It has been more than two years since the Defense Department first rolled out the Cybersecurity Maturity Model Certification. The basic premise of CMMC is that all contractors and subcontractors in DoD’s supply chain, with the exception of commercial off-the-shelf product providers, would have to obtain a third-party certification of their cybersecurity proficiency before performing an awarded contract.
From the time of the rollout, a lot of significant work has been accomplished by DoD and its industry partners: a detailed cybersecurity hygiene model was rolled out, the accreditation body (AB) was established, training was created and, seven contracts were identified as the first DoD contracts that would require CMMC. Further, numerous providers have undergone the time and expense to become a registered provider or certified assessor in the AB ecosystem. Contractors have also spent significant funds to review their systems against the CMMC model to prepare for certification.
The establishment of CMMC was for good reason: Cybersecurity threats are increasing and growing more sophisticated and DoD has compelling evidence that contractor compliance with existing cybersecurity self-certifications is deficient. The specter of CMMC as a future requirement in all DoD contracts, coupled with near-term requirements for Supplier Performance Risk System (SPRS) score reporting, has gotten the attention of many Defense industrial base (DIB) members. They are taking a hard look at their cybersecurity posture, and are finding, in large numbers, that they are deficient. This means that they were not sufficiently motivated by the pre-CMMC regulations.
Because of CMMC, these companies are taking action and are undertaking security remediation projects, IT transformation projects and cloud migrations. They are implementing security technology and services to address holes in their cybersecurity defenses. These companies were spurred into action by CMMC, and the security improvements they are undertaking are addressing longstanding risks that were otherwise being ignored.
In April, Federal News Network reported that DoD was undertaking a review of the CMMC program. A review is welcome because as much as DoD has accomplished, there is still room for improvement:
Even so, the DoD’s internal review has lasted more than four months, and many contractors are waiting on the sidelines to commit to the CMMC program until the review is complete, to ensure that they are not needlessly investing in an ecosystem. To be clear, while the contractors we speak with have prioritized instituting robust cybersecurity controls, there are a number of different paths to accomplishing robust cybersecurity hygiene. Many contractors will not buy into the CMMC path until they can be confident that DoD will continue to support that path.
What we have seen validates the basic premise behind the necessity of CMMC: Implementation of current Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements, such as DFARS 252.204-7012, which requires compliance with NIST Special Publication 800-171 (among other things), has been largely incomplete and inconsistent. After meeting with hundreds of companies about CMMC, Ed did not find a single company outside the ranks of the “majors” that was “good to go” in terms of cyber before CMMC. Perhaps DoD would be able to release some aggregate statistics on early SPRS score reporting to back this up. And of those who have submitted 110 scores, it’s likely few would have achieved that same perfect score if spot checked prior to CMMC being announced.
There is great interest in CMMC outside the DoD. Other agencies have expressed interest. The recent executive order on cybersecurity emphasizes common cyber standards across agencies. Insurance companies are vetting cybersecurity posture to support underwriting decisions and will likely welcome a recognized standard for cyber hygiene.
All of this leads to the inevitable conclusion that CMMC is here to stay and once some simple changes are made, the time for implementation is now.
Eric S. Crusius is a partner with Holland & Knight government contracts group. Among other things, he regularly counsels contractors regarding cybersecurity compliance issues and helps clients work through breach notification requirements.
Ed Bassett is the chief information security officer at NeoSystems, a cybersecurity managed services provider. He has been building and delivering managed security services for 20+ years and consults on cybersecurity operations strategy to government and commercial organizations.