Defense industry suppliers know — or should know — that the time has come to achieve Cybersecurity Maturity Model Certification (CMMC) compliance. Deadlines set by the Department of Defense (DoD) and enforced by prime contractors are real. As of Nov. 10, CMMC can appear in contracts.
Getting right with CMMC is a time-consuming, paperwork-driven, and (red alert!) competitive process. Most defense suppliers handling controlled unclassified information (CUI) must pass an official CMMC Level 2 assessment conducted by a Certified Third-Party Assessor Organization (C3PAO). There are an estimated 118,000 defense contractors that need to achieve CMMC Level 2 C3PAO compliance, but as of mid-November there were just 83 C3PAOs to choose from, according to Cyber AB, the accreditation body for third-party assessors.
This means booking a C3PAO may not be easy. During a recent MxD webinar discussion about navigating the CMMC certification journey, experts reported a six-to-eight-month wait for an assessment after a company has signed up. The delays are significant because companies run the risk of losing out on business while they wait. Though there is a phased roll-out process for CMMC, prime contractors are pushing their suppliers to get going now. This explains the growing backlog.
“You have suppliers … telling their entire supply chain, ‘We strongly recommend you get a CMMC Level 2 third-party assessment if you want to continue doing business with us,’” Fernando Machado, managing principal and chief information security officer for Cybersec Investments, a C3PAO, said in an interview. Machado said prime contractors must get their supply chains in compliance with CMMC “because ultimately the government is going to hold them accountable.” During MxD’s webinar, Brett R. Cox, Boeing’s DFARS/CMMC Cybersecurity Program Management Office Principal, agreed the message from the Pentagon and prime contractors is clear: “Get into the assessment pipeline. Engage with your C3PAO early.”
How to proceed? We spoke to Machado, Cox, and MxD Senior Project Engineer Scott Kruse about becoming CMMC-certified and choosing a C3PAO.
Here are six tips:
1. Understand CMMC rules and requirements: CMMC is a new defense contract requirement, but it doesn’t introduce a new set of operational procedures. In effect, CMMC is third-party validation of the existing NIST 800-171 standards, which provide a set of 110 cybersecurity requirements a defense contractor must follow if it handles CUI. “The only thing that the DoD added on top of that was the CMMC Level 2 scoping guide,” said Machado. The Level 2 scoping guide helps organizations recognize what parts of their businesses come under CMMC auspices. DoD instituted CMMC because it determined too many companies were coming up short on meeting NIST standards. Now a third-party assessor will certify whether a supplier is handling CUI responsibly. “In NIST 800-171, about 60% of the assessment objectives are about paperwork,” said Cox. “They’re about your policies and procedures. So, it is largely about how you operate as a business.” An organization’s controls, safeguards, and countermeasures must be backed by strong administrative controls to protect CUI.
2. Do a gap assessment: The road to CMMC certification runs through the C3PAO, but before booking one, companies should work their way through NIST 800-171 to confirm they are prepared for official scrutiny. Find the gaps, in other words, and consider hiring a consultant for the gap assessment. Or at least use an outside professional to check your in-house experts’ work. Think of the gap assessment as a low-cost trial run for the real thing, said MxD’s Kruse. “They’re going to make sure your documentation is right,” he said. “They’re going to ask you a bunch of questions about your environment, about your access control, and make sure everything is lined up the way it’s supposed to be. So, when you do go through your assessment, you’re set.”
Machado, from the C3PAO, agreed that getting outside support early is common. And wise. “Most of the folks we work with have either worked with a consultant or a managed service provider that has helped them bridge the gap and actually implement the requirements,” he said. Sure, some companies do their own gap assessment, Machado added, but “when companies take them on themselves, they usually miss the mark.”
3. Shop early for an assessor: CMMC assessors are accredited by Cyber AB, a nonprofit that works on behalf of the DoD to help implement and oversee the CMMC program. Cyber AB operates a marketplace that lists all accredited assessors, so that’s the place to start looking. With 83 to choose from, experts recommend having discussions with numerous C3PAOs. “The first step is going to be interviewing someone who matches and has the technical knowledge of your organization,” said Boeing’s Cox. “We’re very complex so we needed a C3PAO who can handle a more complex environment. Not everybody needs that, so it’s about saying, ‘Here’s my environment. How would you assess me?’” C3PAO costs vary, depending on the size and complexity of an organization, and whether the assessment can be done via paperwork and virtual inspection or requires on-site visits. Experts said small to mid-size manufacturers (SMMs) can anticipate costs in the low tens of thousands of dollars to $100,000 or more.
4. Stay on target: Scheduling an assessment isn’t like booking a beach vacation. C3PAOs won’t confirm a booking until it seems certain the supplier will be ready to pass. It does neither party any good for a company to get to the big moment and fail. Suppliers can expect to have a detailed meeting with the C3PAO to check signals and peruse documentation well in advance. C3PAOs don’t want companies to go through an assessment and fail it. They want to claim a high success rate among clients, while suppliers that need to reschedule because they aren’t ready can anticipate a cancellation fee. Bottom line: Connect early with a C3PAO and work together closely to avoid pitfalls.
5. Avoid the pitfalls: Machado identified several specific reasons suppliers fail their CMMC assessment. The biggest risk, he said, is not understanding there are two sets of documents that detail the requirements. There is NIST 800-171 and there is NIST 800-171A. “On paper, it looks like you have 110 controls, but in reality, you have 320 different assessment objectives you have to meet,” he said. This is why suppliers need to communicate with their C3PAO in detail. Other reasons for failure include a company not having a System Security Plan or lacking government-approved FIPS-validated cryptography. Another reason is not establishing multi-factor authentication across all systems and components. “It’s not just the laptops,” Machado said. “If it protects CUI, or contains CUI, you have to implement the requirements across the board.”
6. Understand that it’s about national security. In effect, the CMMC journey is continual. Bad actors and foreign states will never stop trying to infiltrate the defense industrial base, so cybersecurity requires a 24/7/365 commitment. Suppliers need CMMC certification every three years and must reaffirm annually that they meet the requirements. “You can’t just do it and forget about it,” Cox said. This means there is an ongoing cost to maintain an organization’s security posture. “Hopefully, you’re going to be winning more than that in contracts,” he said. And by fulfilling CMMC’s requirements, he added, suppliers are doing their duty to protect national security. “If our adversaries get the CUI, they may find ways to defeat our war fighters,” he said.
MxD Learn’s CAPITAL program offers free, virtual training that equips workers with the skills to ensure compliance — and to protect manufacturers and the systems that power the U.S. economy. To learn more and enroll, visit MxD’s Virtual Training Center.