The cybersecurity threat has never been higher, with headline-making attacks hitting government organizations and critical infrastructure operators such as Colonial Pipeline. With no indication that this risk will ease anytime soon, the U.S. Department of Defense (DoD) is rolling out the Cybersecurity Maturity Model Certification (CMMC) to standardize cybersecurity practices for defense contractors and other vendors working with the DoD.
The defense industrial base includes more than 300,000 companies in its supply chain. The CMMC, first introduced in early 2020, is an attempt to create a unified standard for protecting controlled unclassified information (CUI), that is, information the government creates or owns that is not classified but still requires safeguarding and dissemination controls, across the DoD supply chain. The SolarWinds breach is a prime example of why something like the CMMC is necessary, said Ryan Heidorn, co-founder and managing partner at Steel Root, a national leader in helping U.S. government and defense contractors meet cybersecurity and compliance requirements.
“The CMMC is really necessary because the United States and U.S. industry are losing intellectual property to adversaries and competitors at really an insane rate,” Heidorn said. “From the Department of Defense’s perspective, our adversaries — Russia, China, etc. — are literally walking out the door with billions of dollars in intellectual property (IP) and sensitive info.”
And sophisticated attackers aren’t just targeting the largest vendors, the Raytheons and Lockheed Martins of the world. They look for vulnerabilities wherever they can find them, and a small supplier with weak defenses is often the easiest way in.
“They’ve been able to go after these easy targets in the supply chain,” Heidorn said. “They’re going after small machine shops and parts suppliers. These are companies that, generally speaking, probably don’t have a really sophisticated cybersecurity practice. And yet if you’re doing work on a DoD contract, you could be handling really sensitive drawings or contract info or other sensitive info that maybe isn’t classified, but the government still needs to protect it.”
CMMC certification might seem like an onerous process for companies in the DoD supply chain, but most of these requirements have existed in DoD contracts for years to safeguard sensitive data (notably the NIST SP 800-171 controls required by DFARS clause 252.204-7012 for contractors handling CUI). Until now, compliance was largely self-attested. The CMMC acts as an enforcement mechanism for those existing standards by requiring independent assessment.
“Whereas in the past, you may have had these requirements and had a way to say, ‘Yeah, yeah, yeah, we’re compliant because we understand the requirements are there, and we’ve got a plan to do something about them,’” Heidorn said. “That worked in the past, but the problem was that people kept kicking the can down the road indefinitely and operating business as usual. CMMC is basically saying, ‘Nope, you need to implement all of these requirements, you’re going to get assessed and certified, and you’re going to have to be certified before you can be awarded a contract if you’re doing business with the DoD.’”
The CMMC model is arranged into five levels, ranging from basic cybersecurity hygiene up to the ability to defend against advanced persistent threats such as nation-state actors. According to Heidorn, the vast majority of companies in the DoD supply chain will need either Level 1 or Level 3 certification. Organizations that handle CUI will require Level 3, which comprises 130 security practices plus three process maturity requirements. Companies must not only implement these practices, they must also be able to demonstrate to an assessor that the practices are documented, resourced and managed consistently across the organization. Level 1, which covers basic safeguarding of federal contract information with a small set of fundamental practices, is a much lower bar that most vendors should be able to clear without much difficulty.
Heidorn said the DoD has authorized a CMMC accreditation body tasked with training and accrediting the third-party assessor organizations. These are the organizations that will perform the assessments on companies seeking certification.
While it is important for the defense industrial base to start planning toward CMMC certification, Heidorn was clear that no one is CMMC certified yet. The accreditation process still needs to be rolled out, and the third-party assessors in the private market still need to be trained and accredited themselves. This is a phased rollout, with the ultimate goal of having all DoD contracts include CMMC requirements by 2025.
“There are a handful of programs and contract vehicles this year that the DoD has signaled will include CMMC requirements, and they’re really viewing this first phase of the rollout as kind of a pathfinder phase,” Heidorn said. “From where I sit as a service provider, I really don’t see any of my clients getting assessed this year, 2021. Most are really planning toward an assessment next year or maybe even beyond that. But I will say a lot of them are seeing it as a competitive advantage. Especially in the short term, if you can get assessed before your competitors, that might be something that tips the scales for you as a company competitively.”
Though CMMC certification is not yet required on most contracts, defense contractors should not become complacent and assume they have years to address it. Closing the gap between self-attested and assessed compliance takes time, so now is the time to start making a plan and learning what is required to continue working with the DoD.
“For those organizations that maybe haven’t taken those requirements so seriously, or maybe just didn’t even realize they were in their contracts, they’ve got a relatively long road ahead of them to come into full compliance,” Heidorn said. “If you’re a small business, education is key. You need to understand what the requirements are. You really need to understand what is the sensitive data you might be interacting with today and start making a plan toward rolling out the security practices and capabilities.”
Keep an eye out for Part 2 of our interview with Ryan Heidorn, where he will offer some advice on how to begin implementing a CMMC certification plan. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.