What Business Leaders Need to Know About CMMC
CMMC, or the Defense Department’s Cybersecurity Maturity Model Certification, is the chosen accountability mechanism for broad cybersecurity implementation across the supply chain.
Despite a rocky start and delays, it continues to move forward. Expect accountability in the form of third-party assessments “soon.”
Along with understanding third-party assessments, business leaders need to understand the threat and their role in ensuring their organization mitigates threats to sensitive defense information residing on or passing through their systems.
First, leaders need to understand this is not just an information technology problem. IT cannot deliver full implementation of this standard for any organization.
Business leaders cannot simply say, “It has ‘cyber’ in the requirement, so IT can take care of it.” IT alone is incapable of meeting all CMMC requirements. Implementing CMMC is fundamentally a business operations requirement, because any IT solution depends on knowing and understanding how business operations ingest, create, store, transmit and discard sensitive defense-related information. Without active leadership and collaboration from business leaders, IT will fail the CMMC implementation challenge.
The second thing every business leader needs to know is that, as a business problem, effective implementation is really difficult. CEO of Defense Cybersecurity Group Vincent Scott contends, “CMMC as constructed by the DoD is the hardest certification standard in industry. It is the only one requiring 100 percent compliance to every sub-objective of every control.”
Some commentators describe CMMC as “just the basics,” insisting implementing the requirements is simply “good cyber hygiene.” Some Defense Department officials claim they have implemented CMMC in their homes in 30 days, perhaps leading some to conclude that IT with a modest effort could meet all requirements.
This is misleading. Ryan Heidorn, CTO at C3 Integrated Solutions, expects even small organizations could need as much as 12 to 18 months to go from “zero” to assessment ready.
“Building an IT environment that supports the technical requirements in CMMC is the easy part,” he said. “We find many of our clients need significant assistance with compliance program fundamentals — everything from documenting how [controlled unclassified information] flows through the organization to authoring and implementing corporate security policy. Many organizations have never formally tried to understand what risk management should look like for their business prior to these exercises.”
Implementing CMMC requires updates to business operations first, followed by changes to the information systems that enable those new ways of doing business. A cybersecurity program that integrates business operations, sales, finance, human resources and IT, so that government-mandated protection of information holds across all of those areas, needs senior leader engagement to drive successful design and implementation.
Some leaders, based on recent reporting, may believe they can delay the work necessary to implement CMMC because the requirement for third-party assessments may get delayed. Any delay will stem from a Defense Department decision to conduct additional rule-making around CMMC, including establishing it in Title 32 of the Code of Federal Regulations, the title of the federal regulatory code that covers national defense.
CMMC will not disappear, but when the requirement for passing a third-party assessment will first appear in contracts depends on the completion of rule-making. Completion could occur as early as this summer, but many predict it could stretch into 2024 or 2025. As a reminder, the delay will impact the requirement for a third-party assessment, reported in a system that department acquisition personnel will use to determine eligibility for federal contracts.
What have not been delayed are existing Defense Department cybersecurity requirements, nor the continuous cyberattacks on U.S. defense industrial base companies. Since 2017, the Pentagon has mandated compliance with the National Institute of Standards and Technology Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” in nearly all contracts (through DFARS clause 252.204-7012).
While these requirements are contractual obligations, many companies made little serious effort to implement them because the government did not evaluate compliance, instead depending on companies’ self-assessment. With the planned move to third-party assessments, companies began assessing their NIST SP 800-171 compliance more accurately, as highlighted in a recent CyberSheath report that found less than 30 percent of companies self-reported a score of at least 70 out of a possible 110. Most experts believe these figures likely understate the compliance problem.
And lack of compliance poses a threat to our warfighters. Foreign adversaries attack company systems daily, stealing intellectual property.
Many years ago, a telecom company led the world in manufacturing and selling telecom equipment. Between 2000 and 2010, the company went from world leader to out of business, displaced by Huawei. Significant evidence indicates the company’s decline was due in part to its lack of effective information security. Today, you cannot find the company name in an internet search.
Do not mistake emerging CMMC third-party assessment requirements for an “IT problem.” CMMC implementation, designed to drive accountability, will impact operations. Protecting sensitive business information, including information that may confer competitive advantage, is a business problem requiring business leader attention and ownership.
Rachel A. McCaffrey is senior vice president of Membership and Chapters at the National Defense Industrial Association.