The Department of Defense (DoD) is set to include Cybersecurity Maturity Model Certification (CMMC) 2.0 requirements in its contracts by the middle of 2025. This means suppliers must get started now to become CMMC certified if they want to continue doing business with the DoD and DMG MORI Federal Services.
CMMC is a new set of requirements intended to protect national security by making sure companies in the defense supply chain protect controlled unclassified information (CUI) from foreign adversaries and cyber criminals. At its heart is a mandate that DoD contractors handling CUI prove compliance with the NIST SP 800-171 security requirements for sensitive government data by passing a verification process that, depending on the level, is a self-assessment or a third-party assessment. For some suppliers, becoming CMMC-ready could require significant changes to the way they handle some data.
CMMC has been in the works for years. DMG MORI began the process of becoming certified by creating a new U.S.-based entity, DMG MORI Federal Services. This means all DMG MORI employees and vendors working on DoD contracts need to make sure they are communicating with DMG MORI Federal Services, the company’s only entity certified to work on CMMC-related contracts.
“There is some complexity to this,” said Akbar Khimani, General Manager, Information Technology, at DMG MORI Federal Services. “All suppliers, from leadership and executive boards to factory floors, need to understand what CMMC requirements really involve, and then they need to decide how to pursue certification. There are different levels.”
Jerry Leishman, CEO of CMMC Advisors, said companies that commit to seeking CMMC status will be successful, but it takes effort. Some suppliers, especially those that haven’t kept up with investments in cybersecurity and are not NIST-compliant, may decide to exit the defense industrial base rather than pursue CMMC because it’s a long-term commitment.
“CMMC is not a ‘one and done’,” said Leishman. “It’s a program, not a project, because it’s going to continue to evolve. Being CMMC compliant requires having the right people, the right processes and the right tools. If you can’t meet those demands, DMG MORI and other suppliers won’t be able to use you anymore.”
INTERVIEW
“Don’t wait. Hire a third-party assessor.”
CMMC expert Jerry Leishman and DMG MORI’s Akbar Khimani give DoD suppliers the lowdown on the new regulations. This interview has been edited for clarity and length.
What is CMMC?
Jerry Leishman: CMMC is essentially verification of regulatory compliance for government contracts in place today through the DFARS clause (Defense Federal Acquisition Regulation Supplement). This relates to DoD contracts that say suppliers must meet the NIST 800-171 set of requirements. So CMMC takes that existing requirement and adds a third-party verification or a self-attestation with higher levels of compliance to be able to qualify for DoD contract awards. CMMC represents an assurance that contractors and suppliers are actually protecting their controlled unclassified information, like technical drawings for fighter jets used to develop parts. The DoD wants to make sure that information is protected from adversaries like China and North Korea.
Is becoming CMMC compliant about proving you do things the right way, or is it about mandating that suppliers change how they do business?
J.L.: It depends on a supplier’s overall investment in cybersecurity. CMMC is based on the NIST framework. If a company has been making the investments, then there are really no changes. All they have to do to meet CMMC requirements is get a third party to come and audit what you say you’ve been doing through self-attestations and your Supplier Performance Risk Scores (SPUR).
But if a company has not invested in, say, productivity, the only way to meet CMMC may be to get some new tools. They’ll have to make strategic decisions. They will have to adjust their processes and the management of their data.
Why is this necessary?
A DoD official did a review of some companies that said they were meeting the NIST 800-171 requirements and SPUR scores and found that most suppliers overstated their scores. This means they lied about it, didn’t understand it, or were trying to fake it ‘til they make it. That’s what triggered CMMC, because people weren’t able to self-assess. They need third-party verification. What this means is organizations now will really have to understand their posture against NIST 800-171. They can’t guess anymore because when it’s audit time they’ll fail, and then they won’t be eligible for contracts.
Are there any options to make this easier?
Companies have four options. They can say, “I’m not going to do this. I’m getting out of this business. I’ll just let my contracts expire.” The second option is to sell their DoD business. Third is to do the minimal amount of work, which might get suppliers to the first checkpoint. But know that the DoD is going to continue to improve the requirements. The final alternative is to make the right investments to become more competitive, and to be able to grow your CMMC business. With CMMC, it’s not just about DoD contracts. It’s going to quickly be moving to the Department of Homeland Security, NASA, and anywhere else in the federal government where there’s control of classified data and critical infrastructure. It’s a huge, huge opportunity.
What should DMG MORI subcontractors do first?
Akbar Khimani: Don’t wait anymore. For us it took at least a year to get everything in place. Hire a third party to do an assessment to see how ready you are. Get going. But also, understand what CMMC is. There are resources out there from the DoD and elsewhere to help.
J.L.: This will take time. There are individuals that say, ‘You can be CMMC certified in two weeks if you buy our product.’ That’s just not possible. Becoming CMMC certified is not about one product. It’s about people, processes, technology, assessment and looking strategically at your business. It’s about ensuring you are protecting the government’s data. It’s not overreach. It’s something we should all be doing for national security.
LEARN MORE ABOUT CMMC
The federal government has resources available to help defense contractors, subcontractors and suppliers to understand the new CMMC requirements. Here are some places to turn:
- The DIB Cybersecurity Portal (look under “DoD DIB Cybersecurity-as-a-Service [CSaaS] Services and Support”).
- The MxD Virtual Training Center, for information on cybersecurity workforce training resources.