When it comes to navigating the new Cybersecurity Maturity Model Certification (CMMC) 2.0, the IT leader at the nation’s purported first defense supplier to earn the new certification offered a tip for other contractors who need the credential.
“Start early, don’t wait,” asserted Zbigniew Kaniewski, vice president for information technology and continuous improvement at Fort Worth, Texas-based Aero-Glen International LLC, of the CMMC 2.0. “Don’t wait for it to become law and then respond to it because it will take you time to implement and you’ll end up falling behind.”
The Department of Defense (DoD) is expected to issue a rule on CMMC 2.0 in March, and requirements are supposed to be in effect by summer, according to sources. Each contract will specify which of three CMMC 2.0 levels is required.
CMMC 2.0 replaces CMMC 1.0, a more complex version, and will become part of the DFARS, the Defense Federal Acquisition Regulation Supplement, explained attorney Townsend L. Bourne, leader of cybersecurity and data protection in the governmental practice and government business group, which she also leads, of the Los Angeles, Calif.-based Sheppard Mullin Richter & Hampton (SMR&H) law firm. The DFARS includes several cybersecurity-related provisions, including requirements for safeguards related to sensitive information and incident reporting.
CMMC 2.0 compliance is necessary for defense contractors—known as “primes”—and their subcontractors to continue working under DoD contracts and to qualify for new contracted work. It’s designed to protect federal contract information and controlled unclassified information that primes and subsuppliers have access to through federal acquisition programs.
If the federal government is like a pit bull for cybersecurity under DFARS, then CMMC 2.0 lets Washington watchdogs off the leash.
“The days of partial compliance are over,” said Padraic O’Reilly, co-founder and chief product officer at CyberSaint, a cyber-risk-management company based in Boston. “If OMB (Office of Management and Budget) accepts the latest round of changes to the interim rule that DoD is submitting right now, then it’s going to be an all or nothing type thing in the contract. I think that’s been hard for manufacturers to understand, because DFARS was supposed to have more heft behind it.”
Even though CMMC 2.0 isn’t the rule of law yet, that isn’t stopping lawmakers and the military from expecting DoD contractors to take cybersecurity more seriously under current DFARS rules.
“We still have customers and potential customers who are surprised that this is something they’re supposed to be doing right now,” said Noël Vestal, compliance officer at Boston-based PreVeil, a provider of encrypted email and file sharing. “I had a conversation with somebody yesterday who’s been doing business with the DoD for years who said, ‘Well, yeah, I’m just gonna wait until CMMC comes out.’ And I said, that doesn’t make any sense. You are legally obligated today.”
She said the DoD sent out a memo in June about extra scrutiny of cybersecurity plans among any supplier requesting a modification on any contract with a 7012 clause, the part of DFARS that addresses cyber safeguards and incident reporting.
“And contract modifications can happen for a million reasons, you know, little stuff can make for contract modifications,” Vestal noted. “So, the DoD is coming down very hard on 7012, which is what it probably should have done in the first place. So now it’s kind of cleaning up the little bit of the mess that it made.”
It took Kaniewski and a team of three other internal IT staff two years to achieve Level 2 certification. Level 2, or “advanced,” the middle of three levels, requires suppliers to implement 110 practices aligned with National Institute of Standards and Technology (NIST) SP 800-171 r2, perform an annual self-assessment for select programs, and undergo a third-party assessment every three years for the way it handles critical national security information, according to the website of The Cyber AB, the DoD’s contracted administrator for CMMC.
Level 1, “foundational,” involves 17 practices and requires an annual self-assessment, according to the Cyber AB website. Level 3 “expert” certification requires meeting more than 110 practices based on NIST SP 800-172, and undergoing government-led assessments every three years.
The practices include such things as log keeping; hardware and software controls that promote cybersecurity; policies and procedures to enable those controls, such as two-factor authentication to gain access to a company’s network; awareness training for employees to resist phishing attempts; and threat detection and mitigation plans.
Aero-Glen’s initial third-party assessment in August took a full 40-hour week, with one day onsite. The assessment included a review of how the company implemented the required practices.
“And when you say you’ve implemented them a certain way, they will spend time reviewing in person or over your shoulder virtually to confirm that what you say you do, you actually do—and you’ve got evidence to back it up,” said Kaniewski.
Aero-Glen’s quality and supply chain teams contributed to the effort intermittently, as did the company’s leadership. Kaniewski and his core team prepared for certification with guidance from TMAC, the official representative of NIST’s Manufacturing Extension Partnership in Texas. An article on the website of TMAC at the University of Texas at Arlington touted Aero-Glen’s as the first in the U.S. to qualify for certification.
Leadership support is critical from day one, Kaniewski stressed. “Because in a lot of cases to meet the policy or the control objectives and the practice objectives, you do need to change your policies and the consequences of some of those policies,” he said. “So, you need upfront leadership support to implement it.”
