AFCEA hosted a virtual webinar April 23rd, gathering panelists and keynote speakers to address the Cybersecurity Maturity Model Certification (CMMC) model and the timeline for implementation of these standards.
Ardalyst was proud to be one of the sponsors of the event, which featured Katie Arrington, the Chief Information Security Officer for the Office of the Undersecretary of Defense for Acquisitions and Sustainment.
“The time is now” for companies to begin implementation of CMMC measures, Ms. Arrington told the assembled webinar participants. Many CMMC tenets constitute good practices that can—and should—be implemented even before the CMMC is formalized. She stated that the DoD remains on track to implement the CMMC program and release requests for information with its new requirements in June.
We’d like to offer some observations and other key takeaways from the webinar and the remarks by the panelists:
CMMC is Important
- The U.S. is losing money due to data loss every year: $600 billion, according to Arrington.
- Following this model keeps companies secure and in business. It’s the standard for cybersecurity maturity.
- Cybersecurity is a matter of national security. Not only is it worth the effort for companies to incorporate CMMC standards, but in doing so, they play a role in protecting our nation.
Defense Industrial Base (DIB) companies have already been self-attesting to meeting these requirements, so meeting them for CMMC should not be too hard or expensive. The key difference now is mandated submission to third-party audits of your systems and your compliance. The audits also play a key role in continuing to ensure that compliance over time.
Practicing the basic cyber hygiene methods mandated as part of CMMC Level 1 will help companies in their efforts to protect their networks and information. Arrington emphasized that 85 percent of the DIB will only have to achieve CMMC Level 1, which mandates only 17 basic controls that every business should have in place. The key to that level is effective password management, which can be achieved by following proper cyber hygiene. Basic Level 1 certification requires limiting access to systems that contain Federal Contract Information (FCI). Access needs to be role-based and restricted to authorized users and devices. Also, external information systems, ranging from mobile phones and personal computers to websites or social media, are prohibited from accessing FCI and Controlled Unclassified Information (CUI).
The DoD expects companies to raise their rates in response, to help offset the cost of compliance, and the DoD is willing to pay for this requirement. “The CMMC is there to lower the barrier to entry,” she declared. “We are making security clearly an [allowable] cost.” Specifically, Arrington commented on how this levels the playing field between companies that are investing in security today and those that aren’t. Companies that are doing the right thing can’t afford to cut prices as much as a non-compliant organization can. By ensuring everyone is investing in their cybersecurity, the standard means that compliant organizations won’t be unfairly compared to non-compliant ones in a bid competition.
Not All or Nothing
Companies can have multiple enclaves within their organizations that are certified at different levels of CMMC. While Level 1 is the very basic certification, it is possible (based on the company and its work) to hold different levels of certification. The system is meant to be flexible and help organizations. “We don’t want to lose anybody within our defense industrial base ecosystem,” Arrington said. “We want you to be safe.” In addition to allowing companies to have different enclaves with different levels, subcontractors may not need the same certification as their primes, provided they don’t have access to CUI or other sensitive information.
Other agencies are looking at giving credit for CMMC certifications in lieu of imposing a new requirement or a separate process. The DoD is evaluating that.
Driving Culture Change
Security for the company, for the industry and for the country is foundational. It is no longer seen as part of the potential trade-off between cost, performance and schedule. Cybersecurity must be foundational in the acquisition process, as today the adversary is devaluing investments in defense capabilities by learning how to reverse engineer or counter those capabilities while they are still being developed. Without sufficient cybersecurity, the capabilities we are developing as a nation are obsolete by the time they arrive in theater, which puts our warfighters at risk.
Ms. Arrington stressed the need for both defense contractors and the DoD acquisition community to think of CMMC as a “culture change.” “It’s not a checklist; it’s about demonstrating the critical thinking skills” that we need as a nation to fundamentally change our approach to supporting the warfighter.
In the end, the defense community and all organizations bidding on work with the federal government should not wait for CMMC formalization to adopt its security practices. Ardalyst understands that companies are nervous about these requirements and certifications, and that they are wondering about the financial and logistical investments and the steps involved. We can help. We offer a free planning session to help you chart a course to compliance, and our vision, always, is to replace uncertainty with understanding.