How Important is CMMC to my Business?

Is CMMC something my company needs?

On December 26, 2023, the Department of Defense (DoD) published the proposed CMMC Program Rule in the Federal Register for public comment. This is the next step in formalizing the CMMC process and shows the DoD’s continued determination to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

As important as that step is, it does not change the DoD’s existing mandate that manufacturers and service providers in its supply chain meet the NIST SP 800-171r2 cybersecurity requirements. That mandate has been in force under DFARS 252.204-7012 since December 31, 2017.

Still, the momentum CMMC is gaining leads many to ask what role CMMC (Cybersecurity Maturity Model Certification) will play in their business once it becomes a contract requirement.

In its current form, CMMC 2.0 (referred to simply as CMMC from here on) is a DoD initiative to objectively gauge the robustness of a contractor’s cybersecurity practices and to match that level of protection to the sensitivity of the DoD information the contractor handles. It is built on the NIST SP 800-171 requirements and defines a unified assessment process, conducted under a specific set of guidelines, that results in a DIB company achieving a CMMC certification and thereby qualifying for future DoD contracts. Under CMMC 2.0 there are three levels: Level 1 (FCI) is an annual self-assessment; Level 2 (CUI) is assessed by a CMMC Third-Party Assessment Organization (C3PAO) for most contracts, with a self-assessment option for a limited subset; and Level 3 is assessed by the government.

Put simply, NIST SP 800-171r2 is the set of controls that CMMC assesses against for the protection of CUI (Level 2). For FCI alone (Level 1), the baseline is the 15 basic safeguarding requirements of FAR 52.204-21.

Meeting these requirements naturally increases the cost and knowledge burden on DIB manufacturers and suppliers, many of which already suffer from regulation fatigue, relative to their non-DIB competitors.

So the question remains, and it is one that existing and potential clients often ask us: “Is CMMC truly something my company needs to be prepared for?”

Our many conversations with business owners, and our own experience, have led to the following realizations:

Is My Company Committed to DoD Business?

First, choosing to do business within the Defense Industrial Base (DIB) is ultimately a business decision.

The question must be asked whether the company is generating (or will generate) enough revenue to justify the costs of producing products or services for the DoD. Or, more philosophically, whether the company wants (for whatever reason) to provide products for national defense at all. The metrics are internal and unique to each company, but at some point a decision must be made to be part of the DIB, or not. It is a binary decision. Choosing to be part of the DIB takes focus and funds. Choosing not to be part of the DIB may be a prudent (perhaps the best) decision for your company. Only leadership can determine its motives and which path to take.

FNI’s experience in the marketplace has shown three general ways companies respond when facing the CMMC question. We call these companies Staying Commercial, Wanting to Sell, and Fully Committed:

  1. Staying Commercial: Companies that have done some DoD work but have decided not to pursue further DoD work and are therefore focusing only on the commercial sector.
  2. Wanting to Sell: Companies that are doing significant DoD work but are unwilling or unable to fully meet the compliance requirements, and are therefore preparing the organization to be sold.
  3. Fully Committed: Companies that are heavily invested in DoD work, or that for other reasons have decided to commit to meeting the cybersecurity (and other) requirements because they see a growth opportunity. Many of these are looking to acquire suppliers or competitors that have decided to sell in this environment.

Of course, the real spectrum is far broader than these three simplified company types, but we have consulted firsthand with numerous companies matching each of them.

Does your organization fall into one of these categories? If you are a Staying Commercial or Wanting to Sell company, CMMC compliance is not a priority and should not be a focus (though we always recommend good cyber hygiene). Companies that approach CMMC without full commitment tend to spend time, energy and money without ever reaching the compliance goal, so that investment is wasted and would be better spent elsewhere. The most difficult position is the Wanting to Sell company that believes getting closer to compliance will raise its valuation. It may or may not. Becoming fully compliant certainly will, provided the company also has the capability to perform on DIB contracts.

Full Commitment

Second, if the answer is “yes” to type 3 above and the company is Fully Committed, rest assured that cybersecurity compliance is a requirement that will not go away.

The reason is that highly sensitive defense information has been leaked and stolen over the years, eroding our combat advantage. The main threat is China, whose R&D strategy leans heavily on stealing others’ intellectual property and building on it. Its 5th generation fighter aircraft, its Arleigh Burke-class destroyer look-alikes, its Black Hawk knockoff helicopters, its new heavily armored tanks, its Humvee knockoffs and so on are obvious examples of copied US equipment. Worse, China is learning how to counter our advanced weapons systems by stealing our submarine sonar signatures, anti-ship missile plans and the like, ultimately putting our warfighters at increased risk. The DoD’s goal is to slow down and stop this information theft.

Third, cybersecurity compliance is fully required today for companies that are part of the DIB. It is written into the defense acquisition regulation, DFARS 252.204-7012. Additionally, DFARS Case 2019-D041, known as the DFARS Interim Rule (effective November 30, 2020), added clauses 252.204-7019 and 252.204-7020, which require suppliers to have a current, accurate NIST SP 800-171 DoD Assessment score posted in the Supplier Performance Risk System (SPRS) through the Procurement Integrated Enterprise Environment (PIEE), and clause 252.204-7021, which lays the groundwork for CMMC, to be officially required at a future date. The score starts at 110, one point per requirement, and the DoD Assessment Methodology subtracts a weighted 5, 3 or 1 point for each requirement that is not yet implemented, so the result can range from 110 down to -203. A score of 110 means every requirement is fully implemented, and the DoD gauges the cybersecurity risk of its suppliers based on this score.

In line with the DFARS Interim Rule, CMMC will be in force once the DoD’s rulemaking process concludes. The proposed rule was issued in December 2023, and the final rule is expected to take effect in late 2024 or early 2025. Once in force, passing a CMMC Level 2 certification assessment will likely be necessary for suppliers on DoD contracts that involve Controlled Unclassified Information (CUI).

There will probably be a roll-out period for contracts requiring CMMC assessments, so only a limited number of contracts in the first year after the rule takes effect will require a CMMC certification assessment. Even so, contracts will be won or lost based on a company’s SPRS score or CMMC assessment status. The DoD is very serious about this.

Flow-Down, Target

Fourth, cybersecurity compliance is a flow-down requirement: a prime contractor must flow DFARS 252.204-7012 down to every subcontractor whose work involves covered defense information, and the company issuing the subcontract is responsible for its subcontractors’ compliance. That means, technically, that today every DoD contractor and subcontractor handling such information must already meet the requirements that CMMC will assess.

Fifth, and perhaps most importantly, if the company works with CUI it is a nation-state target: China, Russia, Iran, North Korea and others are very interested in the weakest link in the chain that leads to defense information. It behooves companies to protect themselves accordingly.

What is the Takeaway?

First, a company must ask the hard question, “are we committed to providing products or services to national defense?”

If your answer is yes, then under DFARS 252.204-7012 it has been mandatory to meet the NIST SP 800-171 requirements since December 31, 2017.

CMMC is, at its core, a formal assessment (third-party for most CUI contracts) of requirements that should already be met.

And last, even if your organization does not want to be part of the DIB, it should at the very least follow good cyber hygiene practices to reduce the chance of a data breach.
