Some Preliminary Steps Can Pave Way for CMMC Success
Media coverage and dialogue around cybersecurity are so commonplace that some people are becoming numb to how serious and pervasive the impact and damage can be. The cost of malevolent cyber activity is projected to hit $6 trillion annually by 2021. The average cost to businesses that experience a data breach is estimated at $3.86 million. Can any organization afford that?
The COVID-19 pandemic created massive transitions to remote work environments, presenting both increased flexibility and risk exposure, as demonstrated by the SolarWinds breach and hundreds of other hacks last year to federal agencies, private corporations and individuals.
Cybersecurity Maturity Model Certification (CMMC) is a crucial — and mandated — step for businesses working for the Defense Department. If an organization handles defense information or controlled unclassified information (CUI) — from data to maps, plans, models or manifests — CMMC relates to the business.
Certification could also mean the difference between company survival and closing shop as it becomes a key contract requirement.
Determining where to start can leave even the most adept organizations in a holding pattern. CMMC is structured like a nesting doll: 17 domains containing 171 practices, grouped under 43 capabilities and categorized into five process maturity levels, all of which culminate in one of five certification levels.
Here are five steps that will help launch a team’s momentum in a strategic direction.
Step 1: Gather your internal team.
Teams are the foundation of success, so know who is in your wheelhouse. For CMMC, this may include traditional cybersecurity-focused leaders as well as communications professionals, human resource directors or project managers. The project team’s structure is malleable, and leaders know their organization’s aptitude best. Start dialogue now, align expertise, delineate a leader, and host structured, regular meetings.
Doing so will empower a team to take ownership of the long-term process.
Step 2: Learn and keep learning.
When certifications are established, there is an information deluge spanning logistical necessities to infinitesimal “what ifs.” The con: information overload. The pro: information overload. Rely on your established internal project team to strategically read, review, interview and attend webinars so you collectively grasp the certification framework. Then, continue doing so as the framework will evolve.
Defense contractors need to understand the interim rule, NIST 800-171, which became effective Nov. 30, while also learning CMMC, which is rolling out in phases through September 2025. Each has already changed and is likely to continue doing so. Ensuring a team stays vigilant of new information strengthens its position.
An important and sticky detail is this: any organization submitting bids for defense contracts needs to have already submitted its 800-171 assessment and should be actively closing its “Plan of Action and Milestones” — which explains why most organizations need some form of external expert support.
Step 3: Find your holes.
Have you had a tire with a potential leak? The only way to fix it is to dedicate time to finding the hole and determining the proper fill. It is mission-critical to discern a team’s capabilities and the certification’s requirements, determine how well the organization’s abilities match those requirements, and catalog the gaps. These could be in a team’s knowledge base or in the deliverables it provides.
With CMMC, it means the difference between small businesses earning a Maturity Level 3 or 5, which translates to viably competing for contracts and overall business survival. Sometimes the greatest knowledge is knowing what you don’t know. Just like the tire, the gaps can be filled, but you need to know where they are.
Step 4: Collaborate with external experts.
There is value in seeking external support. This fresh brainpower and knowledge can amplify your internal team. The key is choosing the right-fit advisor. Consider the following: Does the organization have a track record for advisory services, and are they continually tracking this certification? For CMMC, cybersecurity advisory services actively monitoring the framework’s evolution make the strongest partners.
Does the organization offer fixed-pricing structures? CMMC advisors often conduct initial assessments for a small fee; after that, as with other certifications, cost estimates vary depending on the extent of the collaboration.
Is there more than one estimate? Take time to review options. It saves money and confirms you made the right decision.
Step 5: Prioritize your approach.
Success takes time, perseverance and work on competing tasks. Focusing on achieving excellence in specific areas is more efficient than spreading a team thin to attain broad lower-level compliance. If aiming for CMMC Level 5, consider concentrating on the individual domains that need improvement and expanding the breadth as each maximum maturity level is reached. This culture of excellence will institutionalize and permeate the broader organization, whether it is normalizing cybersecurity or another best practice.
No matter what certificate a company aims to earn, the key is to start now. Information is available and resources will be there as contractors craft their approaches. They may even find they are further along than anticipated.
Rick Hill is senior vice president of HumanTouch LLC, a PMP, computer engineer and government contracting expert.
I really enjoyed the article, Rick, and agree with each of your steps. Steps 1, 2 and 4 sang to me. People are always the most important, and having the right team working towards your goals is key. I also really like that you encourage folks to keep learning. Nothing is as certain as change, and so learning along the way is critical. Step 4 is similar to step 1 in that finding the right external support - or the right people who just happen to be external to assist - is pivotal. In agreement with Vince too. Let's get Level 3 first and then work from there. Appreciate the awareness that with malevolent cyber activity still on the rise, organizations can't afford not to take cybersecurity seriously (with or without a requirement to do so).
Jana Steen at 3:40 PM
Nice article. Agree completely about starting with the Team. People first. Too often in cyber we try to start with the technology first and that is a consistent error.
Vince Scott at 11:32 PM
I do have one point of order and one comment, though.
From step 2, NIST 800-171 did not go into effect 30 November. The requirement for its adoption by Defense contractors actually was final after a several-year implementation period 1 January 2018, so over 3 years ago. This is carried in DFARS 7012 which has been applied to nearly all contracts at this point. What went into effect 30 November under the interim rule publication were three new DFARS clauses 7019, 7020, and 7021. 7019/7020 are what require using the DCMA Basic Self Assessment Methodology, to score yourself on your current NIST 800-171 implementation. That guidance is here: https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
I think this point is important and would like that 'DCMA methodology' to be mentioned as often as possible. Many companies out there I believe are responding to the SPRS submission requirement and do not understand that this specific method of scoring is what should be used. The more we can get that word out the better. There is a lot of confusion and misinformation on it.
My one comment is that I would submit almost no one today is aiming for Level 5, and indeed the DoD has said that they only expect a handful of contractors to ever require it. Particularly not smalls. A big part of this is that Level 3 is actually really hard to get to 100% on.
The more I dig into effective implementation at the level required to meet every assessment objective for Level 3 the more I find out it is exceptionally hard. The DoD interpretation and enforcement approach keep moving the bar higher. The DoD (heard Jim Ellis at DCMA make some comments on it recently) concept that full implementation at Level 3 against the 720 assessment objectives is "just basic security" is unfortunately not correct. When you stick your hand deeply into the 171 bucket, as one of my friends recently said, "you find a lot of razor blades." Even Level 1 is not without its challenges when you start to look at it through the lens of proving perfect, no fail, compliance against the assessment objectives in the Assessment Guides. This really only comes to light I think when you look at each control, and then the multiple assessment objectives for those controls, and say "how do I prove that?"
Some good examples are:
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices.
Assessment Objective [f] system access is limited to authorized devices (including other systems).
Assume the system is defined as your network. In order to prove that I must have a perfect inventory (very hard), and only allow designated authorized systems to connect. For a network of almost any scale, this means a full NAC implementation with enforcement turned on. You might be able to get away with MAC address filtering, but if you have more than a handful of devices that connect to your network this gets very hard, fast.
Another might be:
CM.2.062 Establish and enforce security configuration settings for information technology products employed in organizational systems
[a] essential system capabilities are defined based on the principle of least functionality;
[b] the system is configured to provide only the defined essential capabilities.
Here I think the assessment objectives very significantly expanded the original requirement and made it much much harder.
Since this is a level 2 control, let's limit this to your Level 3 enclave solution that consists of some servers, and your Windows 10 endpoints. You now need a listing of EVERY function performed by W10 endpoints and every function performed by your servers, many of which are not truly available publicly, and then you need from that list of let's say 500K functions, to decide which of those are truly essential. You then must limit the system functionality to just that list. Really not doable.
Sound extreme? Yes but... at every turn the DoD seems to be taking the ultimate literal interpretation on enforcement of controls. I think you could fail almost any company in the world (and the DoD of course) if you read this control literally and enforce it.
These are only a couple of the razor blades in the level 3 stack. There are more.
The "driving into impossible territory" is my top concern at the moment. For the sake of your article though.... I hope we just get through some Level 3 successful assessments first before we start talking level 5! I think a successful level 3 assessment is going to be way harder than most think today.
Thanks much for the article and the chance to comment. Working to get ready now is something every defense contractor should be doing.
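The two assessment objectives discussed in the comment above, AC.1.001[f] (access limited to authorized devices) and CM.2.062[b] (only defined essential capabilities enabled), both reduce to the same evidence question: what was observed versus what was authorized, and where do the two sets differ? The script below is an added example, not the commenter's code and not anything published by the CMMC program or DoD. It reconciles a constructed authorized-device inventory against constructed DHCP-style lease lines, and a constructed "essential features" list against constructed enabled Windows optional features; every MAC address, hostname, log line and feature set is sample data, and the DHCP line format is assumed rather than taken from any particular server.

```python
"""Reconcile observed state against an authorized baseline to produce
assessment evidence for AC.1.001[f] and CM.2.062[b].

Added example; all inventories, MAC addresses, log lines and feature
names below are constructed sample data, not output from a real system.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Reconciliation:
    control: str
    authorized: set
    observed: set
    unauthorized: set = field(init=False)  # observed but not authorized -> finding
    unseen: set = field(init=False)        # authorized but never observed -> stale inventory

    def __post_init__(self):
        self.unauthorized = self.observed - self.authorized
        self.unseen = self.authorized - self.observed

    @property
    def passes(self) -> bool:
        # The objective is met only if nothing outside the authorized set was observed.
        return not self.unauthorized


# --- AC.1.001[f]: system access limited to authorized devices ---------------
AUTHORIZED_DEVICES = {  # constructed inventory: MAC address -> asset tag
    "00:11:22:33:44:55": "LAPTOP-0001",
    "00:11:22:33:44:66": "LAPTOP-0002",
    "aa:bb:cc:dd:ee:01": "SRV-FILE-01",
}

# Constructed lease log in an assumed dhcpd-like format (not real server output).
DHCP_LOG = """\
Jan 12 09:01:13 dhcpd: DHCPACK on 10.0.1.21 to 00:11:22:33:44:55 (LAPTOP-0001) via eth0
Jan 12 09:02:40 dhcpd: DHCPACK on 10.0.1.22 to 00-11-22-33-44-66 (LAPTOP-0002) via eth0
Jan 12 09:15:07 dhcpd: DHCPACK on 10.0.1.57 to DE:AD:BE:EF:00:01 (android-7f3a) via eth0
Jan 12 09:16:02 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
"""

MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so inventory and log entries compare equal."""
    return mac.lower().replace("-", ":")


def observed_macs(log_text: str) -> set:
    """MACs that actually obtained an address (DHCPACK); a DISCOVER alone proves nothing."""
    macs = set()
    for line in log_text.splitlines():
        if "DHCPACK" not in line:
            continue
        m = MAC_RE.search(line)
        if m:
            macs.add(normalize_mac(m.group(1)))
    return macs


def check_device_access(inventory=AUTHORIZED_DEVICES, log_text=DHCP_LOG) -> Reconciliation:
    return Reconciliation(
        control="AC.1.001[f]",
        authorized={normalize_mac(m) for m in inventory},
        observed=observed_macs(log_text),
    )


# --- CM.2.062[b]: only the defined essential capabilities are provided ------
ESSENTIAL_FEATURES = {"Printing-PrintToPDFServices-Features", "WindowsMediaPlayer"}  # constructed
OBSERVED_FEATURES = {  # constructed, as if parsed from an endpoint's enabled optional features
    "Printing-PrintToPDFServices-Features",
    "WindowsMediaPlayer",
    "SMB1Protocol",
    "TelnetClient",
}


def check_least_functionality(essential=ESSENTIAL_FEATURES, observed=OBSERVED_FEATURES) -> Reconciliation:
    return Reconciliation(control="CM.2.062[b]", authorized=set(essential), observed=set(observed))


def evidence_report(rec: Reconciliation) -> str:
    """Human-readable record an assessor can file alongside the raw inventory and logs."""
    lines = [f"{rec.control}: {'PASS' if rec.passes else 'FAIL'}"]
    for item in sorted(rec.unauthorized):
        lines.append(f"  finding: {item} present but not authorized")
    for item in sorted(rec.unseen):
        lines.append(f"  note: {item} authorized but not observed (inventory stale or asset offline)")
    return "\n".join(lines)


if __name__ == "__main__":
    for rec in (check_device_access(), check_least_functionality()):
        print(evidence_report(rec))
```

Run as-is, both checks report FAIL: the unknown Android device got a lease, and SMB1Protocol and TelnetClient are enabled beyond the essential list. The `unseen` set is reported separately because it is the other half of the commenter's "perfect inventory" problem: an authorized asset that never shows up is not a finding, but it is a sign that the inventory the evidence rests on may be stale.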