How CMMC changes the path to contracts
The security of the United States increasingly depends on the security of its data. That means almost every government agency – and almost every technology contractor that handles government data – is a potential point of attack.
In fact, a recent report from the US Government Accountability Office said that “although the federal government has made selected improvements, it needs to move with a greater sense of urgency commensurate with the rapidly evolving and grave threats to the country.”
The Department of Defense (DoD) took action to standardize and strengthen its supply-chain cybersecurity last year, publishing version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) model. The CMMC combines multiple cybersecurity standards and best practices into one map of progressive security levels that protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) on Defense Industrial Base (DIB) systems and networks. CUI is a broad category that encompasses many different types of sensitive, but not classified, information. FCI is information provided by or generated for the Government under contract and not intended for public release. Under the published model, handling CUI requires at least CMMC Level 3 certification (which incorporates all 110 NIST SP 800-171 requirements plus additional practices), while handling only FCI requires CMMC Level 1 certification. Commercial organizations contracting with the DoD must comply with the applicable CMMC level, and the DoD will phase the requirement into its contracts over several years rather than applying it to every contract at once.
An “estimated 7,500 companies will be certified in 2021,” said Katie Arrington, Chief Information Security Officer in the Office of the Undersecretary of Defense for Acquisition and Sustainment.
The path has changed
Entities managing government data are already subject to a variety of standards, such as NIST SP 800-53, NIST SP 800-171 and DFARS clause 252.204-7012, which served as the basis for the CMMC model. Many government contractors understand those standards and their requirements but may not understand how CMMC is different.
Unlike the previous standards, which mostly relied on self-assessment and self-attestation, CMMC requires an independent assessment by a CMMC Third Party Assessment Organization (C3PAO) before a certification can be issued.
Many government contractors have not grasped the full details of the CMMC requirements – or the significant effort that is usually required to get certified. Beyond establishing processes and practices (controls), some organizations will need significant investment in technology (including redesigning elements of their IT architecture to segregate government data) and in people.
Given the urgency to further address cybersecurity threats, indications are that CMMC requirements will be expanded beyond the Department of Defense, to other government agencies.
An efficient path to compliance
Recognizing that CMMC places significant new requirements on government contractors, the CMMC Accreditation Body (CMMC-AB) has also defined Registered Provider Organizations (RPOs): consulting firms registered with the CMMC-AB to help contractors prepare for and implement the necessary measures before their CMMC assessment. Note that an RPO advises and prepares; it does not conduct the certification assessment, which only a C3PAO can perform.
RPO-registered consultants (such as Grant Thornton) can be essential to preparing for CMMC certification and ongoing compliance, but it is important for organizations to choose consultants that have the experience and understanding to target their specific needs and address them efficiently.
It is also helpful to choose consultants with a multidisciplinary team focused on CMMC, including specialists in the public sector, cybersecurity and attestation. Such a team can help establish a program for ongoing certification, through the right mix of controls and procedures based on how the factors below apply to your particular people, processes and technology.
6 factors for your CMMC journey
To understand the CMMC requirements and the preparation required, start by considering 6 factors.
1. Data-level scrutiny
The CMMC requirements look beneath the system level, at the data level, and that level of security can be harder to establish than organizations realize. One of the key steps in the journey to CMMC compliance is defining a boundary around government data: identifying every system, user, process and third party that stores, processes or transmits CUI, and then keeping that data inside the defined scope. Many organizations do not yet have the technology to discover where specific data actually resides, or to subsequently limit the movement of that data to a dedicated enclave within the organization. Everything inside the boundary is in scope for assessment, so a boundary that is drawn too wide increases cost, while one that is drawn too narrow and then leaks CUI elsewhere undermines the assessment.
2. Comprehensive documentation
A CMMC assessment requires the C3PAO to review extensive and detailed documentation prepared by the organization. Beyond documenting processes and practices (controls), organizations should have comprehensive documentation that provides context and support for how they defined the boundary around CUI and how management ensures that data does not leave it, for example a system security plan, network and data-flow diagrams, an inventory of in-scope assets and the policies and procedures that implement each practice.
Organizations should also establish a process to ensure that all necessary documentation is prepared, kept current and retained as one comprehensive package, so that the C3PAO can perform the assessment without the organization scrambling to assemble evidence.
3. Dedicated Project Management Office (PMO)
Given the complexity of CMMC compliance, various departments are typically involved, including security, IT, procurement, legal, third-party vendor management and the business units that deliver the services and products using the relevant CUI. The need for ongoing management and compliance is one reason some organizations are establishing a dedicated project management office for CMMC compliance and government data security. A PMO provides the right level of oversight and understanding for the security architecture and engineering work that defines and manages CUI boundaries, along with the other CMMC obligations.
4. Preparation time
Planning for CMMC compliance is a journey, and some large government contractors have already made progress along it. However, many subcontractors will need to invest more work than they expect, since CMMC requirements flow down to any subcontractor that handles FCI or CUI.
Preparation time is an important consideration as organizations plan to bid on or renew government contracts. A critical first step for most organizations is to conduct an initial CMMC readiness assessment (a gap analysis against the target level) that identifies the level of effort necessary to meet the framework's requirements.
5. Internal collaboration and financial investment
For organizations that view data security as an IT issue, CMMC will require new collaborative efforts across a wider range of stakeholders. While the security, IT and compliance functions are usually the most involved, CMMC compliance needs to be assessed from an overall organizational perspective to determine the cost, benefits and strategic changes potentially needed. Organizations embarking on the CMMC journey very often struggle to meet requirements because of a lack of commitment and understanding across the organization.
As organizations prepare for more internal collaboration to achieve CMMC compliance, they might also need to prepare for more financial investment to support the required changes across the departments involved in transmitting, processing and storing CUI. Depending on the complexity of their processes and internal infrastructure, some organizations have considered establishing a separate sub-entity dedicated to government contracts and government data, so that the CMMC boundary covers that entity rather than the whole enterprise.
6. All or nothing
Perhaps the most important difference between CMMC and other standards is that organizations are given very little leeway. The CMMC certification is currently not a risk-based assessment in which an organization can be partly compliant, or fail certain requirements, as long as the overall objective is achieved, and the current process makes no provision for plans of action and milestones (POA&Ms) to defer unmet practices. If any required practice or process is not implemented or fails assessment, the C3PAO cannot issue the certification. A lost certification, if not restored, means a lost contract or the inability to bid on a new contract that carries CMMC requirements.