CMMC compliance reckoning for defense contractors arrives
Cybersecurity Maturity Model Certification (CMMC) requirements have officially arrived for the defense industrial base, the global network of businesses that produce the materials, components and services that support the Defense Department, and for a huge number of those companies the clock is now running.
With DoD's publication of the final rules in September, the department can formally include CMMC requirements in its solicitations and contracts starting Nov. 10. The rollout is phased: within three years, nearly all DoD solicitations will require contractors to meet one of three levels of cybersecurity requirements.
A number of forward-thinking companies are already proceeding as if third-party certification of CMMC compliance, for themselves and their subcontractors, were mandatory today. For a big chunk of the DoD contracting ecosystem it will be over the next 12 months, as supply chains recognize both the risk of waiting and the advantage of moving first.
Yet industry estimates suggest that only around 200 companies have been assessed so far by authorized third parties, even though up to 80,000 firms, plus many of their subcontractors, will soon be required to be officially vetted for Level 2 certification.
A crisis brewing
Given the small number of early adopters, it's reasonable to assume that a CMMC crisis is brewing at many companies: some are panicking, some are in denial that a certification requirement is really here, and some are underestimating what compliance and certification actually entail. Others are travelling a complex, expensive path toward compliance that may lead to success, or may lead only to more complexity and expense.
We know of many companies that put action on the latest phase of CMMC on the back burner because, for so long, there was no firm timetable for rollout. That approach has undoubtedly created significant risk and competitive disadvantage for many businesses, because there is now very little time to act.
Taking a step back, the CMMC framework aims to ensure that defense contractors can adequately protect controlled unclassified information (CUI) and federal contract information (FCI). Several hundred thousand companies have been self-reporting at Level 1, which does not involve a third-party assessment. Level 2 not only demands an assessment, it also requires compliance with 93 more practices than Level 1 does.
The challenges
We convened some of our counterparts in the IT and compliance world, including cybersecurity risk management expert Gray Analytics, to discuss CMMC compliance issues percolating for defense contractors. Here are some of the collective observations:
- Limited qualified resources: As mentioned, nearly 80,000 firms will need Level 2 certification. But there are only about 70 firms authorized to provide assessments and certification. These companies are known as CMMC third-party assessment organizations (C3PAOs), and they are accredited by the Cyber AB, the CMMC accreditation body. They, along with the CMMC certified assessors (CCAs) who work under them, may be among the only sources of truly effective gap analyses and guidance for defense contractors and subcontractors that need to succeed with Level 2 CMMC certification.
- Too many unqualified resources: Many companies are relying on, or building, in-house capabilities to conduct a gap analysis and then carry out the resulting remediation. Or they are entrusting the work to consultants who may not be well-versed and experienced enough in CMMC. As a result, many of those companies could fail the certification assessment and have to go back to the drawing board, losing more time, money and contracts, both current and prospective.
- Narrowing opportunities: Many big defense contractors are starting to weed out their subcontractors, sticking with those that have been assessed by a C3PAO and are certain to be in Level 2 compliance. In these contractors' view, it is critical to be well along in preparation, because remediation takes time and waiting will be costly.
And then there is the challenge of a company's actual IT environment: hardware, software, processes, procedures, workflows and continuous updates. CMMC puts pressure on that whole function. Some companies may be best served by finding a qualified provider of an external IT platform they can consume as a service or utility. That raises the questions of whether doing so is feasible and which provider to go with.
Important steps
Given this daunting, time-compressed backdrop, what is a company to do? Here are key steps to consider:
- Review contracts carefully. Companies with DoD contracts or subcontracts should review what they have signed, or are planning to sign, extremely carefully. If there is Defense Federal Acquisition Regulation Supplement (DFARS) language in the contract, such as the DFARS 252.204-7021 CMMC clause, you will probably need to be CMMC compliant, perhaps at Level 2.
- Understand CUI. If that is the case, then you will need to do the work to really understand CUI and whether you will be handling that kind of information. The National Archives publishes the detailed CUI categories and handling requirements, and DoD offers free CUI training, which may be mandatory for you.
- Assess business impact. Look at the company's book of business and pipeline to determine whether it is worthwhile to move toward assessment-proof CMMC compliance. If defense work involving CUI is only a tiny part of the corporate strategy, it may not be, and forgoing certain contracts may make more sense. Or it may be extremely worthwhile, even an imperative.
- Identify internal expertise. If the latter, determine whether there is someone at the company well-versed in CUI and in what CMMC compliance entails who can spearhead the process and gather the right resources.
- Choose the right partner. If there is no superb internal resource, look for outside help. But that is easier said than done. As noted, only a small group of firms qualify as C3PAOs. Some outfits staffed by CCAs are also effective; others may have less, or no, experience doing the work.
- More due diligence. If you cannot engage a C3PAO and must turn to the cyberab.org marketplace for a list of CCA firms, it is critical to ask the ones you speak with for references at companies they have helped successfully pass an assessment. If they have not done so yet, it is probably best to move on.
These steps should get you through a gap analysis and give you a clear picture of what must be done to pass an assessment.
From there, you will need to make sure your IT environment can meet all the requirements. If the company uses a managed service provider or cloud service provider, you will need to evaluate, with the help of a C3PAO or reliable CCA, whether your service provider is CMMC-focused enough and will stay ahead of evolving requirements and updates.
If you need to switch service providers, it may be worth searching for one with a compliant, CMMC-ready platform that amounts to IT-as-a-service. This would probably be a service provider that holds, or is moving rapidly toward, FedRAMP authorization; under DFARS, cloud services that store or process CUI must already meet the FedRAMP Moderate baseline or an equivalent. That would signal that the provider continuously evolves its approach to the security requirements of federal agencies.
An existential challenge for the whole defense industrial base
Looking at the big picture, CMMC compliance represents an existential challenge not just to companies that know they will be subject to Level 2 certification. Companies in the Level 1 category, where they simply self-report, may in fact need to withstand an assessment too. If there is a data breach at the firm, DoD will automatically hold what was self-reported to Level 2 standards. If the company does not live up to what it reported, it will, at best, need to scramble. At worst it could be a business-destroying problem.
The bottom line: CMMC compliance is arriving fast and demanding much, hitting the defense industrial base with force and speed. Be prepared.
Rob McCormick is CEO of Avatara.
The post CMMC compliance reckoning for defense contractors arrives first appeared on Federal News Network.

© Getty Images/phakphum patjangkata