The time for self-assessment is over. This time, the federal government wants to ensure that defense contractors can be trusted with the nation’s most sensitive data. Enter CMMC 2.0, a revised version of the defense contractor’s rigid cybersecurity guidelines.
It’s no secret that the onset of CMMC 2.0 has caused confusion and frustration within the Defense Industrial Base (DIB), owing to what some perceive as a lack of guidance and an unclear timeline.
That’s why we gathered a group of CMMC experts from all sides of the equation: advisors, consultants, and defense contractors. We wanted to hear directly from those on the front lines of CMMC, including the paths they have taken toward compliance and what other DIB businesses can do to ensure they're ready for CMMC 2.0.
David London, Managing Director, Chertoff Group
Stuart Itkin, VP CMMC & FedRAMP Assurance, Coalfire Federal
Patrick O’Brien, CIO, Summit Federal Services
Moderator: Matt Howard, CMO, Virtru
Cybersecurity Maturity Model Certification, or CMMC for short, is a rigorous certification model that enforces cybersecurity standards on contractors within the DIB. CMMC draws directly on NIST SP 800-171, an extensive set of cybersecurity practices published by the National Institute of Standards and Technology. In 2021, the U.S. federal government announced changes to the requirements outlined in CMMC, calling the new version CMMC 2.0.
All of that explained, why is enforcing data security through CMMC so important?
“Critical defense information is stolen every single year from members of the supply chain to the DoD, and it's not being stolen from Lockheed Martin or Northrop Grumman,” said Stuart Itkin of Coalfire Federal. “Their cyber maturity is exceptionally high. Their cyber defenses are exceptionally strong. It's those that are two, three, four tiers down within the supply chain that don't have the cyber maturity, who are more vulnerable and from whom this information is being stolen by the Chinese, by the Russians, by the Iranians and others. And, you know, what's the impact of this? Well, it really diminishes the technological advantage that the United States has enjoyed for quite some time.”
Before CMMC, NIST SP 800-171 was the standard for federal defense contractors' data security efforts, and compliance with it was primarily self-assessed. In practice, this resulted in many DIB organizations “grading their own homework,” according to Itkin, or setting Plans of Action & Milestones that were never followed through on.
Now as a result of the impending CMMC 2.0, “There'll be a third party that is going to come in and verify that every one of the 110 controls [and] 320 requirements under those 110 controls have all been satisfied. And ultimately what this does is creates a minimum threshold of cybersecurity that the DoD believes is required for any organization to be entrusted with sensitive defense information,” said Itkin.
As a DIB contractor, O’Brien acknowledged that, despite the ambiguity surrounding its implementation, CMMC 2.0 is not a fleeting regulatory possibility.
“We're on the receiving end of this—and we're availing ourselves of services like David and Stuart's organizations provide … We now believe that this is the real deal—it's not another fire drill,” said O’Brien. “Even if you're pessimistic about the outcome, it's a win-win. You're going to get your arms around 800-171, you're going to be in a good place with [Defense Federal Acquisition Regulation Supplement, or] DFARS. Your security posture is going to be better. You will be ready when CMMC does come of age and everybody's on the hook for it.”
Howard asked the panel about what small businesses should do today to get ready for CMMC 2.0 compliance. O’Brien’s experience in the federal government and the big business DIB realm led him to Summit Federal Services, where he offers three-part advice for getting started with CMMC.
Summit Federal Services is a small business in the DIB that relies on cloud-based Google Workspace as it works through its CMMC journey. Part of that journey included completely rethinking its cloud provider, and it ultimately chose Google Workspace, an outlier in the DIB realm.
“We believed Google would catch up,” said O’Brien. “Google occasionally arrives late to a party, but when they arrive, they usually bring the keg. And in this case, they are proving that that's the case. So they did arrive a little late, but we found that they installed their head of global compliance, who was the former assistant secretary for cybersecurity and communications at [the Department of Homeland Security,] DHS. And she was also the director for critical infrastructure cybersecurity on the National Security staff at the White House. So they're obviously investing in this, and they've come a long way since we were in the middle of CMMC 1.0. So they are here at the party and, like I said, we found that Microsoft was not as turnkey as folks had thought.”
From London’s perspective at a federal consulting firm, Summit’s cloud experience rings true for many of the businesses that Chertoff Group advises. He urges other small businesses to pay careful attention to the software they build and consume, since either can open a gap in security.
“Organizations need to not only build a level of security around both their own custom code, as well as the open-source code that they're incorporating into their software products as builders of software,” said London. “But 800-171 also focuses on, as consumers of that software achieving a level of software visibility, what are you using in your environment? How frequently are you maintaining that in your environment? How are you ensuring that updates have a level of visibility and integrity before you bring them in? Because adversaries are now exploiting those gaps and seams within the supply chain to address them to achieve a level of initial access and then onward persistence within their environments.”
Only organizations that plan ahead will be in the clear for CMMC certification by next year. Panelists O’Brien, Itkin, and London offered valuable dates and resources for the small defense business to reference when charting their path forward.
“If anybody takes away anything from this particular session and thinking about CMMC, don't think about compliance,” emphasized Itkin. “It's not about how we check this box. Think about how it is that I secure the information that I'm entrusted with and how do I secure the information that I've actually paid to develop as an organization and that I'm looking to get a return from.”