What we’re talking about:
● The DoD says “enough is enough” with faulty defense contractor cybersecurity
● CMMC (Cybersecurity Maturity Model Certification) now required before a government contract can be awarded
● Change up: DoD now intends to make security “the foundation of the preexisting acquisition criteria”
We’ve heard all the acronyms: COBIT, COSA, CSA, NIST and the various iterations of CMMC. We know the frameworks. Typically a new version means a few more tweaks, a few more audits, and not much else changed in between.
A New Format – CMMC
Now, the industry is shifting from a flat compliance model to measuring cybersecurity maturity. It’s a different metric. Graded on a scale, the new method evaluates not only the rigor of an enterprise’s security posture but how well that posture is integrated toward achieving its security aims. It presents a holistic picture of how developed the company’s security strategy is, revealing much more than a pass/fail audit.
Pre-Digital Transformation: It was easy to present a checklist of the required compliance standards and measure yourself against it. This presupposed that whoever made the standards had full visibility of threats and planned accordingly. The perimeter was marked, and compliance regulations were formed around it.
Current Digital Transformation: The perimeter has evaporated, and every company must become its own captain. The new CMMC levels look at how proactive and integrated the cyber stack is, instead of seeing how well it can follow orders. With threats too varied and prolific for any one set of standards to fully encompass, a model like the CMMC encourages cybersecurity maturity and autonomy.
CMMC: Required to Get Awarded a DoD Contract
So how will this play out? Beginning in the fall of this year, the Department of Defense is cracking down hard on holes in the cybersecurity supply chain of its contractors and making sure they attain a minimum level of maturity before they play. According to one report, “the [DoD intends] to make security the foundation of the preexisting acquisition criteria (cost, performance, and schedule).” MITRE findings released last year revealed that most defense contractors were not meeting the minimum security requirements of the current DFARS 7012, nor did they know how. The DoD said that’s enough.
Working with the Johns Hopkins University Applied Physics Laboratory (APL) and the Carnegie Mellon University Software Engineering Institute (SEI), the DoD combined, reviewed and synthesized existing standards (relying heavily on NIST 800-171) to create one unified whole against which all defense contractors, third parties and subcontractors will be measured. The CMMC requirements will be implemented this year, and this time – they’re more than best practice.
The kid gloves are off – whereas before you had the option of getting DFARS 7012 certified after the bid, this time, you can’t get awarded unless CMMC certifications are met beforehand. Before, it took a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M), and a slap on the wrist (plus some fines) if you weren’t entirely truthful.
Now, it could cost you the bid.
Who Does CMMC Apply To?
The Cybersecurity Maturity Model Certification (CMMC) is for everyone – not just direct contractors, but anyone in the defense upstream. With more and more supply chain attacks, the DoD now requires certification from all third parties, subcontractors, and vendors doing business with the defense industry in any capacity.
“The CMMC level requirement will flow down to all subcontractors regardless of size or function,” although different levels of certification will be required. Future RFPs will require CMMC compliance regardless of your exposure to Controlled Unclassified Information (CUI).
For more information, check the FAQ page by the Office of the Under Secretary of Defense (OUSD).
This could level the playing field and weaponize a lot of defense industry hopefuls. The number of contracts you can bid on will be directly proportional to your CMMC certification level, and a well-mechanized CMMC infrastructure could spell the difference between typical awardees and cyber-compliant competitors with an edge.
How Do I Prepare for CMMC? The Port53 Solution
As many contractors move to the cloud to facilitate CMMC frameworks, Port53 is the cloud security expert uniquely positioned to “make IT simple” and “cut out the noise” of the industry headlines – including this one.
Cloud or no cloud, we work within your enterprise to get you to the correct CMMC level by the time you bid, putting you ahead of the competition.
While simple, the steps necessary to become CMMC certified can be deep and labor-intensive.
Step 1: Assess & Benchmark: Identify a baseline. Figure out where you are on the CMMC roadmap and establish your position. We perform a comprehensive security posture audit to accurately assess your bearing.
Step 2: Decide & Plan: What CMMC level do I need to reach? This depends on the type of contracts you bid on. You will be told which CMMC level (1-5) is required for your contract in the RFP. Acquisition teams will determine this beforehand, and it will be a “go/no go decision.”
For example, contractors may be required to achieve a level 4 certification, whereas subcontractors, only a level 2.
Step 3: Deploy & Integrate: Fill the gaps. Now you assemble the team, enact the plan, find and integrate the solutions.
Step 4: Check & Measure: Time to reassess. It’s time to move away from the checklist approach to compliance and towards a proactive and adaptive approach to cybersecurity.
You could try to do it yourself. You could read through the 351-page documentation. You could attend the lectures, follow the labs, subscribe to the newsletters, and take the notes. Then, maneuver your way through the months-long process above. Or, you could allow Port53 to curate every step of your CMMC implementation.
At Port53, you’ll find everything you need to achieve and attest to your desired level of CMMC compliance. With us, you’ll be able to benchmark and assess your current security posture, determine what level you want to achieve, analyze gaps, create a roadmap towards success, implement the solutions needed to get you there, and then reassess to measure your progress.
Use our consultants to build your roadmap, double-check your work, keep abreast of the latest developments, and have a team of experts in your back pocket. With bids on the line and companies scrambling to meet the certification requirement, the enterprises that adapt their security posture the quickest will be best positioned to succeed.
Contact our CMMC Team to get set up.