The Office of the Secretary of Defense released CMMC (Cybersecurity Maturity Model Certification) version 1.0 on January 31, 2020 to verify contractors of the Defense Industrial Base (DIB) are operating with effective cyber hygiene. In order to bid on, maintain, and win future DoD contracts, all organizations will need to prove their required level of cyber maturity. We covered CMMC basics and Draft 0.7 in this webinar and will be discussing CMMC 1.0 and how to prepare in this upcoming webinar.
The good news for DOD contractors is that there were not any drastic changes between CMMC Draft 0.7 and CMMC 1.0.
One could argue some of these were consolidated for the sake of simplification, which makes sense. Perhaps practices and processes like this will be added in future versions/enhancements of the CMMC as the DOD supply chain matures. The CMMC's purpose, after all, is to drive maturity at all times as threats evolve, right? We would love to see more accountability-type practices and processes added in the future. Putting focus on practices and processes that go beyond anything a technology or security professional can do is always recommended.
As mentioned above and reinforced during the CMMC 1.0 announcement video, there is still a lot of work to do and lots to learn as the roll-out continues. The released schedule is subject to change but given how the CMMC team has met most of their goals to this point, it is best to assume these deadlines are accurate. Ms. Arrington talks about the roll-out as a "crawl, walk, run" approach in order to make the CMMC effective for everyone.
Key schedule dates to be aware of:
From a crawl, walk, run standpoint, these dates make sense. They allow for some room to make minor changes to the program.
Given that no CMMC Third Party Assessment Organizations (C3PAOs) currently exist, every DOD supplier and contractor should be laser-focused on completing their Plan of Actions and Milestones (POAM), if they currently have one. If no POAM exists, contractors need to create a System Security Plan (SSP), which includes information for each system in their environment that processes, stores, or transmits Controlled Unclassified Information (CUI).
As for POAMs, the current format of milestones taking place two, three or four years down the road will no longer be allowed. Any organization doing business with the DOD will need to have the CMMC maturity level requirements fully implemented by the time of contract award. If your organization is looking for help creating an SSP and POAM, we can help.
The announcement of the CMMC back in the Summer of 2019 caused a flurry of activity within the DOD supply chain. Over the past seven months, much of the activity was caused by fear. Many small- to medium-sized businesses in the DOD supply chain are not ready, and they know it. Others were taking the proactive approach so they don't lose their competitive advantage and don't put their business at risk. This is more than cybersecurity risk and supply chain risk. It's financial risk, intellectual property risk, innovation risk, personal risk, and so on. This is about overall risk management.
Just because certifications are not going to take place right away, that does not mean DOD suppliers get "breathing room." The DFARS 252.204-7012 clause is still the requirement. Primes have the right, today, to ask their subs how POAM completion is progressing.
Is your organization ready for that question? Is your organization ready for when your customer starts looking for potential suppliers to replace yours?
Keep in mind, there is a lot of risk on prime contractors as well. If primes have to replace a supplier because they are a cybersecurity risk, they will. In fact, they have to in order to meet the CMMC requirements.
Many DOD suppliers and contractors have told their customer(s) they are "working on" their POAM. This used to be allowed because there was no way to verify whether they were being true to their word. What happens if an organization suffers a CUI data breach tomorrow? Next week? Next month? What is the excuse going to be? "We were waiting for more clarification about CMMC 1.0 before making a plan" will not work.
In order to achieve compliance with DFARS 252.204-7012 by implementing all 110 controls of NIST 800-171, DOD suppliers and contractors handling CUI will need to provide proof via audit artifacts. There is no technology that meets all 110 controls. A large portion of the requirements within NIST 800-171 are non-technical, and many of them require policies and procedures to be created, implemented, and documented.
Technology cannot perform those requirements. Administration, understanding CUI data flows, and other non-technical requirements must be proactively implemented and managed by the business. This is much easier to accomplish when working with subject matter experts who understand NIST, CUI, cybersecurity and information security. We can help your organization identify the best path for your business.
Is your organization looking for the answer to completing your POAM? CUICK TRAC combines both the technical and non-technical controls of NIST 800-171 into a single programmatic process.
Does your organization need to better understand whether it handles CUI or not? And if so, where does CUI reside? How can an organization develop and execute an effective plan if it doesn't understand where sensitive data resides within the business?
Don't drag your feet and get left behind. Our national defense depends on the lower tier suppliers in the DOD supply chain!