If you work in the cybersecurity sector, you know that the U.S. Department of Defense (DoD) is rolling out a Cybersecurity Maturity Model Certification program, or CMMC, to create stronger cybersecurity standards for contractors working in the DoD supply chain.
Over 300,000 firms either currently do business within the Defense Industrial Base (DIB) or intend to, according to ClearanceJobs.com. To be compliant, they’ll need to prove they can protect sensitive data, including Federal Contract Information and Controlled Unclassified Information.
And if they want to remain compliant, they must implement and follow the guidelines for the duration of their contracts with the Department of Defense.
Furthermore, if a contractor hires subcontractors to work on a project, the subcontractors must also measure up to CMMC standards.
Why CMMC Now?
It’s no secret cybercrime is on the rise.
According to “The Economic Impact of Cybercrime – No Slowing Down,” a report released in 2018 by the Center for Strategic and International Studies in partnership with McAfee, as much as $600 billion may be lost to cybercrime each year.
Think about it for a moment. That is nearly 1% of the Global Domestic Product!
But the report contains other revelations. In the Executive Summary, the authors state, “As crimes with global impact go, cybercrime ranks third behind government corruption and narcotics as a global economic scourge.”
CMMC and the DIB
Recognizing the federal government is particularly vulnerable to cyberattack, the Department of Defense introduced the Cybersecurity Maturity Model Certification in 2019.
As the Cybersecurity & Infrastructure Security Agency explains, the Defense Industrial Base enables research and development as well as design, production, delivery and maintenance of military systems and equipment to meet U.S. requirements.
For every large contractor like General Dynamics, Lockheed Martin and Northrop Grumman, there are many, many smaller companies providing products and services to the DoD.
Some contractor trade associations have expressed concern on behalf of their members regarding the transparency of the program and the expense smaller companies will face to integrate the CMMC model. FedScoop reports some companies estimate it could cost them up to $100,000 or more.
This, the associations claim, might drive up the price of goods provided to the government, or force smaller contractors out of the market altogether.
CMMC Certification
Until recently, contractors were responsible for evaluating their own readiness. But DoD found a number of them were not ready to effectively deal with a cyberattack.
Under the new system, companies will be encouraged to do self-assessments. However, contractor compliance will be determined by authorized and accredited independent CMMC third-party assessment organizations, or C3PAOs.
Before C3PAOs can perform assessments, though the CMMC Accreditation Body must approve them. C3PAOs may then assess the contractors’ unclassified networks and issues certificates. CMMC-AB will not make detailed assessments public, only the fact that a company is CMMC certified.
By October of 2025, DoD will require all contractors to become fully compliant.
A CMMC certificate is generally valid for three years.
Cybersecurity Compliance: the Reality
Did you know there are 130 CMMC practices?
They are mapped across the five levels for all capabilities and domains.
Due to the complexity, many technology companies solve for portions of CMMC, rather than the whole. Consider choosing a Registered Provider Organization equipped with the necessary tools, documentation and reporting. You’ll also want to ensure the RPO has a team with the right skills and experience.
At SP6, we take a holistic approach, enabling us to fill any gaps you may have. Whether it’s security policy, compliance tracking, cybersecurity end-user awareness training, or buyer’s guides, we can help you become CMMC compliant. Get in touch with us today and let’s talk!
We’re also a Splunk partner. Splunk’s customers include the Army, Navy, Air Force and Marine Corps, DoD agencies and defense contractors. Here are some insights from Splunk on CMMC.
