As reported in National Defense Magazine last week, the Defense Department anticipates that by next year 7,500 companies in its industrial base will hold certifications indicating they meet the new cybersecurity requirements laid out in the Cybersecurity Maturity Model Certification (CMMC). Katie Arrington said, “That doesn’t seem like a lot but if you think about the interconnectivity of the [defense industrial base] it’s a certification that’s good for all DoD contracts for three years.”
Will you be one of those 7,500 companies? CMMC is coming, and we continue to encourage companies to get ahead of the curve by starting to prepare now – not 18 months from now.
The version 1.02 requirements are part of the Pentagon's push to protect industrial base networks and the controlled unclassified information (CUI) they handle from cyberattacks. Unlike the self-attestation model that preceded it, CMMC requires contractors to be assessed and certified by accredited third-party assessment organizations (C3PAOs) before award, verifying that the required practices and processes are actually in place at the level the contract demands.
In fact, CMMC standards were included in the General Services Administration’s $50 billion STARS III contract, posted earlier this month. GSA says it “reserves the right” to require CMMC certifications for small businesses awarded spots on the government-wide IT contracting vehicle.
According to a FedScoop article covering the contract posting, the contract states, “STARS III contractors should begin preparing for CMMC,” adding that GSA could require STARS III small businesses to meet CMMC level 1 when it comes time for the contract’s five-year option. GSA also says in the contract it “reserves the right to survey 8(a) STARS III awardees from time-to-time in order to identify and to publicly list each industry partner’s CMMC level and ISO certifications.”
Couple that with the fact that DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to implement the National Archives and Records Administration (NARA) Controlled Unclassified Information (CUI) program of Executive Order 13556 of November 4, 2010. As the executive agent designated to oversee the government-wide CUI program, NARA issued implementing regulations in late 2016 designed to address federal agency policies for designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI.
The NARA rule, codified at 32 CFR 2002, applies to contractors that handle, possess, use, share, or receive CUI. The proposed FAR rule is intended to ensure uniform implementation of the CUI program's requirements in contracts across government agencies, rather than leaving each agency to impose its own clauses. The comment period runs from October 2020 to December 2020.
CMMC is an excellent opportunity to create a competitive advantage by demonstrating that your organization takes cybersecurity seriously. Recognition of the program is spreading, and you can take advantage of that in both your Defense and other government business.
While CMMC may seem daunting, we firmly believe that it doesn’t have to be hard or expensive to achieve. As Ardalyst’s president and chief technology officer have both stated in various interviews, we believe organizations must take a formalized and structured approach to their cybersecurity posture and consider three significant points about the importance of their investment:
- CMMC standards help curb financial losses, and the government is willing to pay for that. By the DoD's own estimate, data loss and intellectual property theft cost an estimated $600 billion a year. CMMC demonstrates the DoD's motivation and willingness to help companies recoup their investment in cybersecurity. Ms. Arrington has backed this up in numerous interviews and webinars: "We understand that there's going to be a cost to this, but when we're losing $600 billion a year, if I have to put $1 billion in to make sure that we protect ourselves, it's a huge return on investment," she said. "More importantly, [we're] investing in ensuring our supply chain remains whole." The DoD has said it will treat the cost of certification as an allowable cost that contractors can include in the rates they charge the department.
- Achieving cyber maturity makes your business stronger. Having a robust cyber program makes your organization more productive and more resilient. Ardalyst customers have stated that without the move to modern secure platforms, the COVID closures would have caught them flat-footed. Your investment can do double duty: meeting the compliance requirements for bidding on and receiving federal government contracts while making your organization more productive and flexible.
- We’re all in this together. CMMC certification safeguards our national security, which is in everyone’s best interest.
We offer a free planning session to help you chart a course to compliance and replace uncertainty about CMMC with understanding of the program and the benefits of achieving certification.