A Practical Guide to Next Steps of the Pentagon’s Vendor Cyber Certification Program

With the release of the Defense Department’s Cybersecurity Maturity Model Certification 0.6, there are new guidelines that will require defense contractors to act now to prepare. Instead of a technical summary of the 90-page guidance, here are the steps businesses can take today, to be ready for January 2020.

First, Time is of the Essence

The department identified cybersecurity weaknesses in the supply chain is a threat to the economy and national intelligence. In response, the department is implementing a process whereby all 300,000-plus defense contractors—large and small, primes and subs—are required to be CMMC certified in order to bid on new contracts. The Pentagon has confirmed that cybersecurity is the fourth evaluation criteria for all new contracts.

The CMMC model has five defined levels of cybersecurity preparedness ranging from basic cybersecurity hygiene to proactive and advanced levels. The certification must be performed by a third party and it is partially reimbursable. Contractors will no longer be able to self-certify.

Time is of the essence, as the final rule is anticipated in January 2020 with a June 2020 effective date. However, since CMMC requires both technical practices and process maturity, the sooner contractors improve their cybersecurity preparedness the better.

Process Maturity is the Greatest Hurdle

Defense’s sixth version of its CMMC guidance was released Nov. 8 and clearly defined the steps contractors need to take for Levels 1-3 (guidance for Levels 4 and 5 will be released later). All organizations must meet technical practices and process maturity across 17 cybersecurity domains: access control, assess management, audit and accountability, awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, recovery, risk management, security assessment, situational awareness, system and communications protections, and system and information integrity.

The technical practices are clearly articulated in the guidance across the 17 domains. Depending on the level of the organization, practices include implementing numerous standards under 48 CFR 52.204-21 and NIST SP 800-171.

The process maturity is “the extent of institutionalization of practices at an organization.” Depending on the level of the organization, cybersecurity processes must be established, documented, implemented, reviewed, planned and “adequately resourced.” Each of the 17 domains will require meeting the process maturity standards.  

Practical Steps to Prepare for CMMC and Beyond 

Now that the CMMC guidance is out all defense contractors should be taking the following steps to prepare: 

• Assessment of Current Cybersecurity: Every organization should assess if it is currently meeting the technical and process maturity standards in CMMC. Furthermore, defense contractors are often subject to additional contractual obligations and regulatory standards related to cybersecurity and data protection/privacy. Knowing your organization’s current preparedness is good business and essential risk management.
• Vulnerability Remediation: As part of your cybersecurity assessment, businesses should identify vulnerabilities and compliance gaps in CMMC and broader areas. A plan to remediate the gaps should be created and implemented. 
• Process Maturity: Creating, documenting, implementing, training and confirming cybersecurity processes take time. The sooner organizations set up a system to create a history of process maturity, the better prepared they will be to not only satisfy CMMC but also be more prepared for a cyber event.
• Plan for Adequate Resources: CMMC process maturity for Levels 3 and above requires the provision of “adequate resources” for the controls in the 17 domains. Organizations should evaluate their existing resources and consider if additional resources are warranted. The department has made this requirement purposefully vague, so expertise with its cybersecurity expectations is essential for preparing.
• Culture of Cybersecurity:  The Pentagon has expressly stated that CMMC will evolve over time and is only the first line of defense for contractors’ overall cybersecurity program. Integrating a culture of cybersecurity throughout all aspects of the business is essential to mitigate risks and minimize impacts if a cyber breach occurs. Recall the startling statistic from IBM, that 29.2% of all businesses should anticipate a cyber event within the next two years.

Don’t Wait – Act Now 

Kicking your cybersecurity can down the road is no longer an option. Internal resources are not your best option since they are inefficient and often lack the interdisciplinary expertise to adequately address your cybersecurity. To be best prepared for these businesses changing regulations, experts need to be brought into the fold as soon as possible, and prepare your company for what lays ahead in the new year.

Bret C. Cohen is the chief executive officer of Tier 1 Cyber.