Global cyber-attacks on the US Department of Defense (DoD) supply chain by foreign adversaries, industry competitors, and international criminals are at the forefront of US national security concerns. According to Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, countries such as China, Russia, and North Korea exfiltrate over $600 billion of value from the US (roughly 1% of global GDP). Even today, these bad actors are using the COVID-19 pandemic as cover for their activities while organizations are distracted extending their business operations from physical offices into individuals’ homes.
“The United States’ strategic competitors and adversaries are conducting cyber-enabled campaigns to erode U.S. military advantages, threaten our infrastructure, and reduce our economic prosperity. This constitutes one of our most critical national security concerns.”
Department of Defense
Small, medium, and even some large defense suppliers, universities, and research labs, which together make up most of the supply base, are among the nation’s most vulnerable organizations and face the highest risk of data exfiltration. Many have not made the required information-protection investments, lack the necessary cybersecurity skills or maturity, and do not perceive themselves as likely targets. Too often, senior leadership begins to make the necessary investments only after a data breach or public disclosure, and by then it is too late for many organizations and their leaders, small and large.
The DoD’s response, intended to reduce unauthorized exfiltration of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), is to increase cybersecurity requirements, penalties for non-compliance, and supply chain enforcement for defense contractors, including many in the aerospace industry. Chief legal officers, compliance officers, and senior leadership are responsible for understanding and enforcing these US laws, regulatory requirements, and compliance standards within their organizations, and for ensuring that these current and future business risks are mitigated.
Defense and commercial suppliers must already comply with US federal laws and regulations for securing data controlled under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), and with the contracting requirements of the Defense Federal Acquisition Regulation Supplement (DFARS). However, because the current self-attestation and trust approach continues to result in information loss, suppliers will be required to meet the new DoD Cybersecurity Maturity Model Certification (CMMC) requirements for DoD contracts starting in the second half of 2020.
CMMC is a critical element of the DoD’s overall strategy to improve information protection and cybersecurity. The DoD intends to drive an industry-wide cultural shift with significant and far-reaching impacts, not least of which are elevated penalties for non-compliance, including the loss of current and future DoD business, personal and corporate liability, and damage to the corporate brand.
This sweeping plan requires companies to demonstrate the practice and process effectiveness, governance, and cybersecurity maturity of their target CMMC level through independent audit and certification, as a “pre-qualification” requirement before contract award.
Kate Arrington, CISO, Office of the Under Secretary of Defense for Acquisition and Sustainment, put it this way: “Every DoD contract that goes out for proposal will have a CMMC pre-qualification requirement, and every vendor on that contract must have a CMMC certification!”
CMMC is already being included in other U.S. civilian federal contracts and will most likely become a new cybersecurity standard for future U.S. and international commercial and government business. A CMMC certification is planned to be valid for 3 years.
Key Steps for Getting Ready for a CMMC Audit
The CMMC certification process should be considered an ongoing journey, with multiple milestones along the way, to secure and protect the DoD’s and other customers’ information as well as your own intellectual property.
It begins with senior leadership recognizing that CMMC is designed as a catalyst for the defense supply chain to make fundamental changes to data governance and protection across the enterprise, in order to meet the higher level of physical and digital information protection defined in the CMMC model.
The journey may take an organization months or years to meet the requirements of its target CMMC level and achieve certification. The level of effort depends on several factors, including the desired CMMC level, the complexity of the current business and technical infrastructure and operations, and current physical and digital cybersecurity maturity.
A high-level CMMC Journey consists of:
- Preparation: Learn and understand the CMMC Model, applicable requirements, and impacts to your organization
- Identify and Assess Gaps: Identify and assess every process and internal system that “accesses, manages, collects, develops, receives, transmits, uses, or stores” regulated data (e.g. FCI and CUI), whether in the cloud, on-premises, or in a home office
- Remediate Gaps: Develop and implement a gap mitigation plan with compliant processes, solutions, and documentation
- Prepare for Audit: Prepare and package CMMC documentation, evidence, and artifacts before the audit by a CMMC Third Party Assessment Organization (C3PAO)
- Audit: Engage the C3PAO, support its review of the audit package and its on-site activities, and obtain certification
- Post Audit: Perform ongoing practice and process compliance and resilience activities
CMMC Certification Requires Immediate Action from Executive Leadership Teams
Executive leaders, in-house counsel, and compliance officers who do not embrace CMMC put their company at significant risk of losing DoD business. CMMC will be a critical challenge for most organizations and must be managed effectively to mitigate enterprise risk and control the cost of achieving certification.
Some of the most common challenges businesses face include:
- Leadership lacks alignment and understanding of non-compliance penalties
- They don’t have a compliance program in place
- They don’t understand the gaps in the compliance program
- They lack a security-centric architecture and compliance management tools
- They don’t have the skills and experiences in-house to develop a compliance program and implement solutions
To reduce the risk of failing a CMMC audit, an organization will need to invest in elevating its cybersecurity posture, including developing and implementing a robust compliance program. Hyperproof is designed to help organizations develop, manage, and achieve their regulatory compliance objectives, including CMMC certification and ongoing compliance resilience.
Tools for Managing the CMMC Certification Readiness Process
Hyperproof should be considered by all defense suppliers. It is a cloud-based tool that compliance officers can use to develop and manage their CMMC compliance program, as well as programs for other frameworks such as ISO and SOC 2. Hyperproof can reduce the time and complexity required to get audit-ready: it breaks the CMMC requirements down into smaller pieces, lets control stakeholders manage remediation items and evidence requests, and provides a CMMC program dashboard that makes it easy for compliance officers to gauge progress. For savvy organizations, a strong compliance program supported by Hyperproof will be a competitive advantage and will help win future commercial and government contract rebids and new business.
Live CMMC Webinar on 7/30/2020
Companies that contract with the DoD will start to see CMMC requirements in RFIs as early as fall 2020. Covered entities will need to pass a third-party assessment and receive certification before contract award. The webinar covers the impact of CMMC on your industry and organization, your internal cybersecurity processes, and your third-party due diligence processes, as well as practical considerations for getting ready for CMMC certification. Watch On Demand.
About the Author
Jerry Leishman is the Vice President of Regulatory Business Advisory for CORTAC Group. CORTAC Group helps the US Department of Defense supply chain and commercial contractors with end-to-end guidance and services to deliver risk-based and cost-optimized CMMC compliance solutions for small, medium, and large suppliers. CORTAC considers the people, process, and technology across the sales-to-shipping process to provide a complete solution, giving organizations a competitive business advantage while reducing the contracting risks of meeting ITAR, EAR, DFARS, CMMC, cybersecurity, and customer requirements and the associated incident-reporting regulatory requirements. CORTAC is there for the whole journey. Learn more about CORTAC Group at https://cortacgroup.com/services/security-and-compliance/ or contact Jerry at [email protected].