
CMMC 2.0 on the Horizon: Are You Prepared?

If you’re a company that serves defense industry customers or hopes to, chances are you’re aware of U.S. Department of Defense (DOD) cybersecurity requirements to protect sensitive information. Up to now, that effort has been under DFARS (a government acronym for the Defense Acquisition Regulation Supplement) Clause 252.204-7012, which was the DOD’s first attempt at codifying requirements to ensure that its suppliers adequately protect project-related data.

The threat is real. There are plenty of bad actors out there looking to steal data and other defense information. And because the larger contractors have long had sophisticated cybersecurity systems in place, cyberthieves increasingly are attempting to access data through subcontractors—and subcontractors to subcontractors—many of which are small businesses with proportionally small IT departments and few or no protections in place.

 

The end of self-certification: DOD contractors brace for CMMC 2.0

DFARS Clause 252.204-7012 is a self-certified requirement, and as such is somewhat lax in its enforcement. That is about to change. The new standard, CMMC 2.0, which stands for Cybersecurity Maturity Model Certification, is in the final comment and review period, and it’s expected to become a contractual requirement for all DOD contractors as early as Q4 2024. With CMMC, self-certification ends. Compliance is mandatory and must be certified by an independent third party.

This time the DOD is serious. CMMC compliance will be a go/no-go requirement to compete for and win DOD contracts for primes all the way down to the smallest subcontractors.

 

CMMC: Three levels tied to varying data security needs

DFARS is the contractual obligation that mandates the security requirements in NIST 800-171. CMMC will become the verification and enforcement of those security requirements. These contractual obligations and enforcement efforts are intended to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The good news: CMMC requirements are tiered based on the level of sensitivity of the data your company and people will handle. Of the three Levels, Level 1 and Level 2 will be required of the majority of Defense Industrial Base (DIB) contractors. Level 1 is the most basic, with just 17 requirements focused on protecting FCI. Level 2 is more advanced and expected to affect the largest number of contractors and subs, with 110 requirements.

The third-party certification part is the less-than-good news, unless you have already implemented the 110 security requirements mandated since December 2017. Regardless of level, most journeys to compliance start with an assessment.

 

What now? How does the DIB solve for CMMC 2.0?

The DIB is an incredibly diverse collection of suppliers, ranging from large primes who have entire departments dedicated to monitoring and managing data security to mom-and-pop operations whose daughter-in-law is good at computers and handles IT between calling on customers and making sure the coffee machine is working.

Some suppliers specialize in DOD work. For some, defense is just a small percentage of their total business. Others have no defense-related customers but consider it a potentially lucrative area for expansion.

For the vast majority of companies that are not primes or larger subs, compliance will be a significant challenge that likely will surpass their ability to handle in-house. Government regulations are notoriously complex and opaque. And besides, who has time to figure it all out? Most businesses are turning to third-party providers.

 

Where to get help

The universe of third-party providers advertising CMMC compliance services is almost as diverse as the DIB itself. Some are divisions of large consulting firms. Some are value-added resellers (VARs) of data security software. Some are basically auditors focused solely on assessment. That makes finding the right provider as daunting as compliance itself. Who should you talk to? As a business, you want to minimize or at least manage the cost of achieving compliance.

There are some pitfalls. The first: Of all the providers out there offering CMMC compliance services, a surprising number don’t actually get you to full compliance. What? That’s right. Some just want to sell you the software you need, which is only one piece of the compliance puzzle. Some focus on selling what they do—assessments, for instance—which is just one step in the journey. Others take the typical consultant approach, which is to speak in acronyms, bill their hours at a high rate, dump a big fat binder on your desk and wish you good luck.

So, what’s the surest path to solving this CMMC compliance thing?

Look for an end-to-end provider.  You’ll want a provider that can guide you through all the steps required for your business to get and stay CMMC-compliant. Not just some of the steps. All of the steps.

Look for an experienced provider.  The best partners in the DOD data security space are the ones with the most experience in the DOD data security space. Specialists who know the requirements backwards and forwards. The ones who have done this many times before.

Look for a flexible provider.  Your business—every business—is unique. You don’t want a boilerplate solution, which is the recipe for overpaying for undercompliance. The best providers meet you where you are, tell you exactly what you need and then deliver it.

 

It’s bigger than compliance

One final thought—cybersecurity is not just about meeting a bunch of tedious government requirements. This is a serious threat to your business, it’s increasing, and it’s never going away, at least not in our lifetimes.

Hackers can severely damage or even destroy a business with spyware, ransomware, viruses and any number of other bad deeds. Even if you do little or no DOD work, it’s just good business to fully understand the threats and take appropriate action to protect your livelihood.

The DOD sees hackers as nothing less than a serious, growing threat to our way of life. And trust me, not dealing with CMMC with the appropriate amount of urgency could be a serious threat to your way of life. The time is now to get on this.

Join our May 29th 12 pm ET webinar Mastering CUI Boundaries: A Comprehensive Guide to Scoping, SPRS Input and Audit Navigation.