If you do anything with Department of Defense (DoD) contracts, you are probably already familiar with the new Cybersecurity Maturity Model Certification, or its abbreviation CMMC. The DoD is rolling out the program in phases over the next several years. For DoD Fiscal year 2021 (FY21) only about 1% of the contracts will require CMMC certification, but by FY26, it is expected that all new DoD contracts will require all primaries and subs to be certified.
CMMC is layered into 5 levels – from 1 (Basic Cyber Hygiene), to 5 (Advanced/Progressive Cyber Hygiene). However, a firm that reaches level 3 (Good Cyber Hygiene) will be able to qualify for about 98% of all DoD contracts.
The great thing about the CMMC model, is that it is largely based on a well-known and fairly straight forward security standard, the National Institute of Standards and Technology (NIST) standard 800-171. This standard relies on a self-assessment of 110 security controls that an organization should implement. Once a firm reviews how they measure up against the standard, they can then develop a System Security Plan (SSP) that documents their existing systems and processes, and details how they plan to correct those out-of-compliance findings.
The mere act of completing a self-assessment and writing the SSP will allow a contractor to work on most CMMC required contracts for 3 years. So doing the NIST 800-171 self-assessment and putting together the SSP, is almost always the first step in getting qualified to work on CMMC contacts.
By the end of the 3-year window, a firm is expected to have implemented its SSP and be compliant with its target CMMC level (again largely, but not entirely, based on NIST 800-171). At that point, an outside firm known as a CMMC Third Party Assessment Organization, or C3PAO, must certify the organization as compliant. This is mandatory for all CMMC certifications, but the DoD has cost allowances for the certification.
The step from NIST 800-171 to CMMC compliance should be a comparatively small one – the main hurdle will be the initial NIST 800-171 compliance. While assessing and developing an SSP may be somewhat straight-forward, straight-forward does not equate to easy. Documenting your systems and processes, comparing how well they hold up against the 110 security controls, and designing a plan to get compliant is a detailed and laborious process.
While large firms will likely already have a security plan and team in place that will be able to handle this as an incremental load on their duties, small firms may be challenged to find not only the resources to implement NIST 800-171, but also the capable staff to undertake this effort. Fulfilling that need will certainly see many new businesses sprouting up over the next few years to help with CMMC implementations.
From a future looking perspective, there are a couple interesting aspects to the NIST 800-171/CMMC requirement. First, NIST 800-171 is a general standard that can be applied to most small, medium and large businesses. This compares to a patchwork system of industry specific standards that are often confusing and ill defined, which, in turn, do not lend themselves to commonality. So NIST 800-171 may fit the need for a common standard. Second, this broad implementation of the NIST 800-171 by over 200,000 DoD contractors in the United States, could evolve into a standard for non-DoD businesses as well. It would not be surprising to see cyber insurance companies, lenders, or contracting businesses inquiring as to how compliant a firm is with NIST 800-171 (or its successor) before conducting business.
SpotLink, with over 20 years as a technology infrastructure and security expert, has executed many high-level security compliance implementations and supported even more outside audit verification processes. We stand ready to help our DoD contractor clients, and any other clients who want to implement a security program along these standards, get through this new requirement and rejuvenate them into a more mature and capable organization.
Robert Hood
CEO & Founder
SpotLink