How You Can Prepare for CMMC: Key Insights from Industry Leaders

If your business sells products or provides services to the Department of Defense (DoD), then you should know about the Cybersecurity Maturity Model Certification (CMMC) program. 

Designed to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB), the intent of the CMMC is to ensure that “appropriate levels of cybersecurity practice are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Departments’ industry partners’ networks.” This includes system integrators, solutions providers, and technology companies. 

CMMC will soon be part of Defense Federal Acquisition Regulation Supplement (DFARS) and will be a requirement for contract award for some contracts in December 2020. It is also likely to see broader adoption across the federal government and may apply to all federal contractors in the coming years.

But how will this new set of requirements affect the channel? Does CMMC certification represent a competitive edge? Does not having a certification introduce risk into your business? 

To answer these questions, and more, DLT convened a panel of experts for an online discussion to help our partners prepare for CMMC. 

CMMC is imperative, but it also brings concerns.

The benefits of the CMMC program are clear. Stacy Bostjanick, who serves as Director of CMMC Policy at the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD A&S), explained: “Everybody recognizes that this is something we need to do, it’s a national security issue. We need to protect ourselves, so we don’t find ourselves losing our military and economic status.”

Yet, despite this, many in the DIB are concerned about the time and financial strain inherent in CMMC certification. Don Maclean, DLT’s Chief Cyber Security Technologist, echoed this sentiment: “First, there’s the immediate cost of the assessment, but there are also hidden costs associated with remediation and addressing any issues that arise.”

Another concern is contractor and subcontractor relationships. “What if you bid with a partner who’s not certified or is certified at a different level?” said Maclean. “How do they adhere to the spirit of CMMC requirements? What if a partner is not protecting data in the same way as you – who is liable?”

Why some contractors are adopting a wait-and-see approach.

Considering these concerns, many contractors are taking a wait-and-see approach on the chance that a new White House administration might terminate the program.

Maclean advised against this position: “Although CMMC won’t be a requirement for all contracts until 2026, it will gather steam very quickly over the next five years. You don’t want to be in the position where you’re bidding on contracts and, because you’re not certified, aren’t awarded them. Taking a wait-and-see approach could cut you out of a lot of business.”

Panelist Bill Malone, President of Coalfire Federal – a leading FedRAMP Third Party Assessment Organization (3PAO) – reiterated the urgency of taking CMMC seriously. “Prepare early, understand it, and posture for it because CMMC is real and it’s going to be here.”

Many contractors are already on a path to CMMC.

The good news is that companies in the DIB are already on their way to meeting CMMC requirements. 

“Many contractors are already self-certified for NIST 800-171,” continued Maclean. “Although CMMC will require a higher level of reporting – these companies are almost at CMMC certification levels.”

The panel also challenged the perception that certification is costly. In fact, the cost of an assessment for a firm with a few hundred people can be as low as $3,000 and may be considered an allowable, reimbursable cost.

How to prepare for CMMC.

There are many resources available to help the channel prepare for CMMC.

“Don’t be afraid of CMMC,” said Bostjanick. “Our goal is to help contractors embrace the program. For example, smaller businesses can receive assistance from their Procurement Technical Assistance Centers (PTACs) to help them with their assessments.” 

Malone, whose company, Coalfire, offers both advisory and assessment expertise that helps organizations prepare for CMMC, stressed the following: “Understand the CMMC maturity level requirements based on where you’re going as a business. Think about what you need now versus where you want to be and choose a partner who can help get you through your assessment – the first time.”

Watch the discussion on-demand.

In this hour-long discussion, the panel also took questions from the audience and shared best practices on the things to consider when selecting an accredited CMMC Third-Party Assessment Organization (3PAO). They also touched on who is exempt from the program, and how the DIB can prepare for certification and the broader adoption of CMMC requirements across the federal government. 

For these and more insights from this dynamic panel, watch the discussion on-demand. Then learn more from DLT on how CMMC will affect your organization when doing business with the DoD.