Southwest Manufacturing News - April 21

Achieving Cybersecurity Standardization for New DoD Contracts

2021-03-19 02:04:36

Starting now, several new Department of Defense (DoD) contracts will be released with an updated contractor compliance criterion: the Cybersecurity Maturity Model Certification (CMMC). This go/no-go contract award requirement will be expanded each year, until late 2025, when every new DoD contract will demand that prime and subcontractors be certified as having at least a basic level of cybersecurity rigor in their organizations.

Alec Hall, Vice President for Cybersecurity at Alluvionic, recently noted: “The Pentagon is right to be concerned when it comes to the cybersecurity of the businesses it relies on.” Roughly 70% of DoD data resides on the networks of contractors, while at the same time adversary activities in cyberspace cost the U.S. an estimated $600 billion annually. With several recent high-profile losses of defense data, the department is convinced that now is the time to implement CMMC. They recognize that the dangers in cyberspace are substantial, intolerable and growing. Additionally, the Defense Industrial Base shares an unhealthy cyber ecosystem overall since a vulnerability to one company is potentially a risk to all companies. By reshaping the defense industrial cybersecurity ecosystem, the Pentagon hopes to drive down cyber vulnerability at a national scale, thereby lowering the likelihood of successful attacks.

Mark Boothe, Owner of TeamLogic IT, Dallas, TX, said: “This new policy shift should not come as a surprise. Cybersecurity requirements are nothing new for defense contractors.” Since 2017 the DoD has leveraged its buying power through Defense Federal Acquisition Regulations to compel companies to self-attest to their compliance with cybersecurity standards such as NIST SP 800-171. By adding CMMC to existing procurement language, the federal government has made it clear: cybersecurity will be treated as foundational to acquisition, and it will not be traded in favor of cost, schedule or performance when making contract award decisions.

Achieving cybersecurity standardization everywhere on such an aggressive timeline is going to take a concerted effort, for every contract and from every contractor.

Scott Wiles, Owner of TeamLogic IT, Melbourne, FL, described the challenge this way: “CMMC will impact more than 300,000 companies, all who want to remain competitive for a part of the $381 billion prize spent by the DoD just last year. And companies must have their certification in hand at the time of contract award or risk not winning the bid.”

Key to meeting the government’s challenge is to start with an understanding of what the CMMC framework is all about. The objective of CMMC is to evaluate the handling of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) while it is in the possession of, created by or entrusted to defense contractors. Government agencies define CUI as government-created or government-owned information that requires safeguarding consistent with laws and regulations. Wiles explained: “CUI is not classified information. And it is not corporate intellectual property unless that IP has been created for requirements related to a government contract.” Since there are fewer controls over CUI than over classified information, CUI is considered the path of least resistance for adversaries, and the DoD has identified the loss of aggregated CUI as one of the most significant active risks to national security.

Drilling down to the details, you will find that the full CMMC framework is a compilation of 17 capability domains, five process levels, 43 capabilities and 171 practices distributed across five distinct maturity levels. It brings together several previously discrete national and international cybersecurity standards into one unified structure and has adopted best practices from numerous other compliance guidelines.

Knowing that not all businesses are the same when it comes to the volume of FCI or CUI in their care, the DoD has opted to deliberately prescribe the maturity level required to perform certain work. The five levels of CMMC certification range from Level 1, representing a “basic” level of cybersecurity hygiene, all the way up to Level 5, which is reserved for exquisite capabilities involving advanced or progressive cybersecurity maneuvers. Maturity Level 1 is projected to apply to 60% of the 300,000 defense industry companies, and requires that companies be assessed against only 17 of the 171 CMMC practices. Alternatively, Level 3, representing “good” cybersecurity hygiene, entails compliance with 130 unique security practices and will be prescribed to roughly 30% of defense contract bidders. As more advanced capabilities are added with each progressive step, it is clear that Levels 4 and 5 are expensive to implement and maintain. The Pentagon will be reserved in applying the top two levels, and only a very small percentage of the contracting base will need to meet these requirements.

From the contractor’s perspective, the journey toward earning CMMC certification starts with knowing the appropriate maturity level to target. In some cases, the target maturity level will be clear based on the current contract portfolio. Many times, though, this determination becomes a “best guess” with consideration given to the scope of current work, projected contracting efforts, and affordability. Earning a CMMC certification also means being assessed by a Certified Third-Party Assessment Organization. These licensed third-party assessors, or C3PAOs as they are called, will in turn inspect all the areas of your computing environment where FCI or CUI is generated, processed or stored. Once a C3PAO has determined that you are fully compliant with all the practices at your target level, they will recommend you for a certification that will need to be renewed every three years. It is easy to imagine how the pressures of identifying your FCI/CUI environment, preparing for a “perfect” assessment score and finding the right C3PAO can quickly overwhelm everything else your business hopes to achieve.

Establishing and maintaining a robust cybersecurity program requires time, resources and active governance, all things of which there is never enough.

Boothe sees it this way: “Not all manufacturers have IT staff that can check the boxes needed to meet CMMC requirements. Picking the right IT partner is critical to remain eligible to win DoD contracts.” Wiles agrees: “Cybersecurity consulting partners like Alluvionic and TeamLogic IT can help you stay competitive.” Hall noted: “Alluvionic is a CMMC Accreditation Body Registered Provider Organization that can help companies understand the CMMC requirements, identify target maturity levels, conduct a pre-assessment and develop a roadmap to success to generate a mature cybersecurity program that gets and stays certified.” Hall concluded by saying: “Your work as a defense contractor helps secure this nation. Alluvionic and TeamLogic IT can help contractors secure future DoD contracts.”

For more information contact: Mark Boothe, Owner TeamLogic IT Dallas, TX 972-791-8078 mboothe@teamlogicit.com www.teamlogicit.com

Scott Wiles, Owner TeamLogic IT Melbourne, FL 321-608-0481 swiles@teamlogicit.com

Alec Hall Alluvionic 321-241-4510 info@alluvionic.com www.alluvionic.com

©Gross Publications.

https://mfgnewsdigital.mydigitalpublication.com/article/Achieving+Cybersecurity+Standardization+for+New+DoD+Contracts/3980846/700350/article.html
