It’s been over a year since the initial announcement of the upcoming Cybersecurity Maturity Model Certification (CMMC) implementation plan.
Since then, thousands of blog posts and videos on the topic now exist (some of which came from us).
Although that’s a great strategy if you’re a business that’s trying to help those that serve within the Defense Industrial Base (DIB), it can sometimes lead to misinformation. One inaccurate piece of information or rumor provided about CMMC’s rollout could lead to a snowball effect of confusion.
Of course, the best source of information for all CMMC updates is the CMMC-AB and the Department of Defense.
Luckily, we had the opportunity to hear from the CEO of the CMMC-AB, Matthew Travis, when he visited Walsh University in North Canton, Ohio. He was on campus as the keynote speaker for the 2021 CMMC Summit, hosted by Rea & Associates.
As the CEO of the nation’s sole authorized provider of cybersecurity certification credentials for the DIB, he provided a lot of insight to those who attended.
Since we were in the audience, we had the opportunity to hear his speech. As such, we’re going to provide you with the biggest takeaways.
Table of Contents
CMMC is the first attempt to have the DIB do something about cybersecurity.
The government is asking the DIB to change how they do business for the safety of America.
CMMC isn’t made up, it’s based on real threats trying to steal sensitive information.
Theft of intellectual property is the biggest driver of CMMC’s existence.
Most companies didn’t take NIST as seriously as the DoD originally wanted.
OSCs who haven’t started need to learn about their organization’s environment.
Accreditation means that the CMMC-AB trusts C3PAOs to give assessments.
If you’re a DIB contractor, your data security is the most important factor to the DoD right now.
CMMC-AB is working on a new website that’s catered to what DIB contractors need via an assessment.
CMMC-AB will cover how to lower the cost burden on SMBs this fall.
Even with the Biden administration, CMMC is still “walk, crawl, run”.
Virtual assessments and readiness reviews help decrease costs.
As currently designed, prime and subcontractors will need a CMMC certification.
1. CMMC is the first attempt to have the DIB do something about cybersecurity.
Experts in the cybersecurity space could argue that CMMC is the second attempt to have the DIB do something about cybersecurity. Those who say that are technically correct. Yet, so is Travis in what he stated.
You see, CMMC is the first real attempt at making sure the DIB ensures that its information is safe.
If the contractors within this ecosystem don’t take this regulation seriously, they’re no longer going to win bids after 2025.
2. The government is asking the DIB to change how they do business for the safety of America.
The DoD isn’t implementing CMMC as a way to make doing business with it harder. Although that’s arguably a side-effect, the regulation’s main purpose is to place protections on Controlled Unclassified Information (CUI).
It’s also not a regulation that only deals with a small section of the DIB. It affects every contractor and subcontractor, other than those that provide commercial off-the-shelf products. To put it in numbers, that’s over 300,000 contractors.
3. Cybersecurity is the battlefield of this century.
Although true, this might actually be the understatement of the century.
I’m being facetious. You see, cybersecurity threats aren’t slowing down anytime soon. In fact, many experts tell their clients that it’s not a matter of if your organization gets attacked but when.
4. CMMC isn't made up, it's based on real threats trying to steal sensitive information.
We thought that this was one of the more inspiring parts of Travis’ keynote.
If you talk to any cybersecurity expert, they’ll tell you there’s an ever-growing threat of cybercriminals getting into your system. Of course, they get paid to tell you that. Even so, though, the threat is real.
In his speech, Travis went on to name the real-world threats he alluded to, including the recent attacks on SolarWinds and Colonial Pipeline.
5. Theft of intellectual property is the biggest driver of CMMC's existence.
Controlled Unclassified Information (CUI) isn’t the most sensitive information that exists within the government.
Even so, it’s information that directly impacts the nation’s defense.
It was just a few years ago when a Chinese national admitted to hacking DoD contractors, leading to the creation of an aircraft that mimics the USAF F-35.
6. Most companies didn't take NIST as seriously as the DoD originally wanted.
Many certified third-party assessors (C3PAOs) will attest that there are direct correlations between CMMC’s practices and the controls listed in NIST 800-171. In fact, the CMMC-AB’s own guidance packet mentions “NIST” 13 times, so it’s no secret.
Even though NIST 800-171 is an important compliance measure for all DIB contractors to pursue, it never required third-party attestation. Thus, the unfortunate result was “check a box” compliance.
In other words, organizations would approach the controls more casually than the DoD expected them to...leading to cybersecurity vulnerabilities.
7. CMMC is non-trivial, but not impossible
What a relief.
There are so many moving parts in the CMMC ecosystem that it has left a lot of confusion and frustration in its initial wake.
It’s relieving that the CEO of the CMMC-AB acknowledges that fact while encouraging those within the DIB that it’s possible to achieve.
8. OSCs who haven't started need to learn about their organization's environment.
Since CMMC’s requirements are so overwhelming and are still under debate in Washington D.C., many organizations seeking certification don’t have any idea where to start.
In a perfect world, every organization within the DIB would’ve started their cybersecurity journey years ago with the announcement of NIST 800-171. But that’s not the reality.
You see, cybersecurity is still a relatively foreign concept for the smaller contractors and subcontractors within the CMMC ecosystem. They don’t know where to start.
Travis attested that all OSCs that haven’t started yet should do so by learning about their environment.
9. Accreditation means that the CMMC-AB trusts C3PAOs to give assessments.
This takeaway might seem obvious at first.
