People like to say that cybersecurity threats are constantly evolving. So perhaps it’s fitting that cybersecurity compliance is undergoing a significant evolution of its own this year, too.
That evolution is the arrival of the Cybersecurity Maturity Model Certification, more commonly abbreviated as CMMC. CMMC is a new standard for cybersecurity that the U.S. Defense Department is rolling out to defense contractors, requiring companies to enforce new oversight across their operations and down their supply chains.
The Defense Department’s goal is to make CMMC a standard clause for all defense contracts by 2026, including higher education institutions that do government-sponsored defense research; and professional services firms that provide consulting to the Defense Department.
Even if you are not a prime defense contractor, CMMC is still likely to join your list of compliance obligations sometime soon.
Before we begin to consider the challenges to implementing CMMC into your risk management and compliance programs, let’s address some of the most commonly asked questions about CMMC.
What does CMMC replace?
CMMC replaces the current government contracting rule known as DFARS, the Defense Federal Acquisition Regulation Supplement. DFARS requires government contractors to implement the cybersecurity standard known as NIST Special Publication 800-171, which spells out privacy and security standards for “controlled, unclassified information” (CUI).
Does CMMC have an entirely new set of controls to implement? Will I need to reinvent the wheel?
Not exactly. CMMC pulls together security controls from a variety of cybersecurity standards. NIST 800-171 is one of those standards, but others are involved too, such as NIST 800-53 and certain aerospace defense standards.
CMMC then establishes five levels of cybersecurity “maturity.” The more controls you implement, the higher your maturity level, and the more contracts your business would be eligible to bid on.
Who determines that maturity level?
Your security program will need to be assessed by certified third-party assessment organizations (3PAOs). The Defense Department recently established a board that will certify those independent assessors. Ultimately, they’ll be the ones who confirm that your security program meets expectations for each maturity level.
Does my business need to achieve the highest maturity level?
Not necessarily. If you only bid on defense contracts with low-security risks (say, supplying foodstuffs), you might need only the “basic” (level 1) maturity level. If you want to bid on projects with high-security risks (say, mission-critical technology for satellite imagery), you would likely need the “advanced” maturity in level 5.
How quickly will CMMC go into effect?
The Defense Department is starting CMMC compliance only with a select number of large “prime” contractors this year. More and more contractors will be subject to CMMC over the next five years until all defense contracts require CMMC compliance in the fiscal year that starts on Oct. 1, 2025.
The U.S. government has no plans right now to expand CMMC beyond the Defense Department — but “right now” is the crucial phrase here.
How to Begin CMMC Compliance
The first step in CMMC compliance is to understand what level of maturity your business wants to achieve. One part of that task is to review the CMMC standard itself and the controls associated with each level. Another part is to ask senior executives how much of their business strategy depends on defense contracting or working within the defense industrial base.
For example, will your business only ever pursue defense contracts with relatively few security issues, so a lower maturity level is all that’s necessary? Is the business likely to merge with a prime contractor sometime soon, where preparing for a higher maturity level might make you a more attractive acquisition target? The compliance maturity you want will depend on the strategic objectives that senior executives set. Understand those objectives and explain to senior leaders that their objectives will have implications for CMMC compliance.
Then will come the true challenge of assessing your current cybersecurity regime and implementing remediation steps necessary to bring your program to the CMMC level you want to achieve.
Effective technology will be indispensable because of the sheer volume of work likely to be involved. You will likely need to juggle pieces of several cybersecurity frameworks to identify policies, procedures, and other controls that need attention; and you’ll need a way to monitor that all mitigation work is done in a timely manner; and you’ll need to document your progress to pass the independent assessment that awaits at the end of your program update.
Perhaps the most critical step you can take for CMMC compliance is to establish the understanding that CMMC is inevitable and will be a complex undertaking throughout senior executives, the board, and other executives in the First and Second lines of defense of your business.
Expect some back-and-forth among risk managers, the CISO, your data privacy team, your procurement function if you have one, and leaders of other business operating units. Expect thorough work to develop effective controls, test them, and document them.
It’s going to be a long journey, with the occasional bump along the way. On the far side of CMMC compliance, however, your business will have a better cybersecurity posture and be able to bid on contracts from one of the biggest customers around – the U.S. Defense Department. Not too many boards and CEOs would be unhappy with that.