Experts in defense contracting are advising small and mid-sized businesses to start preparing for the looming rollout of the Cybersecurity Maturity Model Certification (CMMC) program.
Developed through the Department of Defense’s Office of the Undersecretary for Acquisitions and Sustainment, CMMC is designed to make cybersecurity a foundational component of all DoD programs and contracts, CMMC Director Stacy Bostjanick told attendees at the Fort Meade Alliance’s Small Business Conference.
Once implemented, the CMMC will enforce the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) 800-171 frameworks for all DoD contractors who touch controlled unclassified information (CUI). Based on preliminary drafts, the regulations will require contractors to meet multiple requirements within 17 security domains.
The framework also includes five levels of certification, depending on the maturity of a contractor’s cybersecurity practices. Contractors will have to be assessed by an independent auditor to receive CMMC certification and will have to be re-audited at least every three years.
CMMC regulations are scheduled to be released in January; training of auditors should begin this spring; and by June, some DoD Requests for Information will include CMMC requirements.
“We are not trying to put any of you guys out of business. We are not trying to make life hard for you. We are trying to make us secure,” Bostjanick said at the conference. “We are trying to establish a culture of security where people are thinking about these issues and thinking preemptively.”
Federal and state governments are discussing making funds available to small companies to offset certain costs of meeting CMMC standards. Some DoD contractors may also be able to include certain related costs in contract billings.
But federal officials and business leaders say contractors, especially small and mid-sized companies, need to start learning about and preparing for CMMC.
“I’m not sure that all small businesses understand the seriousness of this,” said Mike Kelleher, Executive Director of the Maryland Manufacturing Extension Partnership (MD MEP). “This is not a situation where you can check a box and certify that you are compliant. You can’t go online and buy a widget and become compliant … If you aren’t compliant, it may end up impacting contracts and renewals and purchase orders.”
Kelleher recommends that companies begin by assessing their systems to determine where they do and do not comply with the draft CMMC requirements. CMMC Version 0.7 is available through the CMMC website: https://www.acq.osd.mil/cmmc/
Many companies that aren’t already complying with DFARS and NIST 800-171 may be surprised by the number of cybersecurity gaps they have. Through a pilot program with DoD’s Office of Economic Adjustment, MD MEP has helped 47 companies assess their level of compliance with NIST 800-171. Pre-mitigation scores from those gap analyses showed companies, on average, were 34 percent compliant.
The pilot program provided 33 companies with funding to offset the cost of technical upgrades. MD MEP is currently negotiating with DoD and the Maryland Department of Commerce to launch a similar program that will help small companies comply with CMMC.
Contractors who are already meeting NIST 800-171 standards will still need to learn about and prepare to adjust to CMMC, said Dr. Myron Cramer, Co-Founder and Chief Technology Officer of BCT LLC.
“We are very familiar with government’s security requirements and design, and we mirror them to the extent that it makes sense for us. We have the strongest firewalls available, some of the same ones the government uses, and we have the strongest anti-virus products,” Cramer said.
Even though Cramer believes the company is meeting CMMC standards, he also expects to have to implement some changes when the company is assessed by a CMMC certifier.
“Any time you get a third party coming in to do an assessment for accreditation, they are going to have their own opinions about things, so we may have to make some changes,” he said.
In addition, some large questions still linger over the CMMC rollout. New security protocols will require two-factor authentication. Workers in many government facilities, however, are not permitted to bring personal cell phones or other electronics into their workplace, and DoD has not yet indicated what alternate devices, such as electronic tokens or fobs, could be permitted, Cramer said.
The definition of controlled unclassified information remains unresolved to date. Contractors who use cloud services do not yet know about options to migrate to CMMC-certified cloud services. Finally, most individual government clients have not yet announced how CMMC requirements will mesh with their own requirements and what changes contractors may have to make to satisfy both.