SolarWinds, Non-Compliance, and What Brought Us to CMMC

If you’re looking for some clarity on CMMC and what it means for you and your organization, you may find the official site overwhelming, since even its definition of CMMC is overly complicated.

That site says: CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.

Basically, the government wants to be able to trust that your company can handle its data safely, according to its own set of standards. But what does it take to achieve compliance? That question is a bit more complicated, said EJ Hilbert, a former FBI agent turned CISO, at the Chicago Virtual Cybersecurity Summit.

“It changes the way we as companies certify to the US government that we are able to protect the data they’re giving us. It no longer allows you to self-certify, it no longer allows you to come up with your own various rules. You have to bring an expert third-party in to watch over you, and if you do not comply, you don’t win the work,” Hilbert said.

The pressure to adopt CMMC comes hot on the heels of the SolarWinds supply chain compromise, which, according to Hilbert, was a major exposure of the shortcomings of our current system and our supply chain.

“What people don’t recognize is, the government cannot regulate everybody. They can only place rules for those groups that want to do business with the government,” he said. “Though the DoD is the only group right now that has this in place, it could spread to all government contractors across the board, and it would force them to have the same levels of standard.”


Ultimately, CMMC compliance will require you to check off the boxes for NIST 800-171 — which had been prescribed to organizations working with the government, but “had no teeth,” according to Hilbert. That’s part of what brings us to where we’re headed with CMMC.

“It wasn’t required by anybody. It was suggested,” he said. Less than 30% of government contractors actually met the requirements by the Dec. 31, 2017 deadline. Laziness on the part of the contractors, Hilbert said, is primarily to blame. And contractors could still do the work if they had a plan-of-action for compliance in place.

By 2020, roughly 50% of government contractors met the basic standards for compliance. And, unfortunately, a Russian hacking group found its way into an organization that carried the full trust of the U.S. government but had not met the standards, Hilbert said.

Since then, government agencies have focused on closing the loopholes that allowed companies to avoid meeting the initial standards. Now, with CMMC, all contractors for the Department of Defense must meet the 110 NIST controls, plus the additional 24 controls set out by the requirement. If you’re a DoD contractor and don’t have this done by 2022, you’re out of luck. Keep in mind, of course, that government contracts are set years in advance. That means your organization should be getting started on working toward those controls now.

And, according to Hilbert, it’s pretty clear that this will soon apply to all government contracts. The bottom line: compliance with the standards set by CMMC is a safeguard against attacks, as well as a requirement if you want to do business with the government. It’s worth meeting these controls for the safety of your team and the organizations you work with.

Keep up with compliance and regulations with the rest of the Data Connectors Community by attending a Virtual Cybersecurity Summit, where our expert panels cover this topic regularly. Submit a question for an upcoming panel to learn more.

Hot Topics in Cybersecurity Posted by Jen Greco on Apr 28, 2021