By Les Buday, Managing Director
“Streamlined. Flexible. Secure.” This is the tagline on the CMMC website managed by the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)). That site holds the DoD’s published information on the newly redefined Cybersecurity Maturity Model Certification (CMMC) program. More commonly referred to as “CMMC 2.0”, the program is the DoD’s second attempt at defining cyber protection requirements for its supply chain (the Defense Industrial Base, or “DIB”). Its creation reflects the DoD’s heightened awareness, at the highest levels, that the security of sensitive data is a matter of national security, and that awareness extends to the ongoing collaboration and exchange of sensitive information between the DoD and its contractor community.
As the tagline implies, CMMC 2.0 purports to incorporate a number of changes and enhancements to the framework that make it easier for the DIB, especially the small and medium-sized businesses within it, to achieve and maintain compliance from both a cost and an implementation perspective, without weakening the safeguards they are required to apply to sensitive government information. And while many in the DIB will rejoice at the changes in CMMC 2.0 that seemingly provide more latitude in how companies can satisfy the requirements (e.g., fewer model tiers, self-assessment at Level 1, limited acceptance of POA&Ms, CMMC waivers), the primary goals the DoD set out at CMMC’s inception have not changed:
- Safeguard sensitive information
- Dynamically enhance DIB cybersecurity
- Ensure accountability
- Instill a collaborative culture of cybersecurity and cyber resilience
Something else that has not changed from CMMC 1.0 is the ever-increasing number of cyber threats to the DIB, with the estimated cost of losses from successful cyberattacks against the DoD’s supply chain approaching $600 billion annually. CMMC is one of a growing list of tightened regulations (see White House Executive Order 14028 and the DOJ’s Civil Cyber-Fraud Initiative) that underscore the government’s urgency and its expectation that cyber risk management become a permanent fixture both within and across its supply chain.
As accountable members of the federal government ecosystem, the time to act is now, even as the government works to finalize the roll-out of CMMC 2.0. With the recent release of the CMMC Scoping and Assessment Guides for Levels 1 and 2 (Level 3 is to follow), there is enough clarity, guidance, and established industry experience to draw upon to help all of us begin meeting this requirement. Working toward CMMC compliance is also a good opportunity to take stock of where we stand in managing cyber risk within our own organizations. Here are a few ideas to consider as you begin your CMMC compliance effort:
- Avoid the mindset that CMMC is a one-time compliance prerequisite that, once achieved, satisfies the requirement for good; the controls must be maintained and re-assessed
- To be successful, organizations must change the narrative that meeting cyber compliance requirements is solely an IT problem
- Understand the strategic business impact of delaying, underfunding, or altogether circumventing CMMC
The most commonly shared viewpoint within the DIB is that CMMC represents another barrier to entry for doing business with the DoD. And yes, that is certainly one way to look at it. The federal government, however, is a rapidly growing target of data breaches and cybersecurity incidents that threaten our national security. In that light, a more meaningful way to view CMMC is as one of many emerging federal initiatives aimed at raising the cyber protection standards and risk management capabilities of the government’s supply chain. Understanding that we are all part of that collective target, taking steps to adopt these standards and build new capabilities seems like a worthy endeavor. Let’s get to work!
Not sure where to begin? SecureIT is a trusted security, audit, and compliance firm whose certified cybersecurity professionals provide practical, efficient solutions. If you are planning a CMMC compliance effort and want an advisor to help ensure your success, please contact us. We would love to talk and show you how we can help.