Suppliers who need to achieve Level 1, the most basic certification, may forgo seeking outside help and perform initial and annual assessments themselves. Under Level 1, “An organization must demonstrate basic cyber hygiene practices, such as ensuring employees change passwords regularly to protect federal contract information,” according to The Cyber AB website.
Vestal said companies should consider three factors when deciding whether to go it alone:
The latter must be knowledgeable about IT, compliance, and documentation. They also need to be dedicated to the task, similar to Aero-Glen’s team.
“How dedicated is your organization to getting this done?” Vestal asked. “Is it at the very top level? You know, do you have the CEO who’s like, ‘Absolutely, we’re getting this done no matter what?’ Or do you have somebody at the top level who’s like, ‘Yeah, we should do this at some point, but it’s not a big deal.’”
The factors Vestal mentioned are big hurdles, but it’s possible to certify to Level 1 with no outside help.
“Suppliers with strong confidence in their audit and compliance teams, and suppliers with sufficient staffing, are ideally positioned should they decide to achieve Level 1 without external support,” added Wolfgang Goerlich, advisory chief information security officer, Cisco Secure, the portfolio of security products offered by San Francisco-based Cisco. “Such internal compliance initiatives can move quicker than bringing in a third-party when the people on the team have the relationships and understanding of how the practices are performed.”
The approach Goerlich describes may save money, but it won’t provide external validation and new perspectives.
“Achieving Level 1 with an internal project team answers the question, ‘What are we doing?’ but cannot answer the questions, ‘What are others doing, and what should we be doing?’” Goerlich said.
Bitlyft CEO Jason Miller, who founded the Michigan-based managed service cybersecurity protection company, said using consultants, “Is how small companies are able to get scale and value. They’re able to understand what everybody else is doing, and that they’re making the right decisions. You get speed and efficiencies out of that.”
In some cases, small companies—those with little more than a patent, a technology, and a few people working in a warehouse—are earning Level 1 certification with little trouble, O’Reilly noted.
“They were able to get through it and it wasn’t prohibitive in any way, shape, or form,” he said. “It’s also just good practice. If you’re producing, you know, something essential for a rotor that Northrop Grumman is going to use in a helicopter, you might want to protect that because right now there are a lot of bad actors out there trying to lift IP, and there have been for a long time.”
The sensitivity of the government information a supplier handles helps determine which certification level to attain and how much outside help to get.
“Once you get to Level 2, where you’re dealing with controlled information and information that has more heightened sensitivity, I think there is a stronger reason to get outside help even if it is not required,” said SMR&H’s Bourne. “It also gives you a little more cover should the government ever come in and want to do its own assessment, that you have had a third-party review and tell you that you’re meeting certain controls or letting you know where you need to put in a plan of action.”
Some information labeled “controlled” also may have been done so incorrectly, Bourne noted. She can help a supplier push back on the error to get it corrected.
There’s been talk at conferences of the National Defense Industrial Association (NDIA) that suppliers may be thinking of quitting the defense sector due to the expense and effort connected with CMMC compliance, according to Bourne.
NDIA statistics and Bitlyft’s Miller support that scuttlebutt.
“The annual number of new vendor companies in 2020 fell by 28 percent since 2018,” according to the NDIA’s Vital Signs 2022 survey. “New vendors are a key part of the defense supply chain as they provide innovation, redundancy, and new capacity. Concurrently, companies are leaving the defense sector at an alarming rate, with 20 percent of total vendors exiting over the past five years.”
Bourne has suggestions that may apply to some companies that can’t or don’t want to undergo the rigors of certification. This includes accessing controlled information through a prime’s system or that of another company with cybersecurity controls in place. Another solution in some instances would be to store information in the cloud with a provider that’s authorized by the Federal Risk and Authorization Management Program (FedRAMP), which was established for the federal government to use cloud services.
Whether cloud providers authorized under FedRAMP must also achieve CMMC certification was an open question in December, Bourne said.
The Cyber AB website has simplified getting help with a system of registering, certifying, and licensing various professionals and creating a searchable online marketplace to find them.
“One of the smart things to do would be to look at the Cyber AB’s website, because they do accredit companies as registered practitioners, which are consultants that have gone through the Cyber AB training and are familiar with the CMMC program,” Bourne added.
It also helps to know what questions to ask. Here’s what O’Reilly would ask a potential vendor:
Because the CMMC ecosystem is growing and potential vendors may be just getting established, they may be newbies to the process. That’s not necessarily a deal breaker, Miller added.
“We started working with a couple of the auditing firms and we got introductions to customers through them,” he explained. “And we were clear with those companies right up front and said, ‘Hey, you’re either our first customer, our second customer, or our third customer in the CMMC space. But what we could promise you is that we have spent a lot of time learning and reading and understanding and going to the webinars put out by the CMMC leadership so that we can be in the ship right alongside of you, you know, paddling the boat, too.’”
Connect With Us
