CMMC V1.02 – what is it and will it work?

March 20, 2020

Last week, my associate, Shane Rogers, shared an article on GovCybersecurityHub discussing the Cybersecurity Maturity Model Certification (CMMC) and its potential impact on small- and medium-sized government contractors. Shane concluded that the Department of Defense (DoD) is taking incredible steps to ensure that the CMMC doesn’t keep small companies from working with and selling to the government.

This is good, since smaller, entrepreneurial companies often pioneer innovative technologies and exciting new solutions to cybersecurity challenges.  Shane is right:  the DoD has taken some important steps to ensure that this innovation isn’t lost.

However, I continue to hear questions about why the DoD is rolling out CMMC and what they DoD seek to accomplish. Let’s take a closer look at why CMMC is necessary today.

What is the CMMC and why do we need it?

The Defense Industrial Base (DIB) – the collection of private companies of all sizes across multiple industries that sell products and services to the DoD – is an ecosystem of approximately 300,000 companies. To put that in perspective, there are more companies in the DoD supply chain than there are people currently living in Cincinnati, OH.  The sheer size of the DIB makes it an attractive target to our adversaries – it is an enormous attack surface.

The DIB is an ecosystem of approximately 300,000 companies. This makes it an attractive target to our adversaries – it is an enormous attack surface.

Even a small DoD contractor is a target. There is always something an adversary can learn from the information on that company’s networks.  Simple information, such as purchase and acquisition information, can teach an adversary important things about the DoD and give them insights into their cybersecurity strategy and the solutions.

Moreover, it’s unlikely that 300,000 companies adhere to cybersecurity best practices or have implemented strong technical measures for security.

DoD is implementing CMMC is one solution to address this problem.  CMMC is a certification process that will measure the cybersecurity maturity of government contractors. There are five levels of certification based on the types and sensitivities of the data and information that the contractor needs to access, store and protect.

CMMC organizes business processes, practices and capabilities into 18 domains, which in turn contain numerous specific security requirements.  Third-party organizations (C3PAOs, or “CMMC Third-party Assessment Organizations") will measure a company’s security posture against these domains and provide a certification at one of five levels. 

The Cybersecurity Maturity Model Certification (CMMC) Version 1.02 document developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment and released on January 30, 2020 details all of the requirements, domains, and levels. And now that it’s released, contractors must obtain certification.  But will the certification really help?

Will the CMMC work the way it’s intended?

It is possible to see CMMC as a barrier that makes it harder for small defense contractors compete, stifling innovation in DoD. However, as Shane explained, processes and tools are in place to help small- and medium-sized businesses (SMBs) navigate CMMC at a reasonable cost.

Consequently, CMMC’s impact will likely be positive.  Although certifying all 300,000 DIB companies is a massive challenge, the effort will be worthwhile.  CMMC will not make security perfect, but it will make a significant improvement in the overall security posture of the DIB.

Still, companies needing CMMC certification will have to plan for expenses: assessment costs, remediation costs and changes to business processes.

How much will certification cost?  Any specific number would be misleading, but it is possible to identify key factors influencing the cost.  The requisite certification level is the first factor.  The higher the level, the higher the cost.

Remediation costs will depend on the current strength of a company’s security posture.  Companies with strong security will have fewer issues to mitigate, and lower mitigation costs.  The size and complexity of the company is also a factor.  A company of 300 people faces a less expensive task than a company of 15,000.  The sensitivity of the data under the company’s control is another key determinant:  if a company handles Top Secret data, they can expect to spend more than a company processing information at a low sensitivity level.

From a national security standpoint, CMMC is a big step in the right direction:  holding private industry accountable for the data they store, process, and transmit.  CMMC will not solve all of the DoD’s cybersecurity problems in the DIB, but it will improve matters.  If the effort succeeds, civilian agencies, intelligence agencies, and state governments might even follow suit.


This blog was originally posted on GovCybersecurityHub here.