Leaning into CMMC as it Evolves Works

Right now, many organizations are struggling to make sense of the recent information released regarding the evolution of the CMMC standard, specifically the retirement of version 1.0 and the introduction of revision 2.0. After reviewing the new materials, the question becomes, “What do I do now?”

One important thing to remember is that regulations have always been shifting to meet the ever-changing business, threat, and security landscapes. In fact, before CMMC, companies needed to adhere to NIST 800-171, and before that DFARS 252.204-7012. Because of the constant stream of acronyms and the resulting confusion, most companies have either given up trying to understand it all or have enlisted professional support to help meet the evolving requirements.


Past experience applies to today’s challenges

Before I founded CyberSheath, from around 2008 through 2012, I was the Chief Information Security Officer for BAE Systems. At that time, compliance with the emerging cybersecurity guidance was voluntary. Within the company, we struggled with how to approach it since it was not required, but it was a legitimate national security issue that our board cared deeply about.

As one of the eight largest defense contractors, we joined our colleagues at the Pentagon, where the Deputy Secretary of Defense said in a classified briefing that we all needed to stop foreign entities from infiltrating our computer networks and stealing our intellectual property. The meeting called upon defense contractors to do their patriotic duty and safeguard the data entrusted to our care. The government also wanted industry to start sharing threat information and report cybersecurity incidents. Many of the largest prime contractors actively resisted the idea of sharing information with the government, feeling their companies either might be put at a competitive disadvantage or that they were better equipped and better informed about cybersecurity matters. I recognized early on that resistance was futile; eventually this was going to be mandated, and more importantly, I sincerely believed this was a matter of national security. We leaned into the effort to improve our defenses, share information, and be a good partner to our largest customer, the United States government.

We started down the path of meeting the cybersecurity standards as they were introduced. Even though it was voluntary, nobody was compelling us to participate, and there were no penalties, we simply decided that actively supporting this emerging public-private partnership was the right thing to do. I was blessed with an executive leadership team and board that were ahead of their time in making cybersecurity a board-level issue, a rarity at the time.

In many ways, my journey then parallels where the defense industrial base is today as they ask, “Do I ignore this until the government figures out what they want to do? Or is there some kind of playbook I can follow to get this done?”


Moving forward with CMMC 2.0

With CMMC 2.0, defense contractors can take a similar approach in a way that’s both cost-effective and smart. As a company, you will have to implement and comply with a construct that’s probably going to change over the next two years, but there are foundational steps that you can take now that will continue to make sense in the future, regardless of how things progress.

For example, we know NIST 800-171 is the law of the land and that is not changing. One good option would be for your company to fully implement NIST 800-171. If you are not sure where to begin, start with an assessment so that you understand how far out of compliance you are currently. The requirements outlined in the NIST standard represent good cybersecurity hygiene controls and any work you do to meet those requirements is going to pay dividends as you look to secure and maintain government contracts and ultimately full compliance with CMMC.


Looking to the future

It’s obvious that cybersecurity is going to become more important and more widely mandated for federal contractors. So, if you are a federal contractor, there is minimal risk in embracing NIST 800-171 and a lot of upside. Ultimately, whether you work with DOD, DHS, NIH, or the Department of Agriculture, there’s going to be some level of minimum requirements, and they’re probably going to map back to a NIST standard.

The best partner to help you follow the rules is the one that helped write them. At CyberSheath, our executives have been involved in the development of the first and every subsequent version of DOD cybersecurity initiatives since 2008. If you need any assistance navigating the cybersecurity standards and applying them to your business, contact us.
