Insight by Summit7

Risk and Compliance Exchange 2024: Summit 7’s Jacob Horne on why CMMC 2.0 is ‘the finish line, not the starting line’

Misconceptions about CMMC 2.0 pervade the Defense contracting world, leaving some contractors underprepared, the Summit 7 chief cybersecurity evangelist says.

One specific clause in the Defense Federal Acquisition Regulations, DFARS 252.204-7012, has required important cybersecurity measures from defense contractors since 2013. But until a series of consequential contractor data breaches affected major U.S. weapons systems, no one had thought to verify that those measures were in place.

So in 2020, when the Defense Department first began talking about the Cybersecurity Maturity Model Certification to verify compliance, many contractors who weren’t aware of the DFARS clause thought DoD was imposing new cybersecurity regulations. While that’s not true — CMMC only verifies DFARS’ existing requirements — the misunderstanding has persisted.

As Jacob Horne, chief cybersecurity evangelist for Summit 7, often reminds people, “CMMC isn’t making you do the requirements. It’s making sure you did the requirements.”

Now that CMMC 2.0 is here, the window for defense contractors to implement the DFARS requirements and get ready for CMMC verification is quickly closing. But because of this misunderstanding that CMMC requires contractors do something new, many have not yet begun to prepare.

“People associate the CMMC program with imposing these requirements as net new things and that causes them to hesitate” said Horne during Federal News Network’s Risk and Compliance Exchange 2024. “It makes them slow to prepare for CMMC because they think that when the CMMC program is final, that’s the day to start. CMMC being finalized is actually the finish line, not the starting line. That misunderstanding has caused massive issues in terms of people’s readiness.”

DoD’s response to the initial backlash against CMMC in 2020 did not help matters. After the department rescinded CMMC, its fate was considered largely up in the air throughout most of 2021. Then, DoD announced a new round of rulemaking to codify the process — a lengthy and nuanced bureaucratic exercise that took around two years to complete.

During that time, CMMC “went down the memory hole,” Horne said, as many contractors took an out-of-sight, out-of-mind approach.

But Horne called that precisely the wrong tack. A new round of rulemaking is a significant investment in time, effort and money and was a clearer signal of DoD’s commitment to CMMC as a program. Betting against it starting was always a losing bet, he said.

CMMC verification: Show your work

That’s why CMMC 2.0 is DoD actually telling contractors that it’s time to show their work and verify that they’ve met already established cybersecurity requirements, Horne said. Contractors who can’t do that will essentially be locking themselves out of Defense contracts until they can meet those requirements, which for sizeable organizations could be a multiyear process.

Combine that with concurrent efforts to reduce procurement action lead times — the amount of time between solicitation and contract award — and Horne said defense contractors will only have on average three months after solicitation to meet CMMC’s conditions for contract award.

“After the CMMC 2.0 rule has come out, if you wait for a solicitation to be your signal to get started on something that might take you 12 months to do, you have to be a robust and resilient enough company from a cash flow perspective to be able to go without work for several months,” he said.

There’s one other major misconception around CMMC that a number of contractors are laboring under: On the surface it seems that all they have to do is check off the 110 cybersecurity controls in the National Institute of Standards and Technology’s Special Publication 800-171. But that’s not how CMMC verification works.

On CMMC, ‘we know what the test looks like’

NIST SP 800-171 has a little-known companion document, NIST SP 800-171A. This companion document consists of a series of 320 determination statements that verify whether the requirements in 800-171 have been met, Horne explained. In other words, to prove they have met the 110 requirements in 800-171, each contractor must correctly answer the 320 questions in 800-171A. In fact, DoD even combined the two documents into one, which then became three CMMC assessment guides, one for each CMMC certification level.

“The advantage here is that we know what questions are on the test. We know what the test looks like,” Horne said. “There isn’t this huge jump for a lot of companies to go from where they are right now to proving what they’ve told the DoD — unless they have never heard of 800-171A.”

He added that it’s not unusual for contractors to give themselves a perfect score of having fulfilled all 110 requirements, only to have third-party assessors show up and determine it was actually closer to 10 because they didn’t use 800-171A. DoD has learned the hard way to adopt a “trust but verify” approach to self-attestation Horne said.

“The CMMC program is not an anomaly. This is a leading indicator of the way that cybersecurity policy at a national level is heading. What DoD has discovered ahead of other agencies is that if you don’t have an external verification mechanism, you cannot rely on self-attestation about the level of cybersecurity implementation in contractors,” he said. “Although CMMC seems like a weird Defense-space niche, I would say that it’s more like the canary in the coal mine.”

According to Horne, programs modeled after CMMC are coming to the broader federal ecosystem soon. The work within DoD is only the beginning.

Discover more articles and videos now on Federal News Network’s Risk & Compliance Exchange 2024 event page.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories