4 steps to turn CMMC compliance into a competitive advantage
- By Elizabeth Niedringhaus
- Nov 30, 2020
The clock is ticking for defense contractors to ensure their systems and processes comply with the Department of Defense’s updated regulations, including Cybersecurity Maturity Model Certification (CMMC) requirements.
Chances are, most of the more than 220,000 contractors and subcontractors that conduct business with the DOD have heard about the CMMC’s big changes. But what they may not realize is that, increasingly over the next five years, contractors without CMMC certification will be ineligible to compete for DOD contracts unless they take stock of their networks and physical IT processes and upgrade as required.
After years of development and discussion, the DOD will begin implementing a first step toward CMMC on Nov. 30, when the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Final Rule takes effect, requiring DOD contractors and subcontractors to complete scored self-assessments on their compliance with the National Institute of Standards and Technology’s 800-171, the precursor to CMMC security requirements.
As a long-time DOD contractor, we have been managing these regulations and supporting other contractors in achieving compliance. In our internal surveys of DOD contractors, we’ve seen substantial confusion and uncertainty regarding CMMC, with three-quarters of respondents indicating that they were unsure or unprepared to address compliance with internal resources, and more than half indicating that they have not yet started work to achieve compliance.
The time to start thinking about compliance is now. The good news is there are steps contractors can take to help alleviate the confusion.
1. Start with a readiness assessment. Adapting to these requirements starts with planning. Developing and executing a compliance plan could take six months or longer, so a readiness assessment should be the first step. What areas of the business could be impacted by cybersecurity threats? What contracts sit on the horizon that will drive timelines? Are the right IT tools and policies currently in place to meet requirements? Does the business have the right internal resources or will it need consultant and vendor support? How much budget must be set aside to assess the current situation, complete the audits and remediate as necessary? These are critical questions to ask when starting to address CMMC.
2. Prepare for gaps. A readiness assessment should also identify which level of CMMC requirements the business requires so it can begin preparing to address any gaps. The CMMC requirements build on NIST 800-171 and include five levels of compliance, based on the nature of the company’s work with DOD. These compliance levels vary dramatically, from level one, which focuses on basic cybersecurity hygiene covering 17 controls, to level five, which covers 171 controls for contractors focused on highly sensitive DOD projects.
This analysis is critical because if initial compliance efforts result in a failed audit, remediation could extend the process further. After determining the level of CMMC compliance required for business today and in the future, businesses should evaluate the current environment, processes and IT and physical security systems for gaps. Collect evidence and document current IT policies and procedures as well as hardware and software against all applicable CMMC requirements. At that point, the System Security Plan with Plans of Action and Milestones can be completed or updated.
This work will help in developing a prioritized plan for remediation as well as in submitting the scored DOD self-assessment to the Supplier Performance Risk System per the DFARS interim final rule.
3. Strategically remediate. With an understanding of the gaps, businesses can begin planning for server and workstation configurations, hardware and software installations and training for upgraded physical processes and cybersecurity awareness.
During this phase, they should consider cybersecurity-as-a-service solutions that help automate security processes for ongoing CMMC compliance. Experienced CaaS providers can often provide policy templates, as well as a vetted tech stack of IT tools mapped to specific requirements.
For small to medium-sized businesses, this is often the simplest way to manage the necessary investment and to ensure ongoing compliance and the flexibility to adapt to new requirements. They should be sure to look for providers that have a track record with the DOD and understand the nuances of defense contracting.
4. Monitor for performance. Once remediation is complete, action should be taken to ensure continuous monitoring and remediation of potential issues, along with ongoing auditing and collection of evidence to support policy compliance. Internal self-assessments should be conducted at least once annually.
CMMC compliance is a daunting task for many DOD contractors, but with proactive steps, it can provide a competitive advantage. Those who can demonstrate that they are actively working towards compliance under the interim final rule will be best positioned to protect their existing business when contracts come up for renewal and the DOD pushes the CMMC standard over the next three years. Of course, they will also be well positioned to seize new DOD opportunities as they arise.
Combine technology + human experience
These steps provide a general framework for achieving CMMC compliance, but the complexity of initial remediation and ongoing compliance will vary widely. It is important to keep in mind that technology is only part of the solution. Technology standards account for about two-thirds of CMMC controls, with the other controls focusing on physical practices guiding employee efforts to protect sensitive information.
This means that, ultimately, there is no such thing as a one-size solution for businesses adapting to CMMC. Particularly for smaller businesses that lack in-house IT resources, do-it-yourself solutions can be risky as well. Experienced, trusted consultants who can support complete CMMC gap assessments, remediation and ongoing compliance efforts can accelerate the work of matching those efforts to a specific business’s needs. Contractors should seek partners with experience in both technology and physical security solutions, along with the capabilities to support ongoing compliance as business opportunities evolve.
Elizabeth Niedringhaus is president and CEO of SSE.