The Cybersecurity Maturity Model Certification (CMMC) program has been in effect for almost a year now. In the face of rising cybersecurity threats, the program is meant to provide more robust security standards for defense contractors and a method of enforcement via third-party assessors.
But beginning a few months ago, agencies beyond the Department of Defense (DoD) have expressed interest in following the CMMC or CMMC-like programs, and now the Department of Homeland Security (DHS) has joined their ranks. Over the next year, it’s likely that more will follow, and small business owners are concerned about the potential impact of an increased compliance burden.
In this article, we’ll take a look at the DHS’s recent special notice, its potential effects on small government contractors, and how the landscape for CMMC compliance is likely to change over the coming year.
The DHS Special Notice
On August 10th, the DHS issued a special notice, announcing its intent to “advance our process in assessing industry compliance with Cyber Hygiene clause requirements”. Cyber Hygiene clauses were first adopted by the DHS in 2015 – but until now, the agency has relied on contractor self-assessment to enforce them.
Now the agency hopes to change that with a program modelled on the CMMC. It states: “our end goal is to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award.” Since then, the agency has been engaged in a pathfinder assessment to determine the best way forward.
The decision mirrors a similar move by the General Services Administration (GSA), which began reserving the right to survey awardees of the Streamlined Technology Application Resource for Services (STARS) III contract for “CMMC level and ISO certification” last October. But CMMC adoption is unlikely to end there.
CMMC: The Perfect Tool for Contractor Assessment
Government agencies are facing increased cybersecurity risk, especially from ransomware and supply chain attacks. This year alone, the SolarWinds and Colonial Pipeline incidents have drawn attention to the need for increased vigilance and higher accountability, culminating in an executive order that demands both.
In this context, it’s easy to understand why agencies are increasingly relying on the CMMC: they need a way to evaluate contractors for cybersecurity preparedness, and CMMC is already designed with this goal in mind. Among other key advantages, it is:
- Based on regulations from the National Institute for Standards and Technology (NIST), which are up-to-date, and designed to address emerging threats.
- Divided into five certification tiers, ranging from basic cyber hygiene to protection against advanced cyber actors
- Equipped with a ready-made enforcement mechanism through certified third-party assessment organizations (C3PAOs)
In order to cope with the federal government’s demand for increased cybersecurity, more agencies are likely to follow in the GSA and DHS’s footsteps, beginning with the largest. But how is this likely to impact contractors?
Impact on Contractors
Increased cybersecurity comes at a cost, and some businesses are concerned they won’t be able to fit the bill if civilian agencies decide to enforce the CMMC’s higher certification tiers. In June, small government contractors lobbied Congress for a more lenient certification process, asking the DoD to reserve Tier 1 certification standards for most companies in the defense industrial base (DIB).
With respect to financial impact, these concerns may be overblown: the DoD has long required compliance with NIST special publication (SP) 800-171 for all defense contractors. Under CMMC, most contractors will be required to meet Tier 3 certification or below, and Tier 3 is comparable to NIST 800-171 in cybersecurity level.
Outside the DIB, NIST 800-171 has also been adopted by the GSA, National Air and Space Administration (NASA) and other agencies on a contract-by-contract basis. For contractors of these organizations, CMMC-compliance will represent continuity with their existing cybersecurity burden.
Conclusion
Within the federal government’s service supply chain, even small businesses can represent a major cybersecurity risk: attackers can use them as an entry point for organizations further up the chain, and gain access to systems with classified information. As cyber actors become more sophisticated, a higher level of security becomes necessary across the board.
In the end, it makes a lot of sense for government agencies beyond the DoD to lean on CMMC standards. Civilian and non-DoD contractors should prepare by familiarizing themselves with the CMMC, conducting NIST 800-171 self-assessments, and partnering with experts who can help them to comply with the latest federal regulations.
Based on our years of experiencing conducting assessments for compliance with NIST regulations like SP 800-53 and SP 800-171 which form the basis of CMMC, Securicon can perform readiness assessments and mock audits to help your organization prepare for the real thing. With a DoD background, our world-class experts are ready to take stock of your IT assets and build a security response plan that is tailored to your organization’s needs. Contact us to learn more.