Balancing cost and security in preparing for CMMC certification
The recently announced Cybersecurity Maturity Model Certification (CMMC) is the standard companies will have to meet in order to do business with the Federal Government – as early as this summer. Depending on your proficiency level and depth of knowledge, this reality may be causing your team stress and anxiety.
Don’t let it. With the right guidance and support, you can turn this new reality into an opportunity and a win for the larger national security industry.
CMMC requirements will start appearing in DoD Requests for Information (RFI) as soon as this June. While actual certification is not required until a contract award, companies that use their time and resources wisely now will be better positioned for future business and future threats.
The CMMC program includes five levels of certification, ranging from “basic cyber hygiene” at Level 1 to advanced and progressive security practices at Level 5. The model builds on several existing cybersecurity standards, most notably National Institute of Standards and Technology Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” whose 110 requirements map to Level 3.
Katie Arrington, Chief Information Security Officer for Acquisition in the Office of the Under Secretary of Defense for Acquisition and Sustainment and the lead voice on CMMC, estimates that most companies in the DoD’s supply chain – approximately 285,000 – will only require Level 1 certification, and she expects the cost to be no more than $1,000 per year to implement Level 1 security practices and obtain a certification (companies must recertify every three years).
At a recent Bloomberg Government webinar she placed the costs in perspective: “$3,000 once every three years is less than it costs to have a business license per quarter in most places,” adding, “we really have reined in the pricing.”
In preparing for CMMC, organizations must take a formalized and structured approach to their cybersecurity posture and consider three significant points about the importance of their investment:
- CMMC standards help curb financial losses, and the government is willing to pay for that. The United States loses an estimated $600 billion a year to the theft of data and intellectual property – CMMC shows DoD’s motivation and willingness to help companies recoup their investment in cybersecurity. As Ms. Arrington said in last week’s webinar, “We understand that there’s going to be a cost to this, but when we’re losing $600 billion a year, if I have to put $1 billion in to make sure that we protect ourselves, it’s a huge return on investment,” she said. “And more importantly, investing in ensuring our supply chain remains whole.” DoD will allow contractors to include the costs of certification in the rates they charge the department, treating it as an allowable cost.
- Two birds – one stone. Meeting the demands of a model like CMMC will help companies stay in business by making their systems and business operations more secure and resilient. They can do this while meeting the compliance requirements for bidding on and receiving federal government contracts in the future.
- We’re all in this together. CMMC certification safeguards our national security, which is in everyone’s best interest.
The model’s practices are grouped into 17 security domains (Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, and so on) spread across the five levels. Each domain is an area of risk that any company should review regularly, and especially one supplying goods and services in the interest of national defense.
Consider even just the basic Level 1 certification, which protects Federal Contract Information (FCI); Controlled Unclassified Information (CUI) is in scope from Level 3. Level 1 requires limiting system access to authorized users, to processes acting on behalf of authorized users, and to authorized devices, and restricting each user to the types of transactions and functions they are permitted to execute. It also requires that connections to and use of external information systems – ranging from mobile phones and personal computers to websites or social media – be verified, controlled and limited, and that FCI is not posted or processed on publicly accessible systems.
Ardalyst understands companies are nervous about these requirements, and they are wondering about the financial and logistical investments and steps. We can help. We offer a free planning session to help you chart a course to compliance, and our vision, always, is to replace uncertainty with understanding. With this in mind, Ardalyst is proud to sponsor the Virtual CMMC Symposium hosted by AFCEA International April 23rd from 8:15am to 12:00pm, where Arrington will be one of the keynote speakers.