One Defense cybersecurity initiative from the Trump era is gaining steam in the Biden. That would be CMMC, the Cybersecurity Model Maturity Certification Program. In a program with many moving parts, all aimed at making sure Defense contractors can be trusted with controlled, unclassified information. Two cybersecurity companies in that CMMC ecosystem, found in a survey earlier this year that the program will be costly and difficult for contractors. To further discuss, Federal Drive with Tom Temin welcomed Apptega’s vice president of marketing, Scot McLeod and the director of consulting at SecureStrux, Thad Wellin.
Insight by RavenTek: Explore how infrastructure visibility is the first requirement for maintaining best performance in this exclusive executive briefing.
Tom Temin: So this survey found that it’s kind of like prostate health, everybody wants it, but nobody wants to have the tests to go through what it takes to get there. So give us the highlights from what you found from, what about, 150 companies?
Scot McLeod: Sure, Tom. So to start, we found that over 80% of the contractors and subcontractors told us that CMMC is an important initiative to protect sensitive information in the DoD supply chain. And in fact, none of the participants indicated that it was not important. I think we’re very happy to see that there’s large, or broad scale agreement, that this is an important and necessary initiative.
Tom Temin: All right, but that’s where the ‘buts’ begin.
Scot McLeod: That’s exactly right. In conjunction with that, almost a third of the participants also indicated that while they feel like it’s important, that it will include unnecessary burdens and costs upon their organizations.
Tom Temin: And those costs would be what? In the obtaining of certification from a third party assessor, or the investments they might have to make in basic cyber? Thad?
Thad Wellin: Yeah. So that’s actually a combination of both. There is the investment that they need to make to be able to meet all the controls for whatever level of CMMC they’re going to require. And then there is kind of an unknown cost right now, what the costs will be to actually get the audit completed. The other huge challenge that CMMC imposes, it’s an all-or-none type of certification. So you either meet every single aspect of that level of certification — the levels one through five — and if you don’t meet every component of that — you don’t have every control that the auditor agrees is compliant — then you don’t achieve that certification. That’s one of the huge challenges is CMMC does not allow a plan of action — a milestone — for controls that aren’t completely met yet.
Tom Temin: It’s almost like hanging the shingle as a CPA. You’ve got to do all segments of the tests, you can’t have like a four-and-a-half, basically then?
Thad Wellin: Correct. 99.9%, that’s not good enough. And that’s one of the challenges that CMMC is and will impose, and is unlike a lot of the other type of certifications, such as the risk management framework that is used for the federal government and for the DoD to manage their own networks, they do allow POA&Ms, because they have what’s called an authorizing official that manages risk. And it says, okay, we accept the risk for this. We allow a POA&M. And there’s an actuable plan to be able to become compliant, but we’re still gonna award the ability to operate, while that POA&M action is happening. And that’s one of the huge challenges that CMMC will impose. And contractors will fill that pain.
Tom Temin: We’re speaking with Thad Wellin, he’s director of consulting at SecureStrux and with Scot McLeod, vice president of marketing at Apptega. And do you get the sense that at this point, there is a reference point here, and that is NIST 800-171 Special Publication that spells out the controls, do you get the sense that even before all of this apparatus is up and running, that companies are starting to compare their cybersecurity practices against what’s in 800-171 and starting to fill those gaps ahead of time?
Thad Wellin: Yes, absolutely. And one of the things that’s a huge difference between NIST 800-171 and let’s just say CMMC Level 3, because they’re basically apples-to-apples comparison as far as controls, so, all 110 controls that are NIST 800-171 are included in CMMC Level 3, plus 20 additional CMMC specific controls. The biggest issue isn’t the fact that all the controls are met for 171, it’s the fact that CMMC is a maturity model. So, maturity in your processes is a big part of achieving CMMC Level 3, versus being compliant with 800-171. And the simple fact is, is 801 71 compliance does allow POA&Ms.
Tom Temin: Got it, and just spell that for us.
Thad Wellin: Plan Of Action and Milestones.
Tom Temin: Okay. And, Scott, a question for you is, do you sense that companies anticipating this have faith that regardless of the assessor that comes in to certify them, that they’ll get even-handed treatment and the assessors, in effect, will be plain vanilla, it won’t matter who you get with respect to how ready you are to passing.
Scot McLeod: I think the process that’s taking place right now with the CMMC advisory board is expected to keep that playing field level. Do what they can to maintain consistency from one assessor to the next. But, even if the playing field is a little bit on level there, we’re seeing some other really interesting takeaways from the study related to that. One in particular is that assessments are not being done right now, they haven’t gotten that far in the process. But organizations that are being proactive and getting aligned to CMMC now, even though it may be some time before they’re officially assessed, in the study we saw that almost 50% of the organizations that participated indicated that they expect to see business growth opportunities coming from this. Even though they feel like it’s going to impose undue burdens and costs, there will be some opportunities created. And in fact, both Thad and I have had interaction with DoD contractors and subs that have told us. In one case, I was speaking with a subcontractor about a week ago, indicated that they have already signed new contracts with some of the larger primes. And they believe that it’s, in part, because they were able to show them evidence of what they’ve already done to become CMMC compliant.
Tom Temin: And a follow up to that is the perception that this will result in better business opportunities. Does that perception go across large and small businesses, and primes and subs? Thad?
Thad Wellin: Yes, absolutely. We have had organizations, that are clients of ours, that have indicated that they have definitely seen a difference in the way that they interact with their primes. And the bottom line is when CMMC becomes a reality, and the new DFARS clauses 252, 204, 7019, 7020, and 1721 are imposed, and they do have CMMC requirements, in order to be awarded that contract, or in order for a sub to be part of that contract, they have to have the CMMC certification. So primes right now are making sure that their supply chain, their subcontractors that they work with on a day-to-day basis on a lot of their contracts, they’re making sure that they are sending out checklists. They’re validating that their subs are in line with 800-171. They have a score in what’s called SPRS, which is the government repository for where CMMC certifications are stored. And what is required right now to self-attest against 800-171, contractors are making sure that their subs are aligned with that. Because when it comes time to be awarded the new contract that has CMMC requirements, that their supply chain is going to be available to perform on those contracts.
Tom Temin: Thad Wellin is director of consulting at SecureStrux. Thanks so much for joining me.
Thad Wellin: Thank you.
Tom Temin: And Scot McLeod is vice president of marketing at Apptega. Thank you as well.
Scot McLeod: Thank you very much, Tom.