Are DoD Contractors Asking The Right Questions About CMMC Compliance?
Confusion about deadlines, CMMC compliance, and the ramifications exist in the DoD supply chain. It's crucial businesses get answers and take proactive measures.
5 Questions That Could Make Or Break Your CMMC Compliance
Department of Defense supply chain contractors are under considerable pressure to implement the Cybersecurity Maturity Model Certification (CMMC) mandate, but uncertainty looms about how it impacts their business.
There’s no denying the fact the federal government is wise to bring together elements of the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) under one cybersecurity roof. Foreign entities and cybercriminals recognize that the vast majority of Controlled Unclassified Information (CUI) is housed on private-sector networks. What is even more concerning is that too many DoD supply chain outfits were not in cybersecurity compliance.
“If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level-set because a good portion of our defense industrial base doesn’t have robust cyber hygiene,” DoD official Katie Arrington reportedly said. “Only 1 percent of DIB (Defense Industrial Base) companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation-state attacks.”
The CMMC aims to rectify these issues. Still, organizations that generate profits by providing the DoD and its affiliates with goods and services are not asking the most pertinent questions. If you are a decision-maker for a DoD contractor or supply chain outfit, these are the questions you need answered.
1. Does CMMC Compliance Apply to Your Organization?
There has been some misunderstanding about which businesses are required to meet the new cybersecurity threshold. In the past, peripheral companies that were not fully immersed in DoD work may not have brought their cybersecurity measures up to snuff. The conventional thinking was that those stringent measures were just for direct DoD contractors. Those days are over.
The latest version of the CMMC creates five levels of cybersecurity controls. The sensitivity of the data your outfit maintains determines which level you are required to meet. The DoD is far more determined to ensure that every operation that participates in the supply chain complies. So, the short answer is: Yes, your organization must comply.
2. How Soon is CMMC Compliance Required?
If you own, operate, or lead a DoD supply chain operation and have not brought your cybersecurity into compliance, consider yourself behind the curve. The rollout officially began in January 2020, and there are several fast-approaching deadlines.
As of June, CMMC requirements are expected to be listed in Requests for Information (RFIs), and third-party audits are set to begin. By September, DoD contractors will have to be certified to submit bids. Perhaps the most significant challenge affected organizations will face is a log-jam of competitors enlisting the limited number of cybersecurity specialists that can help bring them into compliance on time.
3. How Do I Know Which CMMC Level to Meet?
It wouldn’t be surprising for the average company to at least meet the Level 1 threshold, which the mandate considers “Basic Cyber Hygiene.” But the deeper into the supply chain your products, goods, and services go, the more stringent the controls. If your outfit stores, creates, or transmits any government data, it is increasingly likely that Level 3 compliance is required, at minimum. The best way to know the appropriate compliance level is to have a third-party assessment conducted by a cybersecurity expert.
4. Does CMMC Apply to Cloud Usage?
Again, the short answer is yes. Given the rapid migration to the cloud, supply chain operations may run into some difficulty in this area.
For supply chain outfits that use Software-as-a-Service (SaaS) solutions, it will fall on your shoulders to determine whether your usage is considered “in-boundary.” After that, the question remains whether it meets the CMMC mandate. It’s not uncommon for the major providers to offer government-approved versions. It’s also in your best interest to check thoroughly that these options stand up to NIST 800-171 or NIST 800-53 scrutiny. Cloud platforms that do not pass muster could derail your CMMC audit.
5. What are the Ramifications for Not Complying on Time?
The DoD used to circle back and levy high fines on contractors that engaged in work without meeting the standards. That will not be the case going forward. Compliance is now a prerequisite for securing profitable DoD work. Those who are not CMMC certified will be cut off. Losing that lucrative work to competitors will undoubtedly prove painful.
Contact our IT experts today to get a professional service quote.