The Cybersecurity Maturity Model Certification implements IT requirements for DOD vendors. How can small businesses stay competitive under the new rules?
In addition to performance, costs, and scheduling, prospective Department of Defense contractors now will have a new metric to consider: cybersecurity.
The Cybersecurity Maturity Model Certification changes — and strengthens — the process for defense contractors to certify their digital security. Rather than submitting plans for system security and related actions after contract awards, the new certification requires evaluation of contractor cybersecurity measures before contract awards. Contractors receive security rankings, with higher rankings offering the opportunity to bid on more contracts.
If you serve as a contractor or subcontractor for DOD, what should you know about the CMMC process, and what steps can you take to ensure compliance?
History Behind the Certification
In recent years, cybersecurity has gained prominence — in part due to anticipation of future warfare. As technological tools become more sophisticated, a variety of international players can inflict significant damage — with much lower financial and human costs — by attacking infrastructure and other targets through cyber warfare.
To respond to the threat, DOD has worked to mitigate technical risks in several ways, including stricter cybersecurity standards for government contractors. The government found that the majority of contractors were not complying with the cybersecurity requirements outlined in the Defense Federal Acquisition Regulation Supplement — or DFARS. Correctly, as of 2019, many vendors had not implemented the requirements of NIST 800-171, which regulates the protection of controlled unclassified information among non-government organizations and systems.
The new CMMC process intends to give enforcement power to the previous rules by adding a requirement of advance certification before working with DOD.
Understanding the Ranking Process
Officials have noted that any companies that are part of the DOD supply chain — including both prime contractors and subcontractors — must be certified under the new rules to work with DOD.
To develop CMMC, department officials have worked in conjunction with several universities to combine multiple cybersecurity standards into one unified set of requirements intended to strengthen the entire DOD supply chain.
The new standard includes five levels of certification, including:
- Basic Cyber Hygiene, which includes 17 security controls.
- Intermediate Cyber Hygiene, which includes 46 controls.
- Good Cyber Hygiene, which includes 47 controls.
- Proactive, which includes 26 controls.
- Advanced/Progressive/State-of-the-Art, which includes 30 controls.
Each level also includes all the security controls at lower levels.
Under previous rules, small business contractors — including printers and metal manufacturers — had to comply with the same standards that DOD used for more extensive, prime contractors. The high costs of meeting those stringent requirements posed challenges for small companies. However, the new CMMC introduces semi-automation and cost-effectiveness, allowing smaller businesses to achieve the lowest CMMC level, while prime contractors must meet Level 3.
Potential Impacts and Steps for Compliance
Going forward, requests for proposals will specify which CMMC level is required. DOD contractors of all sizes will need to provide sufficient documentation on their IT and information security protocols — overseen either by internal employees or external partners.
CMMC likely will pose significant new challenges for DOD contractors, who must go through the RFP process to show adherence to the new requirements, even on existing contracts. Companies that achieve higher CMMC levels than competitors may see benefits when bidding on contracts.
To comply with the new requirements and begin securing DOD contracts, vendors should first ensure that they have a System Security Plan and Plan of Action and Milestones — both required under the old rules — in place. The two plans serve as a baseline for the new certification. Within the plans, nonfederal vendors are expected to explain how their organizations will meet the new requirements.
Also, contractors should ensure that their IT environments comply with the new rules. An experienced managed services provider can help determine a budget and implement the right cloud-based security solutions to meet CMMC requirements. For more information, please contact HRCT, a managed IT services company serving the Hampton Roads and Virginia Beach areas.