This article by Cory Harris originally appeared in Security Systems News [link]

The Department of Defense (DoD) has begun rolling out its Cybersecurity Maturity Model Certification (CMMC) program designed for companies that want to do business with the federal government.

In its efforts to establish cybersecurity as a foundation for future acquisitions, DoD has introduced the program with the goal of enhancing protection of controlled unclassified information (CUI) within the supply chain. As a result, potential DoD contractors will no longer be able to attest to their own compliance and will be subject to third-party assessment and certification. CMMC will now be required on all new DoD contracts.

Cybersecurity Threats

Ryan Heidorn, co-founder and managing partner of Steel Root, a managed services provider, explained to Security Systems News the importance of CMMC in establishing cybersecurity as a foundation for future DoD acquisitions.

“DoD is extremely concerned about the amount of critical information that goes out the door every year, by way of espionage or theft,” he pointed out. “Most fingers point to China, in terms of stealing intellectual property that was developed with DoD funding, which is taxpayer funding. CMMC is aimed at stopping the bleeding, I guess, in terms of this information walking out the door.

“Basically, DoD is saying that in addition to these criteria that we use to select our suppliers, for these companies that are the beneficiaries of these billions of dollars of defense spending, cybersecurity is going to be one of the selection criteria. In fact, it’s going to be a requirement.”

Heidorn noted some examples of cybersecurity threats that warrant the implementation of CMMC. “It’s two-fold from the DoD’s perspective,” he said. “It’s the exfiltration of data that’s being stolen, but on the other side of the coin, these companies that do business with DoD are just like any other companies in other industries. They face the same sort of threats, such as ransomware, disruption to business operations as a result of malware or targeted attacks. There’s a wide swath of cyber threats that these companies need to be concerned about. The DoD is sick of seeing critical information walk out the door.”

Business Opportunity

Companies intent on doing business with DoD could benefit from CMMC, Heidorn explained.

“One benefit from being forced to do cybersecurity is that it’s just a good business practice that you should have been doing anyway,” he said. “In the short term, at least, CMMC certification is a competitive advantage. If you’re going to bid on a contract, and you’ve reached Level 3 certification, and your competitor has not yet, you have a huge leg up on winning that business from DoD.

“Cybersecurity is a must have for any business, and I think that organizations should look at this as an opportunity.”

Third-Party Auditors

The role that independent third-party auditors play in preparing potential DoD contractors is critical for certification of their cybersecurity maturity, according to Heidorn.

“In the past, there was no enforcement mechanism for organizations working for DoD,” Heidorn explained. “DoD would give them a checklist basically saying, ‘Did you do the right thing, yes or no?’ Companies would say yes, regardless of whether they were doing it or not. The role of these third-party assessors is to come in and check their work.” 

Heidorn pointed out one really important major change with contractors now being subject to third-party assessment. “In the past, technically you were compliant, even if you weren’t doing everything, as long as you had a plan to do it,” he said. “What happened was all these companies said, ‘We don’t do this, but we’re planning to do it,’ and they never actually did it. The assessors now come in and say, ‘Did you do it, yes or no? Show me the evidence.” To have this enforcement mechanism is really moving the ball down the field in terms of getting these DoD contractors to actually implement these cybersecurity capabilities.”

Cybersecurity Maturity Validation

Heidorn pointed out that it is critical for a potential DoD contractor to have its cybersecurity maturity validated.

“I don’t think that companies doing business with DoD fully have their minds wrapped around what this entails,” he said. “In addition to all of the security practices that are required under CMMC, that you should be doing X, Y and Z, there’s also this concept of being able to demonstrate process maturity. Most of the businesses that do business with DoD are small. The majority of them are under 500 employees. When we talk about maturity, I don’t think organizations are prepared for what that means.”

He continued, “You have to demonstrate that you’ve got a plan, that plan is funded, that you have the appropriate amount and quality of resources, technology tools, etc. to do cybersecurity.

“Just like you need an HR department or an accounting department, you also need a cybersecurity department. The reason that it’s critical to have it validated is because in the past, the whole checklist format of whether you’re doing all these things did not really result in what DoD wanted to see, which is the state of being protected. Now someone has to come in and say, ‘Are you doing the right thing? Show me that you’ve not only checked the boxes, but also show me that you have cybersecurity maturity, that you have practices in place that support the government’s sensitive information.’”

The CMMC model has five defined levels of maturity, each with a set of supporting practices and processes. Practices range from Level 1 (basic cyber hygiene) and to Level 5 (advanced/progressive). Organizations that meet a specific CMMC level must meet the practices and processes within that level and below.

Heidorn noted the importance of how CMMC adds a verification component with respect to cybersecurity requirements.

“In terms of like a carrot in a stick, it’s a pretty straightforward stick,” he claimed. “In new contracts that contain CMMC requirements, you cannot win the contract if you don’t meet that requirement. The verification component comes in where that third-party assessor does an assessment and either says yay or nay. CMMC is a pass-fail type situation.”

Short-term and Long-term Benefits

Heidorn pointed out the short-term and long-term benefits of CMMC in regard to the fight against cybersecurity threats.

“I think everyone is watching to see if this moves the needle, in terms of sensitive data being breached,” he explained. “DoD has used the statistic of $600 billion lost annually to cybercrime across all industries. I think everyone’s waiting to see if programs like CMMC have a measurable impact on that.

“In addition, the DoD for the first time will, believe it or not, know which companies are actually doing work for them. To date, the DoD has only known about prime contractors; they don’t know about all the little companies that are subbing out work, which represents the majority of suppliers. Having that awareness seems critical to our national security.”

Heidorn continued, “I think the security practices prescribed in CMMC, especially at Level 3, are very good practices that are best practices in the cybersecurity industry. By being forced to have to implement some of these things, certainly they’re aligned with what the cybersecurity industry is saying that organizations should be doing to protect sensitive data. Being forced to do the right thing, you’re still doing the right thing.”

Rollout Process

CMMC was introduced in the first half of 2019. Heidorn said that DoD plans a five-year rollout, with every single DoD contract by the end of that period, FY 2026, requiring CMMC certification at one level or another.

He noted that there might be a “slower, measured rollout” in 2021, with a certain number of contracts having the CMMC requirement, as many companies prepare for certification in the future.

“In my opinion, DoD has made it clear that this is real; it’s not going away,” he said. “You have to prepare for it.”