Why Government Suppliers Will Struggle to Meet CMMC Requirements 

The SolarWinds cyberattack was unprecedented in both scope and scale. The sophisticated breach saw hackers bake their exploit into a trusted software update pushed out to SolarWinds clients, including federal government agencies. This resulted in the exposure of sensitive data and highlighted how the U.S. government’s cybersecurity is only as strong as the posture of its contractors and suppliers.

Nefarious actors targeting the U.S. government’s supply chain are nothing new. Since 2017, the government has sought to limit damage from cyberattacks by requiring federal contractors who handle sensitive government data to comply with the National Institute of Standards and Technology's 800-171 guidance. But, following a series of high-profile breaches of defense contractors, the Defense Department recognized that this approach was insufficient.

Now, to stem the tide of data leakage due to poor cyber hygiene in the defense supply chain, if you want to do business with the DOD, you need to provide evidence of appropriate proactive cybersecurity. Sounds simple, right? It’s not. 

Enter the Cybersecurity Maturity Model Certification, or CMMC, the DOD’s mandate for contractors that handle sensitive information. CMMC applies to thousands of defense contractors, big and small. New rules recently established give companies that don’t touch unclassified data a pass and they can avoid a third-party audit of their compliance, but others won’t be so lucky and they’ll still face a long road to compliance. Failure to meet those standards can cost an organization their eligibility for DoD contracts, potentially putting many suppliers at risk.

And the reality is that many will struggle to comply on time, if at all. Why? Three main reasons: 

• A huge delta exists between where contractors think they are compliant and the reality of where they are. At the core of CMMC is NIST 800-171. Today, contractors’ understanding about how compliant they are to NIST requirements is wildly off the mark. As a result, they have significant work to do to prepare for CMMC. Possibly more than they realize. Moreover, NIST 800-171 compliance must now be submitted to the DOD, which means some companies are scrambling to review their legally mandated requirements. Most are getting a dose of reality when they realize the gap that exists between their actual versus expected compliance.
• Most companies are unsure what parts of their network are subject to CMMC. Network owners must map out exactly where sensitive government data is generated, processed and stored. This also means one part of a network could be subject to a different CMMC level from another. And if a business receives sensitive government information from a prime or subcontractor, any CMMC requirements follow the data accordingly. So, some companies could have parts of their network fall into scope for CMMC that they aren’t aware of.
• Most will struggle to provide appropriate and accurate evidence. 

If your network handles controlled unclassified data, CMMC assessors will be involved, and they’ll want to review evidence quickly and easily. So, it will be important to present assessor-ready data to demonstrate compliance. The challenge will be how can businesses do this when most don’t have the right tools to accurately provide the required information?

While CMMC’s intent is to protect suppliers and the DOD, it’s a headache that most aren’t prepared for today and are unlikely to be ready for soon. It’s wrought with complexity and confusion. Suppliers need an accurate picture of where they stand on compliance. They also need guidance on how to fill any compliance gaps and to be able to provide the evidence that meets the reporting requirements of assessors. The truth is that most are going to have a real shock when they realize the extent of what needs to be done. 

Matt Malarkey is vice president of Strategic Alliances at Titania.