Several developments in the last couple of weeks have stood out as harbingers of the future, a future that involves the Defense Department’s Cybersecurity Maturity Model Certification (CMMC). For months, representatives from the CMMC Accreditation Body (CMMC-AB) and Katie Arrington, the CISO for OSD(A&S), have talked about the summer of 2020 being marked by forward progress in the CMMC program. And here it is.
Earlier this month, the CMMC-AB advertised its course for becoming a cybersecurity assessor. It is the first CMMC-AB course to move certification of specific roles in the program forward. The first class of graduates will go out into the industry and start to figure out how the assessments will work in practice. Federal News Network (FNN) called these opportunities for businesses to become assessors a “CMMC bonanza.”
“Assessors who can examine a contractor’s cybersecurity posture will form a linchpin in the complicated apparatus DoD has devised to, in theory at least, guarantee the safety of its supply chain,” according to FNN. “Given that some level of security maturity will become a requirement for doing business with any component of DoD, the third party assessors — whether they are sole practitioner consultants or working in larger organizations — will have a captive and willing set of potential clients.”
Couple this with last week’s announcement from Ellen Lord, the Department of Defense’s top acquisition official, that the Pentagon has started its first “pathfinder” to pilot its new cybersecurity contracting standards by assessing an existing Missile Defense Agency (MDA) contract, with plans to expand the effort over the next several months.
According to Defense Daily, Lord said DoD’s Office of the Chief Information Security Officer for Acquisition (OCISO-A) is working with MDA on the CMMC pathfinder, on unspecified existing contracts, to ensure the new program’s accreditation body is able to properly assess vendors’ supply chain security practices.
“The pathfinder encompasses acquisition tabletop exercises, training of mock assessors, conducting mock assessments, that are non-punitive, of a prime contractor and three sub-contractors on an existing contract and the demonstration of CMMC-AB processes,” Lord said.
DoD is also discussing CMMC implementation efforts with international partners, according to Lord, who said there’s interest in going after similar standards from Canada, the U.K., Denmark, Italy, Australia, Singapore, Sweden, Poland, Israel and the EU’s cyber security body.
“There is potential for these countries to adopt U.S. standards, which is really very exciting,” Lord said.
The pathfinder programs and the assessor training simply show that CMMC continues to gain momentum: it is moving forward despite scattered whispers and criticism of the program’s efficacy. Ardalyst has been writing about CMMC for months, and we emphatically believe that aligning your company’s networks for better cyber hygiene and readiness now is the smart move, whatever the final disposition of CMMC turns out to be. The processes and steps required are not as difficult as you may think, as long as you plan ahead and work with a good team.
Obtaining certification as an assessor involves a four-day class, and interested parties need at least 10 years’ experience “conducting evidence-based assessments in cyber” or “proven experience” in cybersecurity for at least 20 years. The CMMC pathfinder approach, for its part, is intended to demonstrate improved supply chain security by assigning vendors a cybersecurity certification on a five-point scale; the program is expected to include a total of 10 pilots as part of DoD’s phased rollout.
According to Ms. Lord and the CMMC-AB, the Pentagon is working with another DoD agency to initiate a second CMMC pathfinder in September “that conducts an additional non-attribution, non-punitive mock CMMC assessment for a subset of the contractors,” as well as assisting the services in identifying new contracts that could be used as potential pilots.
“These pilots will be implemented on new DoD contracts to further reduce the risk of the CMMC phased roll-out by focusing on the flowdown of controlled, unclassified information and CMMC requirements through the supply chain and conduct of mock assessments,” Lord said.
While CMMC may seem daunting, it doesn’t have to be hard or expensive to achieve. We recommend that organizations take a formalized and structured approach to their cybersecurity posture and consider three significant points about the importance of their investment:
- CMMC standards help curb financial losses, and the government is willing to pay for that. By DoD’s own estimate, the U.S. is losing $600 billion a year to data loss. CMMC demonstrates the DoD’s motivation and willingness to help companies recoup their investment in cybersecurity. Ms. Arrington has backed this up in numerous interviews and webinars: “We understand that there’s going to be a cost to this, but when we’re losing $600 billion a year, if I have to put $1 billion in to make sure that we protect ourselves, it’s a huge return on investment,” she said. “More importantly, [we’re] investing in ensuring our supply chain remains whole.” The DoD will allow contractors to include the costs of certification in the rates they charge the department.
- Achieving cyber maturity makes your business stronger. Having a robust cyber program makes your organization more productive and more resilient. Ardalyst customers have told us that without the move to modern, secure platforms, the COVID closures would have caught them flat-footed. Your investment can do double duty, meeting the compliance requirements for bidding on and receiving federal government contracts while making your business better.
- We’re all in this together. CMMC certification safeguards our national security, which is in everyone’s best interest. It is simply the right thing to do for our nation.
We offer a free planning session to help you chart a course to compliance and replace uncertainty about CMMC with understanding of the program and the benefits of achieving certification.