What does CMMC really mean for small businesses?

The recent emergence of the Cybersecurity Maturity Model Certification initiative essentially ups the ante for its Defense Industrial Base.

As a small business, you have an area of expertise, and then there are a lot of departments where you just don’t have the manpower or bandwidth to give it adequate consideration. That is certainly the case when it comes to concerns like payroll, accounting or HR. Now consider how significant your records are and how you keep and secure your computer documents and policies. The security of your organization’s data and that of your clients is going to be essential to your survival. One data spill can shutter your doors, ruin your reputation, and cost you staggering fines. Now more than ever, businesses do not have the luxury of ignoring the implications of inadequate data management and security.

What It Means, and Why

The recent emergence of the Cybersecurity Maturity Model Certification (CMMC) initiative, which effectively builds off of the tenets of the DoD’s existing DFARS 252.204-7012 regulation requiring contractors to at a minimum “self-certify” their implementation of proper security practices, essentially ups the ante for its Defense Industrial Base by now independently verifying that they have the proper controls in place to protect the government’s data before doing business with them.

Translation: If you currently do work for the DoD or plan on doing work with them in the future, from mowing the lawn to handling freight, you have some digital hygiene to do – NOW.

In response to the growing numbers of cyber-attacks, the CMMC initiative has updated its requirements. An interim rule that takes effect November 30 states that there is an “urgent need for DoD to immediately begin assessing where vulnerabilities in its supply chain exist and take steps to correct such deficiencies.”

The rule in the Defense Federal Acquisition Regulation Supplement (DFARS) requires defense contractors to undertake specific data security corrections through the DoD’s Basic Assessment process, which are submitted to the Supplier Risk Management System. Additionally, defense contractors are required to have certification under the CMMC framework, which assesses security processes and practices. These assessments are now to be carried out by CMMC Third-Party Assessment Organizations, rather than through self-certification.

What should SMBs do?

What that means for small businesses is they need to start the process for getting their CMMC certification. By starting now and spending incrementally, SMBs can use advisory services that charge fixed prices and help steer clients in stages.

Everywhere you look, there are CMMC service providers hawking their wares. It’s beginning to look like a bakery section. What do you need to consider when you’re looking for an advisor to support your organization in this certification?

  1. Go with an organization that has a track record for cybersecurity advisory services and staff who actually are tracking CMMC. The challenge is that it keeps evolving so what was a proposed agenda in July is not necessarily the same in November.
  2. Get fixed price options for CMMC advice. What role and services do the team provide? An initial assessment should be a small fee in order to understand your business and level of work within the DoD, as well as what kind of data you handle. Estimates will vary depending on the work and risk.
  3. Don’t sign with anyone without getting at least two estimates. It’s worth your time to do some reference checking or at least compare prices.

The reason for these increased security measures around CMMC is simple. If you work for DoD, in any capacity, you likely store some form of information that could be exploited as a vulnerability to our government’s defense. To shore up our defenses the CMMC requires all vendors that work for the DoD to take responsibility for their data and how it is managed. Verizon’s 2020 Data Breach Investigations Report indicates small businesses account for 58% of data breaches. The adage that “it’s not if, but when” an attempted data breach occurs is in play here.

There is no better time than the present for businesses to start evaluating your business’ cyber roadmap and developing a risk management protocol. In the face of a national transition, the process of meeting new requirements is a collaborative one.

The necessary resources, tools and subject matter expertise are plentiful and accessible within the federal ecosystem. Not only is this the cost of doing business but it’s our responsibility as citizens. We are all on the same path of continually ensuring the security of our data, the compliance of our businesses, and contending with the implications of cyberthreats. Together with a trusted advisor, your small business can manage CMMC and continue to work for the DoD.

Les Buday is the director for cybersecurity at HumanTouch, LLC in Tysons, Va.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    (Getty Images/iStockphoto/peshkov)Creative binary code and digital padlock background. Programming and password concept. 3D Rendering

    Defense companies asking for leeway with CMMC compliance

    Read more
    (AP Photo/Charles Dharapak)FILE - This March 27, 2008 file photo shows the Pentagon in Washington. In a first for the Pentagon's push to develop defenses against intercontinental-range ballistic missiles capable of striking the United States, a missile interceptor launched from a U.S. Navy ship at sea hit and destroyed a mock ICBM in flight on Tuesday, officials said. (AP Photo/Charles Dharapak, File)

    Pentagon reveals first contracts to serve as pathfinders for CMMC

    Read more