4 steps to turn CMMC compliance into a competitive advantage

Gap assessments, remediation and ongoing compliance efforts can accelerate a company’s strategy to meet Cybersecurity Maturity Model Certification requirements.

The clock is ticking for defense contractors to ensure their systems and processes comply with the Department of Defense’s updated regulations, including Cybersecurity Maturity Model Certification (CMMC) requirements.

Chances are, most of the more than 220,000 contractors and subcontractors that conduct business with the DOD have heard about the CMMC’s big changes. What they may not realize is that, increasingly over the next five years, contractors without CMMC certification will be ineligible to compete for DOD contracts, and certification requires taking stock of their networks and physical IT processes and upgrading as required.

After years of development and discussion, the DOD will begin implementing a first step toward CMMC on Nov. 30, when the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Final Rule takes effect, requiring DOD contractors and subcontractors to complete scored self-assessments on their compliance with the National Institute of Standards and Technology’s 800-171, the precursor to CMMC security requirements.

As a long-time DOD contractor, we have been managing these regulations and supporting other contractors in achieving compliance. In our internal surveys of DOD contractors, we’ve seen substantial confusion and uncertainty regarding CMMC, with three-quarters of respondents indicating that they were unsure or unprepared to address compliance with internal resources, and more than half indicating that they have not yet started work to achieve compliance.

The time to start thinking about compliance is now. The good news is there are steps contractors can take to help alleviate the confusion.

1. Start with a readiness assessment. Adapting to these requirements starts with planning. Developing and executing a compliance plan could take six months or longer, so a readiness assessment should be the first step. What areas of the business could be impacted by cybersecurity threats? What contracts sit on the horizon that will drive timelines? Are the right IT tools and policies currently in place to meet requirements? Does the business have the right internal resources or will it need consultant and vendor support? How much budget must be set aside to assess the current situation, complete the audits and remediate as necessary? These are critical questions to ask when starting to address CMMC.

2. Prepare for gaps. A readiness assessment should also identify which level of CMMC requirements the business requires so it can begin preparing to address any gaps. The CMMC requirements build on NIST 800-171 and include five levels of compliance, based on the nature of the company’s work with DOD. These compliance levels vary dramatically, from level one, which focuses on basic cybersecurity hygiene covering 17 controls, to level five, which covers 171 controls for contractors focused on highly sensitive DOD projects.

This analysis is critical because if initial compliance efforts result in a failed audit, remediation could extend the process further. After determining the level of CMMC compliance required for business today and in the future, businesses should evaluate the current environment, processes and IT and physical security systems for gaps. Collect evidence and document current IT policies and procedures as well as hardware and software against all applicable CMMC requirements. At that point, the System Security Plan with Plans of Action and Milestones can be completed or updated.

This work will help in developing a prioritized plan for remediation as well as in submitting the scored DOD self-assessment to the Supplier Performance Risk System per the DFARS interim final rule.

3. Strategically remediate. With an understanding of the gaps, businesses can begin planning for server and workstation configurations, hardware and software installations and training for upgraded physical processes and cybersecurity awareness.

During this phase, they should consider cybersecurity-as-a-service solutions that help automate security processes for ongoing CMMC compliance. Experienced CaaS providers can often provide policy templates, as well as a vetted tech stack of IT tools mapped to specific requirements.

For small to medium-sized businesses, this is often the simplest way to manage the necessary investment and to ensure ongoing compliance and flexibility for adapting to new requirements. They should be sure to look for providers that have a track-record with the DOD and understand the nuances of defense contracting.

4. Monitor for performance. Once remediation is complete, action should be taken to ensure continuous monitoring and remediation of potential issues, along with ongoing auditing and collection of evidence to support policy compliance. Internal self-assessments should be conducted at least once annually.

CMMC compliance is a daunting task for many DOD contractors, but with proactive steps, it can provide a competitive advantage. Those who can demonstrate that they are actively working towards compliance under the interim final rule will be best-positioned to protect their existing business when contracts are up for renewal and push the CMMC standard over the next three years. Of course, they will also be well positioned to seize new DOD opportunities as they arise.

Combine technology + human experience

These steps provide a general framework for achieving CMMC compliance, but the complexity of initial remediation and ongoing compliance will vary widely. It is important to keep in mind that technology is only part of the solution. Technology standards account for about two-thirds of CMMC controls, with the other controls focusing on physical practices guiding employee efforts to protect sensitive information.

This means that, ultimately, there is no such thing as a one-size solution for businesses adapting to CMMC. Particularly for smaller businesses that lack in-house IT resources, do-it-yourself solutions can be risky as well. Experienced, trusted consultants can support complete CMMC gap assessments, remediation and ongoing compliance efforts, and can accelerate those efforts to match a specific business’ needs. Contractors should seek partners with experience in both technology and physical security solutions along with the capabilities to support ongoing compliance as business opportunities evolve.
