<img src="https://ad.doubleclick.net/ddm/activity/src=11631230;type=pagevw0;cat=pw_allpg;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;gdpr=${GDPR};gdpr_consent=${GDPR_CONSENT_755};ord=1;num=1?" width="1" height="1" alt=""> Webinar Recap: Experts Help Chart Path for CMMC 2.0

Webinar Recap: Experts Help Chart Path for CMMC 2.0


    See Virtru In Action

    { content.featured_image.alt }}

    The time for self-assessment is over. This time, the federal government wants to ensure that defense contractors can be trusted with the nation’s most sensitive data. Enter CMMC 2.0, a revised version of the defense contractor’s rigid cybersecurity guidelines. 

    It’s no secret that the onset of CMMC 2.0 has been cause for confusion and frustration within the Defense Industrial Base (DIB), for what some perceive as a lack of guidance and unclear timeline. 

    That’s why we gathered a group of CMMC experts from all sides of the equation: Advisors, consultants, and defense contractors. We wanted to hear directly from those on the front lines of CMMC, including the paths they have taken toward compliance, and what other DIB businesses can do to ensure they're ready for CMMC 2.0. 

    CMMC Panelists:

    David London, Managing Director, Chertoff Group

    Stuart Itkin, VP CMMC & FedRamp Assurance, Coalfire Federal

    Patrick O’Brien, CIO, Summit Federal Services

    Moderator: Matt Howard, CMO, Virtru

    Watch the Webinar


    CMMC: Why It’s Important and What It’s Protecting

    Cybersecurity Maturity Model Certification, or CMMC for short, is a rigorous certification model that enforces cybersecurity standards on contractors within the DIB. CMMC takes direct influence from NIST 800-171, an extensive list of cybersecurity practices published by the National Institute of Standards and Technology. In 2021, the U.S. federal government announced their changes to the requirements outlined in CMMC, calling the new version CMMC 2.0. 

    All of that explained, why is enforcing data security through CMMC so important? 

    “Critical defense information is stolen every single year from members of the supply chain to the DoD, and it's not being stolen from Lockheed Martin or Northrop Grumman,” said Stuart Itkin of Coalfire Federal. “Their cyber maturity is exceptionally high. Their cyber defenses are exceptionally strong. It's those that are two, three, four tiers down within the supply chain that don't have the cyber maturity, who are more vulnerable and from whom this information is being stolen by the Chinese, by the Russians, by the Iranians and others. And, you know, what's the impact of this? Well, it really diminishes the technological advantage that the United States has enjoyed for quite some time.”

    CMMC 2.0: It’s Time to Put Up

    Before CMMC, NIST was the standard for federal defense contractors' data security efforts, and would primarily be self-assessed. In reality, this resulted in many DIB organizations “grading their own homework” according to Itkin, or setting Plans of Actions & Milestones that were never followed through on. 

    Now as a result of the impending CMMC 2.0, “There'll be a third party that is going to come in and verify that every one of the 110 controls [and] 320 requirements under those 110 controls have all been satisfied. And ultimately what this does is creates a minimum threshold of cybersecurity that the DoD believes is required for any organization to be entrusted with sensitive defense information,” said Itkin. 

    As a DIB contractor, O’Brien acknowledged that, despite the ambiguity surrounding its implementation, CMMC 2.0 isn’t simply a fleeting regulation possibility. 

    “We're on the receiving end of this—and we're availing ourselves of services like David and Stuart's organizations provide … We now believe that this is the real deal—it's not another fire drill,” said O’Brien. “Even if you're pessimistic about the outcome, it's a win-win. You're going to get your arms around 800-171, you're going to be in a good place with [Defense Federal Acquisition Regulation Supplement, or] DFARS. Your security posture is going to be better. You will be ready when CMMC does come of age and everybody's on the hook for it.”

    Getting Started on CMMC 2.0: A Small Business Perspective

    Howard asked the panel about what small businesses should do today to get ready for CMMC 2.0 compliance. O’Brien’s experience in the federal government and the big business DIB realm led him to Summit Federal Services, where he offers three-part advice for getting started with CMMC.

    1. Make sure you’re on top of all 110 controls mentioned within NIST 800-171.
    2. Completely knock out your Plans-of-Action and Milestones (POA&Ms).
    3. Cozy up to a great CMMC consultant (two of which are included in the webinar). 

