Trying to wrap your arms around CMMC compliance in the DIB?
When it comes to cybersecurity and CMMC compliance in the DIB (defense industrial base), the government means business. And the more sensitive the data is that you handle, the more secure you need to be.
If you do business with DoD, you will need third-party verification that your products and processes meet Cybersecurity Maturity Model Certification (CMMC) standards by 2025. And if you don’t?
Deputy Attorney General Lisa Monaco says, “We will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds when they fail to follow required cybersecurity standards.” And that also goes for reporting breaches when they happen instead of “handling them discreetly.”
Most will seek a Level 3+ CMMC designation.
The CMMC model is built upon the rules and controls found in the Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171’s security controls, along with additional practices. There are five levels of CMMC compliance, ranging from basic cyber hygiene to optimized and advanced security. For example, at Level 3, you should practice good cyber hygiene and have a well-managed security process.
During a recent CS2 summit, nearly 1000 DIB members were polled via anonymous survey to state their CMMC intent. A full 87% indicated they intend to pursue CMMC Level 3 compliance. Many defense contractors are required to pursue Level 3 compliance because of the intrinsic requirements associated with handling, storing, and protecting Controlled Unclassified Information (CUI).
The biggest challenge is having the resources to do the job.
In his address on DIB Cybersecurity, Deputy Assistant Secretary of Defense for Industrial Policy Jesse Salazar observes that, in the aerospace industry alone, each company has 200 tier 1 suppliers and 12,000 tier 2 and 3 suppliers. Additionally, Salazar states that “74% of the DIB are small businesses [and comprise]…the third and fourth-tiers of the supply chain.”
Accelerating cyberattacks open countless pathways for exploitation in a less-than-compliant environment.
The challenge is to determine how to delegate and prioritize limited resources to manage risk across the entire attack surface—from the DoD and prime contractors to subcontractors delivering robust weapons systems and small businesses that manufacture components. CMMC certification will help ensure that is happening, along with:
- Education on the whats, whys, and hows of cybersecurity
- Information sharing among agencies and contractors
- Identifying cybersecurity tools and services at a reasonable cost
The CMMC challenges increase for small to mid-sized organizations because COVID-19 has taken its toll on their resources. Many have downsized or dissolved as a result. Those who remain need to pick up the slack while managing costs. These businesses are more likely to use cloud services, and they need clear NIST 800-171 guidance on how its requirements apply to cloud-hosted environments.
Turning the CMMC jigsaw puzzle into a cohesive roadmap.
To fulfill their cybersecurity requirements, organizations attempt to seamlessly knit together regulations, cybersecurity standards, and best practices to meet each CMMC maturity level in order and reduce their risk against threats. Here are some tools that can help:
- NIST 800-128 outlines the National Checklist Program (NCP) that helps you find the specific controls you need to target to get your organization and its products and services secure and compliant
- Security Technical Implementation Guides (STIGs) and Center for Internet Security (CIS) controls are long-established pathways to help you get where you need to go
Automation is key to achieving compliance in a timely, affordable manner. SteelCloud’s ConfigOS is the STIG and CIS hardening and automation standard in the DoD.
You will need specialists to understand all the best practices, how they interlink, and how to identify all the controls. You are also going to need a lot of aspirin for all the headaches CMMC compliance causes. But with a little knowledge, a little automation, and some determination, you can beat your 2025 deadline and show your customers you are just as dedicated to cybersecurity as they are.