All DoD Suppliers that want to work with the Department of Defense (DoD) will eventually need to be ‘cybersecurity certified’ after the DoD publishes the official version of CMMC in January 2020. Known as the Cybersecurity Maturity Model Certification, CMMC makes it compulsory for contractors to adhere to the NIST 800-171 standards (with a few additions) which were originally required as part of the DFARS 252.204-7012 regulation that was adopted several years ago.
The new cybersecurity mandate requires all suppliers in the DoD supply chain to implement certain controls of the NIST 800-171 on their internal networks, depending on which Level of certification they will need to achieve, based on the type of data they handle or the type of program they work on for the DoD.
The CMMC will include a third-party audit component that was lacking in the DFARS regulation and will be administered to certify that suppliers have successfully implemented the security controls outlined in NIST SP 800-171. The certification process will be conducted by third-party auditors (C3PAO) that will be trained by the CMMC Accreditation Board. The CMMC AB is currently being formed as a separate entity that will work with the DoD to implement the certification process and is hoping to be in place in January 2020.
The CMMC potentially applies to 300,000 suppliers and many of them have been working to update their security controls over the last several years. Larger suppliers with the resources appear to be pretty well down the road with complying with the new cybersecurity requirements, while some smaller suppliers with less internal resources, have struggled with the costs and complexities of getting compliant. One of the ways some of the smaller suppliers have been able to affordably make progress is by outsourcing the work to Managed Service Providers (MSP’s) that have certified cybersecurity professionals on staff that really understand the process and can reduce the timeframe and effort required to compliance.
“For many small companies, supplying the defense industrial base (DIB) is a significant part of their business. Therefore, it’s critical that they begin to implement these controls in 2020 or they could find themselves on the outside looking in,” says Tim Brennan, CEO of SysArc, an MSP that manages IT systems for DoD suppliers throughout the United States and helps them prepare for CMMC certification. “That’s why we encourage suppliers to get an assessment of their network to discover what their current security posture is and create a Plan of Action & Milestones (POA&M) in preparation for getting certified to the appropriate CMMC Level required for their business.”
More information on the CMMC is available on the Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification website here: https://www.acq.osd.mil/cmmc/.
For more information on how DoD suppliers can get started towards certification, please see SysArc’s resource page on the CMMC here: https://www.sysarc.com/services/managed-security-services/cybersecurity-maturity-model-certification-cmmc-guide-for-dod-contractors/