    Summit Federal Services is a small business in the DIB, using cloud-based Google Workspace to maneuver in its CMMC journey. Part of their CMMC journey included completely rethinking their cloud provider, and they ultimately Google Workspace, an outlier in the DIB realm. 

    “We believed Google would catch up,” said O’Brien. “Google occasionally arrives late to a party, but when they arrive, they usually bring the keg. And in this case, they are proving that that's the case. So they did arrive a little late, but we found that they installed their head of global compliance, who was the former assistant secretary for cybersecurity and communications at [the Department of Homeland Security,] DHS. And she was also the director for critical infrastructure cybersecurity on the National Security staff at the White House. So they're obviously investing in this, and they've come a long way since we were in the middle of CMMC 1.0. So they are here at the party and, like I said, we found that Microsoft was not as turnkey as folks had thought.”

    From London’s perspective at a federal consulting agency, Summit’s cloud experience rings true for many businesses that Chertoff Group advises. He advises other small businesses to pay careful attention to software that could create a gap in security. 

    “Organizations need to not only build a level of security around both their own custom code, as well as the open-source code that they're incorporating into their software products as builders of software,” said London. “But 800-171 also focuses on, as consumers of that software achieving a level of software visibility, what are you using in your environment? How frequently are you maintaining that in your environment? How are you ensuring that updates have a level of visibility and integrity before you bring them in? Because adversaries are now exploiting those gaps and seams within the supply chain to address them to achieve a level of initial access and then onward persistence within their environments.”

    Important CMMC 2.0 Dates and Resources

    Only organizations that plan ahead will be in the clear for CMMC certification by next year. Panelists O’Brien, Itkin, and London offered valuable dates and resources for the small defense business to reference when charting their path forward. 

      • March 2023: Itkin says the rule is slated to be published in the interim in March of 2023, followed by a 60-day review period. 
      • May 2023: After the 60-day review period is up, it’s estimated that the federal government will make CMMC 2.0 a requirement for contractors by May 2023, according to Itkin. 
      • Joint Surveillance Assessments: Itkin mentions an early-adopter CMMC assessment that defense contractors can participate in as a ramp-up to CMMC 2.0 compliance.
        “It's a means for them to be able to go through, complete the assessment process, and then once that DFARS rule will becomes effective, this interim assessment will become automatically a CMMC certification that will be good for a period of three years.”
      • CMMC Assessment Process Document: In July, the Cybersecurity Maturity Model Certification Accreditation Body released a document designed to help defense contractors plan and prepare. London explains that it’s “a document for 3PAOs, registered providers to help kind of build a level of scale, but also formalizing the assessment process. That's obviously particularly instructive as well for the DIB and other organizations on how, what, what the measuring stick looks like and how organizations will be assessed.”
      • MITRE ATT&CK Database: London describes the MITRE ATT&CK database as “the most exhaustive sort of encyclopedia and periodic table and inventory of not only threat actors, but threat behaviors. Organizations can achieve both a level of visibility into the threat actors that don't target everybody, but target the DIB, for example, and overlay that and express that through Mitre ATT&CK. Then, overlay their own kind of security controls and capabilities to understand where their gaps are.” 
      • A Potential Version 3 of NIST 800-171: London briefly references a potential amendment to the foundational NIST 800-171, which could have implications on CMMC in the future. As for right now, the changes have not been released or confirmed, however, it’s vital for DIB contractors to keep their fingers on the pulse. O’Brien added a prediction that Version 3 of 800-171 could eliminate the use of POA&Ms–meaning defense contractors need to have their ducks in a row before it’s too late.

    It’s About the Data, Not Just Compliance

    “If anybody takes away anything from this particular session and thinking about CMMC, don't think about compliance,” emphasized Itkin. “It's not about how we check this box. Think about how it is that I secure the information that I'm entrusted with and how do I secure the information that I've actually paid to develop is an organization and that I'm looking to get a return from.”

    Watch the full webinar on-demand here, and to learn more about Virtru’s data protection solutions for CMMC 2.0, read our whitepaper or schedule time with our team today.

    Shelby Imes

    Shelby Imes

    Shelby is the Manager of Content Strategy at Virtru with a specialty in SEO, social media, and digital campaigns. She has produced content for major players in healthcare, home services, broadcast media, and now data security.

    View more posts by Shelby Imes

    See Virtru In Action