The Defense Department’s implementation of the Cybersecurity Maturity Model Certification (CMMC) has been met with mixed feedback, but not all negativity is as prescient as it seems. There is valid concern surrounding cost-demands for small businesses hoping to win contracts with the DoD, but talk has been more reactionary than strategic. Do not be overwhelmed by fear, uncertainty and doubt — consider instead that CMMC is part of the larger need for a cybersecurity program within your organization.
Managing cyber risk is a cost of doing business in today’s digital world. Embracing cybersecurity as part of the business’s overall risk management strategy will better position you to remain a viable member of the DoD’s ecosystem.
No one needs to be reminded of the severity of this past year’s cyber-attacks, signaling an imperative strengthening of security measures across the federal government. National security is at stake and CMMC seeks to place some security responsibilities with prime and subcontractors, depending on the degree of vulnerable data with which they work.
In light of attempts to exploit the expansion of the federal government’s threat surface, a standardized security model should be non-negotiable for all that handle government data. Server message blocks make up more than 50% of the targets of cyberattacks in the U.S. Having and handling major government data, yet often lacking up-to-date and robust cybersecurity measures, small business contractors are a natural target for hackers and bad actors.
While achieving CMMC certification seems daunting, there are reasonable steps businesses can take now to start the process and manage their compliance journey for maximum effectiveness, to include designing a cyber risk program that balances security with the needs and capabilities of your business.
Consider your business model in the context of what work and services you provide to the government. Where does your business fit on the supply chain for the federal government? A business tasked with providing landscaping services to federal properties, for example, likely handles no CUI therefore their cyber risk will be significantly lower than a business that is tasked with developing weapons systems.
Between 70-80% of the defense industrial base will only need CMMC Level 1 — ever. For organizations needing to meet CMMC Level 3 and above, the costs associated with both the resources and automation required to manage your company’s cyber risk posture will rise. Achieving higher levels of maturity under CMMC requires on-going management of the day-to-day operationalization of your cybersecurity capability; as it becomes more robust (i.e., mature), the cost of maintaining that capability also increases. It is, however, nowhere near the cost of a data breach in terms of litigation, ransoms, disaster recovery, reputation and/or fines. That is expensive.
Not sure where or how to start? Hire an advisor. This is where hiring an agnostic services advisor for a set goal can really help your organization. Agnostic services providers prioritize what best serves your business needs, as opposed to selling one partner’s formula of wares and services. It is not as counter-productive to cost savings as you might think. Consider the whole cyber landscape of your organization and from which point you are starting. Where and how are your business needs located from an IT perspective — on-premises, in the cloud, or both? Are you spending more than you need to on storage and security?
CMMC is definitely not a one-size-fits-all formula, so it helps to have an expert opinion on the best course of action for your specific business and business model. Even if you are unsure of what your business’ target CMMC level needs to be to bid on DoD contracts, it is important to begin the certification process in any way you can. At the very least, start at CMMC Level 1 and strive for performing basic cyber hygiene regardless of whether your company will ultimately have to meet a higher-level certification — better to act now than to do nothing at all.
From there you can gain a better understanding of where you will fit into the CMMC framework and establish more robust cyber hygiene goals accordingly. Meeting this compliance standard is not a single event, but a process — a continuing process that involves certification measures to be overseen on a day-to-day basis.
Implementing the requisite CMMC measures will create an additional cost burden — but think about it as a crucial part of your organization’s overall risk management strategy. Start by understanding your cyber risk to determine where to focus your efforts. Leverage this knowledge to shape your cybersecurity program, to include prioritizing tasks and expenditures. At this point, you can begin making reasonable assurances to your customers and partners that you are making informed decisions related to the security of the information you are managing. Doing nothing is certainly more costly in terms of time, reputation, security and lost opportunities.
Les Buday is a cybersecurity expert and Director of Cybersecurity at HumanTouch, LLC in Tysons, Virginia. He is also a PMP and a Registered Practitioner (RP) under the CMMC Accreditation Body.