What’s New in CMMC | Column 2
“What’s New in CMMC” is a regular column from MxD explaining aspects of the just-launched CMMC 2.0 framework.
The timeline for the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) 2.0 remains fuzzy. But the advice from experts is clear: Don’t wait.
“We recognize that there’s ambiguity. We recognize that the CMMC 2.0 rule-making is not complete. But if you are a manufacturer who hasn’t started on cybersecurity readiness, start now,” said MxD’s Senior Director of Cybersecurity Laura Élan.
When it launched CMMC 2.0 in November, the Pentagon said it could take as long as two years for rule-making to be completed and for the new cybersecurity requirements to be included in Department of Defense contracts.
That’s lulled some manufacturers into thinking they have plenty of time. But, Élan and others said, that kind of thinking could put a company way behind — or out of the game.
Rule-making, experts have said, may not take the full two years. Just a month after CMMC 2.0 was announced, for example, a CMMC 2.0 Model Overview was available. At the same time, the Department of Defense released CMMC Self-Assessment Scopes for Level 1 and Level 2 as well as Self-Assessment Guides for Level 1 and Level 2. Guidance for Level 3, the top CMMC 2.0 tier, is still being developed.
Plus the Pentagon won’t be alone in putting cybersecurity requirements into contracts to limit risk. Companies up and down the supply chain are starting to require cybersecurity assurances.
For those motivated by carrot over stick, the Pentagon is reportedly also considering financial incentives to get contractors to work on their cybersecurity before CMMC 2.0 is fully in place.
To get started, manufacturers are advised to determine their current level of cybersecurity maturity. There are plenty of tools available to do such self-assessments, Élan said. But it’s crucial to remember that self-assessments are not as easy as they sound and take more time than is usually anticipated.
Self-assessment requires attention to detail. For example, to meet a requirement that employees have cybersecurity training, it’s not enough, Élan noted, to say, “Yeah, we train people.”
Companies must provide precise information on the types and frequency of training being done, such as good password management, identification and protection of sensitive information, or not letting people tailgate workers as they head into the factory.
If training isn’t completely where it needs to be, companies could create a roadmap, or a plan of action and milestones (POA&M), a new feature in CMMC 2.0. These action plans would let contractors demonstrate that they are working on compliance instead of having achieved it. There are going to be cybersecurity requirements that won’t be negotiable, Élan said, but training could be one CMMC 2.0 area where such action plans may be allowed.
Getting an early start also will give manufacturers the time they need to build the cross-functional teams required for a robust cybersecurity plan. This isn’t a job just for IT, Élan said.
For instance, CMMC 2.0 rules may require a company to demonstrate that the people it’s made responsible for cybersecurity have certain experience, background, and education. Those background checks and hiring initiatives are likely a job for the Human Resources Department.
Companies may have to guarantee that their procurement process assesses the maturity of any software, hardware, or firmware being used for cybersecurity. And, Élan said, firms shouldn’t forget to have executives on the team, as they are key to getting policies in place.
Most important on the cybersecurity front, though, is to get going.
“Don’t wait,” Élan said. “Start now.”