Of course the CMMC-AB trusts the third-party assessors that it certifies. Third-party attestation is one of the biggest differentiators of this requirement.
We listed this remark as a takeaway because it’s still a good reminder as to the “chain of command” within the ecosystem.
You see, there are a lot of organizations and consultants out there that already exclaim that they’re experts on the regulation. Yet, when it comes down to brass tacks, the only organizations that can certify that you’re compliant are the C3PAOs.
10. If you're a DIB contractor, your data security is the most important factor to the DoD right now.
This comment from Travis checks out.
If you’ve been paying attention to the news over the course of the past year, you’ve seen the headlines of massive organizations falling victim to hacker groups. Of course, one of the attacks I’m referring to is the ransomware attack on Colonial Pipeline Co. that led to fuel shortages across the US.
But, the reality is that there’ve also been successful hacking attempts on DoD contractors that led to sensitive information leaks as well.
11. Train your employees on cybersecurity.
It’s reassuring to see the CEO of the CMMC-AB advocating for cybersecurity training.
Your employees are your biggest risk. I don’t need to cite a source for that statement; it’s practically common knowledge within the cybersecurity realm at this point.
As the owner of an organization, you need to ensure that your team knows the threats that they may encounter on any given day. That can only happen through training.
If you don’t train your employees on the cyber threats that exist, it’s only a matter of time before your business falls victim to an attack.
12. Level 1 is easy, it covers basic stuff.
There are only 17 controls that DIB organizations need to implement at Level 1. Thus, Travis isn’t wrong with his statement.
To achieve a Level 1 certification, you only need to prove what the CMMC-AB defines as practicing “Basic Cyber Hygiene”.
For example, one of the requirements within Level 1 is that you escort your visitors through your building and monitor them closely. Easy enough.
However, another requirement is that you verify and limit connections to and use of external information systems. That’s not a terribly difficult requirement, but it could sound like a foreign language to an organization that isn’t familiar with cybersecurity practices.
Although basic, Level 1 could still be difficult.
13. Non-trivial challenge equals non-trivial cost.
Gulp.
The reality of CMMC is that it’s a big challenge for hundreds of thousands of organizations. Since there’s so much involved, it’s going to cost a lot of money from effort, product and service perspectives.
Thus, some organizations have a hard business decision to make.
Does your organization do enough business with the DoD to justify the cost of pursuing the CMMC certification?
14. CMMC-AB is working on a new website that's catered to what DIB contractors need via an assessment.
Travis was very excited about this announcement.
I’ll admit that the CMMC-AB website does look a little bit outdated, but it’s not terrible.
However, if the new site is as helpful as he described, it’ll make the assessment process much easier for OSCs.
He stated that it’s going to help guide OSCs to organizations they should contact regarding achieving CMMC based on their specific needs. Sounds exciting.
15. The more organized you are ahead of time, the less money you'll have to spend on consultants, C3PAOs, etc.
This is one of the golden nuggets that Travis dropped during his speech.
As I alluded to earlier, the cost associated with achieving CMMC is one of the biggest factors that OSCs want to know so that they can budget accordingly.
However, if you’ve already made some progress toward the certification prior to reaching out to a consultant, they won’t need to implement as much. Thus, your overhead costs toward certification will be significantly less.
16. CMMC-AB will cover how to lower the cost burden on SMBs this fall.
Another encouraging remark from Travis.
Within the same portion of the speech when he spoke about the non-trivial cost associated with pursuing CMMC, he also acknowledged the fact that the AB plans on addressing how to lower it for small and midsize businesses.
Hopefully, the plans the CMMC-AB comes up with to lower the cost burden work, as that’s the biggest impediment for smaller contractors.
17. Even under the Biden administration, CMMC is still "walk, crawl, run".
Administrations within the government change all the time...that’s nothing new, we all learned that in grade school.
Yet, new presidencies can sometimes mean resource re-allocation and policies fizzling out. Since that’s exactly what we just went through with the introduction of the Biden administration, it only added to the speculation surrounding CMMC.
Luckily, Travis reassured us that not only is CMMC still a focus with the new administration, so is the gradual approach.
18. Assessments happen based on what you need from a C3PAO.
Similar to a takeaway from earlier, this one might also seem like it’s obvious.
Yet, it’s actually a great point that connects back to cost.
A consultation that finds tons of vulnerabilities and requires the creation of hundreds of new policies is going to cost a lot more than one that checks boxes.
That also holds true for C3PAOs and Travis just admitted to it.
19. Virtual assessments and readiness reviews help decrease costs.
If you mentioned the phrase “virtual assessment” to a cybersecurity expert a couple of years ago, you would’ve gotten a weird look.
It’s safe to say that things have changed quite a bit since then. Today, virtual cybersecurity assessments continue to grow in popularity across the nation.
It’s great that the CEO of the CMMC-AB acknowledged them as a cost-saving option.
20. As currently designed, prime and subcontractors will need a CMMC certification.
This is another big takeaway. Travis was referring to the “flow-down” aspect of CMMC.
If you’re a part of a massive government contractor (e.g., Lockheed Martin), your organization will need to pursue and achieve the highest level of CMMC.
As part of the requirements for the prime contractors, they need to ensure that their subcontractors also achieve the level laid out within the regulation.
For this to work, prime contractors will place the requirements within their orders and specifications. They’ll also need to have visibility on their subcontractors’ progress toward certification.
Organizations should identify the roles assigned to each statement within the policy. Mapping policy commitments to requirements and roles creates a shared responsibility matrix.