Making Sense of CMMC: What You Should Know Right Now

October 02, 2024
The Department of Defense (DoD)’s long-awaited Cybersecurity Maturity Model Certification (CMMC) program is finally nearing implementation, poised to affect tens of thousands of defense contractors in a short amount of time. Failure to achieve certification through an accredited third-party cybersecurity assessment could result in losing eligibility to win defense contracts.

CMMC is a critical DoD mandate to strengthen enforcement of the protection of sensitive data across the complex and expanding defense contracting supply chain of businesses that handle controlled unclassified information (CUI). Contractors and their service providers must comply with CMMC requirements or risk losing access to lucrative U.S. government defense contracts.

To help government contractors understand what they need to know, I will be presenting at this year’s Deltek ProjectCon event. My session, titled “CMMC is launched: What Now? Then What?”, is designed for executives and decision-makers and will cover the impact of this new requirement on DoD contractors and their external service providers, and the challenges companies may face in balancing compliance and security with investment and product quality.

As a preview of what I’ll be discussing in November, I wanted to share some of the CMMC questions that DoD contractors are asking and offer my insights on each. 

How does CMMC differ from previous cybersecurity requirements for defense contractors?

CMMC, unlike prior DoD cyber requirements, requires verification of a defense contractor’s cybersecurity through the use of accredited third-party assessors. In the recently released 48 CFR CMMC Proposed Rule, the DoD makes this plain: once a solicitation, contract, amendment, or option includes the new CMMC requirement, contracting officers may not award unless the contractor has the necessary self-assessment or certification assessment.

Contractors who host, use or transmit Controlled Unclassified Information must pass the certification assessment as a condition of receiving new DoD business. Since eligibility for future defense work depends on validated cybersecurity, many more suppliers will invest to achieve and sustain security. Defense contracts have included obligations to “safeguard” CUI and to report cyber incidents for many years. Until now, however, DoD accepted companies’ self-attestation without any means of verification. CMMC intends to elevate the actual accomplishment of cybersecurity by putting contractors through the test of independent third-party assessment.

How will CMMC impact small and medium-sized businesses (SMBs) in the defense supply chain?

The impact will be substantial. In its latest 48 CFR CMMC Proposed Rule, DoD estimates that 29,543 entities will be subject to CMMC Level 1 or Level 2 requirements per year; of these, 20,395 (or 69%) are small businesses. For those companies that have already prepared and made the investment, satisfying CMMC demands will still be a challenge but shouldn’t imperil opportunities for future Pentagon business.

However, many companies have avoided or postponed cyber compliance obligations. For those who hope to remain defense suppliers, there is no better time than the present to get underway, become more secure and assure CMMC compliance. While DoD envisions a 3-year roll-out after the CMMC rules become final and effective early in 2025, companies need to know that it can take several years of well-planned effort to reach the “pass” line when the time comes for a third-party assessment. In the latest Proposed Rule, DoD is clear that it expects each and every contractor information system that hosts, uses or transmits CUI to pass CMMC requirements. It predicts that suppliers typically will have five (5) such systems.


How do you see CMMC evolving in the coming years, and what should businesses be aware of in terms of future changes or updates?

CMMC is a baseline from which DoD will seek improvement. CMMC today uses the 110 security controls from NIST Special Publication (SP) 800-171 Rev 2, which cover 14 distinct security families. Rev 3 of SP 800-171 was published in May 2024. The DoD has already signaled that it will move to Rev 3 within the next several years, but there’s much work to be done by both DoD and industry to prepare. Rev 3 adds three new security families (Planning, System and Services Acquisition, and Supply Chain Risk Management), includes more detail for many controls, and likely will be more effective against nation-state “advanced persistent threats” as well as ransomware actors and other cyber criminals.

Even now, there are several levels of CMMC compliance. Level 2 deals with CUI, and that’s where the largest number of contractors will face required assessments. A higher level, Level 3, deals with critical technologies and high-impact programs. Level 3 raises the security bar substantially and relies upon a different NIST publication, SP 800-172. There’s much to be learned from the Level 3 security methods. Further, defense contractors should become informed about “zero trust” solutions and learn how they might use AI to enhance cyber defense.

What advice would you give to businesses just starting their journey towards CMMC compliance?

First, CMMC compliance must be elevated to C-level decision makers regardless of enterprise size. Second, companies should do a realistic assessment of what CUI they now host, use, or transmit – and what business they hope to do with DoD in coming years. Companies that sell to the federal government, but not to DoD, should know that civilian agencies are watching CMMC and may implement parallel measures to protect CUI.

The next step is a competent assessment of the present information systems to which CMMC applies. Here, expert consulting advice is often recommended, so that the self-assessment isn’t skewed by institutional biases. Once you know what information you need to protect, where it resides within your organization, and what security safeguards are currently in place, you have the basis for comparison against the NIST SP 800-171/172 cyber controls and for building a plan of action to meet (or exceed) CMMC requirements. It is absolutely necessary to have sufficient resources for the job – and these include people, technology and budget. CMMC is neither a “do it quick” nor a “do it cheap” proposition, but it can be done “right” – as an investment, over a period of implementation, with executive commitment and good governance.

What are the common challenges businesses face when working towards CMMC certification and how can they overcome these obstacles?

Many companies are worried about the adequacy of the resources they need to prepare for CMMC assessment and certification. These concerns are especially acute for smaller businesses. The DoD and NSA offer a number of programs and services that can help solve cyber challenges and reduce financial demands. The Office of Small Business Programs within the DoD can help. Many prime contractors seek to assist their smaller suppliers. And there is a diverse marketplace of private-sector sources of cyber assistance.

While companies should be discerning before they choose suppliers, selecting a capable adviser can help smaller companies make the most cost-effective choices to achieve security. It is especially important to look at managed service providers, because these resources can help spread the costs of high-level security across a sizable business base.

Join us at Deltek ProjectCon, November 12-14, 2024.

These questions are just the tip of the iceberg. Be sure to join me at Deltek ProjectCon this November to learn more about the impact CMMC will have on your government contracting business.

Register today before prices increase on October 12, 2024. This can’t-miss event will bring together members of Deltek Project Nation from across the globe to learn the latest about Deltek products, services and information from our partners. 

About Bob Metzger

Robert “Bob” Metzger heads the Washington, D.C. office of Rogers Joseph O’Donnell, PC (RJO), a firm that has specialized in government contracts for more than 40 years. Considered by Washington Technology to be “the father of the U.S. Department of Defense (DoD)’s CMMC program”, Bob was included in the inaugural 2024 Lawdragon 500 Leading Global Cyber Lawyers guide for his work in government contracts, cybersecurity, supply chain and national security matters.