4 CMMC Insights: Webinar Panelists Describe Cybersecurity Certification Journey
There’s a new date on the calendar that may represent a shock to the system for defense industry contractors: November 10.
From that day forward, defense suppliers may expect to see a requirement in various contracts that they achieve Cybersecurity Maturity Model Certification (CMMC) 2.0, the new cybersecurity standards from the Department of Defense (DoD) for defense contractors who handle controlled unclassified information. Without certification, they can lose work.
CMMC 2.0 has been a long time coming. But its arrival doesn’t have to involve a worrisome journey in isolation for small and medium-size (SMM) suppliers who haven’t yet moved toward certification. Recently, MxD, the National Center for Cybersecurity in Manufacturing as designated by the DoD, brought together three industry experts for a webinar on CMMC. The trio offered advice and took questions from an eager audience.
One major takeaway from the roundtable: Getting CMMC certification in a timely fashion is competitive because it’s a numbers game. There are as many as 118,000 defense contractors that will need to achieve Level 2 certification, but at this point there are just 81 Certified Third-Party Assessor Organizations (C3PAO) authorized through Cyber AB, the accreditation body, to conduct the necessary assessment required for the certification. Note that very few companies will be able to do self-assessments as a first step.
The full supplier ecosystem won’t all go through the assessment process at once, but there are already wait times of six to eight months for assessments, so companies should not delay.
“Get yourself ready as soon as possible,” said Brett Cox, DFARS/CMMC Cybersecurity Program Management Office Principal at Boeing. “Engage with your C3PAO early. Get in the pipeline because I foresee a backlog.”
While this sounds alarming, not every organization is expected to have certification completed on Day One, said Amit Chaudhary, Vice President – Head of Cybersecurity, North America and Defense for Rolls-Royce. And there is help to manage the journey. Achieving certification is both a process and a partnership between suppliers and prime contractors, with guidance and support available from the DoD.
“Work with your commercial and contracting officer,” Chaudhary advised.
During MxD’s one-hour CMMC webinar, Cox and Chaudhary, along with Michael Tanji, Director of Cybersecurity at MxD, discussed the CMMC certification process in detail.
Here are four key insights from the roundtable to help suppliers navigate their way to CMMC 2.0 certification.
- CHOOSE THE RIGHT C3PAO: Tanji said MxD recently hired its C3PAO and has an assessment scheduled for April 26. “We reached out to four different firms,” he said, with price quotes ranging from the high $30,000-level to nearly $70,000. “We ended up picking someone in the middle, not just because of price but because of the questions they asked and approach they took. You could do a mass-produced sort of thing if you wanted to churn through it like some sort of maniac, but it was clear they took a different approach. They said, ‘We’re going to do this properly. We’re here to help you achieve this status’.”
- DETAILED DOCUMENTATION MATTERS: CMMC is a new, unique certification program, different from DCMA DIBCAC High Confidence on-site assessments, so get ready to dive into a deeper level of policy descriptions requiring more authoritative statements about practices and procedures. That paperwork may exist somewhere, or it may not. It’s one of many surprises contractors may discover when going for CMMC. For example, Cox said, Boeing had various anti-virus procedures, but “just because we’ve always done it that way, the question is: ‘Where is it defined?’ We were caught a little by surprise.”
- IT’S A TEAM GAME: While CMMC is all about cybersecurity, the assessment process also requires that companies gather evidence related to how the organization operates as a whole. This means getting buy-in from everyone, not just IT. “Getting folks who deal with legal, administration and finance to make their contributions to the whole process can be challenging because they don’t do security,” said Tanji.
- PLUG THE GAPS: Panelists strongly suggested companies work first with a consulting firm on a gap analysis to identify, as soon as possible, the tasks required to ensure a successful assessment. Cox is a certified CMMC assessor, and Boeing still felt the need to get an independent consultant involved. Today the company has CMMC Level 2 certification for its enterprise organization and two subsidiaries. Boeing continues to build its internal bench of experts. The point, Cox said, is to do as much preparation as possible to boost other subsidiaries’ chances of successful assessments. “We try to simulate that environment as much as possible so they know what to expect,” he said. “It’s not always going to be 100% because every assessor is different, but I want to get them close.”