
Are You Ready for Mandatory Minimum Cybersecurity?

If you are a federal contractor doing business with any part of the United States government, meeting some level of mandatory minimum cybersecurity requirements is in your future if you want to continue to capture that revenue.

The Biden administration has made it crystal clear as to where we are heading relative to minimum cybersecurity requirements. In fact, the National Cybersecurity Strategy states, “Where Federal departments and agencies have gaps in statutory authorities to implement minimum cybersecurity requirements or mitigate related market failures, the Administration will work with Congress to close them.”

We’ve seen how the DOD has moved from proposing and mandating these minimum requirements to actual enforcement with CMMC. And that’s the key difference between DFARS 7012 and CMMC, the fact that CMMC introduces an enforcement mechanism.

Survey findings for 2023

Last year we released a landmark study by Merrill Research. It was the first one ever conducted by an independent third party, in which the research consultancy pulsed the defense industrial base to understand where they were in their journey to compliance. We tasked Merrill Research with refreshing their findings for this year, to give you the best possible benchmark for your company.

Here are some snapshots of what’s happening.

86% of the respondents in this year’s survey believed that positive change would come about as a result of the national cybersecurity strategy. This is interesting because while most respondents were very optimistic about the strategy, their progress toward CMMC compliance as viewed through their SPRS submissions was underwhelming.

There is a growing gap between contractors who claim to be compliant via self-assessment versus those who have completed SPRS submission.

  • The number of contractors who claim to be compliant via self-assessment has increased. In 2022, 71% said they were compliant via self-assessment, which rose to 81% in 2023.
  • While many contractors have not completed the steps necessary to maintain compliance, more contractors are in the ‘undertaking’ stage for SSPs, POAMs, required controls, and ongoing solutions.
  • SPRS submissions among contractors are significantly lower (falling from 46% in 2022 to 36% in 2023), while the average SPRS score has slightly increased.


What does this mean and what should you do?

The Federal government is mandating minimum cybersecurity requirements across every part of its estate that it can control, and where it lacks the authority to do so, it is going to work with Congress to get it. CMMC is now moving to enforcement.

Here are steps you can take to achieve and maintain compliance.

  1. Assess operations for compliance with NIST 800-171.
  2. Generate a system security plan (SSP).
  3. Document plans of actions and milestones (POAMs).
  4. Implement security requirements.
  5. Maintain compliance.


Start with an assessment and planning documents

Depending on where you are in your journey, you should begin by assessing yourself. This assessment is required for SPRS submission, and that’s probably the first thing that’s going to trip you up relative to your ability to capture additional revenue with the Department of Defense, your prime, et cetera. Use this potential loss of business opportunity to make a solid business case to fund an assessment or to prioritize internal resources.

A properly done assessment is going to get you everything you need for your SPRS submission, including an updated plan of action and milestones, which is essentially your roadmap to full compliance. The assessment also enables you to answer the two questions every defense contractor wants to know—how much is this going to cost and how long is it going to take?


Move to implementation and maintenance

Once that is complete, enact the policies, planning, documentation, technologies, and controls you’ve already planned for. This is the longest, most expensive part of your journey. Whether you measure the expense in dollars or in time, it’s where the real effort is. After the implementation is complete, you begin managing your compliance.


How CyberSheath can help

Know that your organization can get to the place where you are surviving and thriving in the face of cybersecurity audits. You’ll be able to easily produce artifacts, manage your systems, and more. That’s what we do for our managed services customers. We make sure that there’s an ongoing production and validation of artifacts and infrastructure required for compliance. The CyberSheath Federal Enclave brings all of the security, information technology and regulatory requirements and capabilities together to complete your CMMC compliance puzzle.

Many companies coming to us to solve this problem for them have years of less-than-optimal infrastructure practices. Perhaps patches haven’t been maintained, there’s little to no documentation of how they’re doing things today, or they’re underinvested in security. It’s our job to solve that problem for each of our clients, and we do it on a firm fixed-price basis.

Bottom line: Contractors need to take action and seek help if needed, as time is running out for compliance. One solution is to move wholesale to a cloud-based solution. This is a great option if you can do it, if you can afford it, and if you have a partner who can migrate your legacy infrastructure to the cloud.

The benefits of implementing the required controls of CMMC are twofold. It’s mandated and you are going to become more secure from an operational perspective. This is compliance that will make you more secure.

Lastly, remember that there’s no such thing as partial compliance. Whether you’re working to achieve CMMC compliance with CyberSheath, within your organization, or with other vendors, make sure you’re solving the whole problem. At the end of the day, that’s how your success will be measured. Our experts are committed to this space and to your success. We help implement a solution that’s right for your business to achieve full compliance. Contact us to learn more.

Join us for CMMC CON 2024 on Sept. 25, 2024, at 9am EST for a free, virtual, one-day conference focused on safeguarding against cyberthreats.