Defense contractors are getting a jump on Cybersecurity Maturity Model Certification (CMMC) compliance, completing assessments — or preparing to do so — to get a competitive advantage.
That’s according to a recent report from Deltek, an enterprise software company. Its Clarity Government Contracting Industry Study found that 55% of respondents expect CMMC to apply to their company, and of those, 69% plan to undergo an official CMMC third-party assessment this year. Assessments are required for most Level 2 contracts.
Companies are taking such steps even though CMMC requirements are not yet showing up in Department of Defense (DOD) contracts. That won’t happen until the final Defense Federal Acquisition Regulation Supplement (DFARS) rule — specifically the Code of Federal Regulations (48 CFR Part 204) — takes effect, which could be later this summer. But without CMMC compliance, companies can’t win DOD contracts, a reason, experts say, many suppliers are acting now.
Boeing is among companies that have completed their CMMC Level 2 certification. Boeing last year participated in the Joint Surveillance Voluntary Assessment, an initiative overseen by the DOD for organizations seeking early compliance with CMMC Level 2, said Brett Cox, Boeing’s DFARS Cybersecurity Program Management Office Lead.
“We were able to take advantage of that and give ourselves a little breathing room,” Cox said.
Now, Cox, who is also a cybersecurity and CMMC instructor at Saint Louis University, has turned his attention to Boeing’s supply chain, working to get CMMC information to suppliers who are not being proactive.
“There are too many suppliers out there that haven’t even heard of CMMC at this point, the 20-person companies, the ‘mom-and-pop’ shops, and they may be the only ones in the world who can do what they do,” he said.
That is supported in the Deltek survey, which found that 24% of respondents said they didn’t know if CMMC would apply to their company.
The DOD estimates that of the approximately 300,000 companies in the defense industrial base, 80,000 must qualify for CMMC Level 2, with most requiring third-party assessments conducted by a CMMC Third-Party Assessment Organization (C3PAO).
CMMC officially launched last December, enabling companies to complete Level 2 assessments. Cox said defense contractors should move quickly to do so because there are just not enough C3PAOs to complete all those assessments at the tempo contractors may need. There are currently only 74 C3PAOs and 429 CMMC Certified Assessors (CCAs), according to the Cyber AB Marketplace. For each of the anticipated 80,000 companies, the assessment of the Organization Seeking Assessment (OSC) will require 3 CCAs to complete. “Demand is going to quickly outpace who’s available,” Cox said, making assessment slots extremely limited and valuable.