner (RP) like Machado.

Once decision-makers are confident the organization can pass muster, an accredited C3PAO can be engaged to conduct the formal CMMC assessment.

8: What is a C3PAO?

The federal government has certainly learned from mistakenly taking thousands of companies at their word. Self-assessments and promises to improve cyber defenses left critical CUI vulnerable for years. That dysfunctional system has come to an end now that CMMC Third-Party Assessment Organizations (C3PAOs) take the lead on verifying compliance.

A C3PAO conducts an impartial assessment of a business's cybersecurity practices and submits its findings to the CMMC Accreditation Body (CMMC-AB). The CMMC-AB is the non-profit organization that trains, accredits, and monitors the assessors and other service providers qualified to work within the CMMC ecosystem.

An organization that requires CMMC certification contacts a C3PAO to schedule an assessment. The assessment typically ferrets out any remaining gaps in a company's defenses.

These accredited firms usually charge a fee based on the complexity of the assessment and demand for their services. The Office of the Under Secretary of Defense for Acquisition and Sustainment has indicated that financial support may be available for qualifying businesses. Naturally, scheduling an assessment early, rather than under deadline pressure, can help contain your cost.

C3PAOs are essential to getting certified and provide your final assessment, but preparation doesn't need to wait until a C3PAO is available. It can begin with choosing the right CMMC Registered Practitioner (RP).

9: What Should You Look for in a CMMC Registered Practitioner?

The value of starting your preparation with an experienced CMMC partner cannot be overstated. Because your business will need the required CMMC level before it can be awarded DoD contracts that carry the requirement, it's critical to demonstrate compliance successfully. The alternative effectively puts your business outside the DIB, with lost revenue and competitors taking over the streams you once enjoyed.

That being said, these are things to look for in a CMMC partner.

  • Experience: Working with a partner who has a track record in cybersecurity beyond CMMC is a boon. The CMMC framework is not the federal government's first attempt to raise cybersecurity standards in the private sector. Consider a CMMC consulting firm that delivers effective defenses across a range of sectors; one that routinely works with federal entities is a further plus.
  • NIST & DFARS knowledge: Because CMMC encompasses and builds on the NIST SP 800-171 and DFARS requirements, a consulting firm or RP with hands-on experience implementing them brings practical knowledge you can use. That experience also helps them explain why your organization should target a particular level; sometimes leveling up is in a company's best interest, and people with NIST and DFARS history know when.
  • Accreditation: Service providers that have gone through the CMMC-AB process are well positioned to deliver insightful assessments of your organization's cybersecurity strengths and weaknesses. A CMMC consulting firm with a Registered Practitioner on staff may be the best available option to get the job right the first time.

10: What if You Don’t Get CMMC certified?

Failing a CMMC assessment ranks among the worst outcomes a military contractor or supply chain business could imagine. Your company could be sidelined for an indefinite period while competitors gain the market share you once enjoyed. Adding insult to injury, the DoD may not award you contracts that carry the requirement while you remain in a CMMC holding pattern. Your company will first need to upgrade its cybersecurity policies and protocols and cure the gaps discovered during the C3PAO's evaluation.

Going forward, the DoD will increasingly include CMMC certification as a condition of award in new solicitations. That phased rollout is already underway and is expected to become more stringent over the next five years.

Failing to meet the CMMC compliance standards could prove disastrous to a business that relies on contracts and revenue that trickles down from the federal government.

What Defense Industrial Base Supply Chain Companies Need To Do About CMMC Compliance

If you are among the many businesses that fell behind the CMMC curve, or you are considering bidding on DoD work, it's crucial to start with a thorough review of your cybersecurity hygiene. That initial analysis does not have to be tied to a C3PAO assessment; a Registered Practitioner can complete it before your official review. It's a way to find out how close your organization is to meeting the standard and to decide whether it's cost-effective to get certified and start bidding on work.

Those already in the supply chain would be wise to move toward compliance quickly. It's abundantly clear the DoD is serious about CMMC, and companies are rushing to get certified. Perhaps the best thing you can do to advance your business's financial goals is to start a conversation with a CMMC consulting practice like ours.
