The United States Department of Defense (DoD) will require organizations conducting business with the DoD (i.e., defense contractors) to obtain a Cybersecurity Maturity Model Certification (CMMC) involving verification from an independent assessor. This is expected to have an impact across the Defense Industrial Base (DIB). What can contractors do now to prepare their organizations to meet these new requirements?
Depending upon the CMMC maturity level required, implementation and certification of cybersecurity controls may require a time-consuming commitment of resources, both in terms of people and funding. This heightens the urgency for acting now rather than waiting. Consider addressing your CMMC challenges in a pragmatic way by leveraging Baker Tilly’s relevant expertise.
The rollout of CMMC is a major development in the cybersecurity regulatory landscape and will have significant impacts on defense contractors of all sizes. With the release of this model, in order to conduct business with the DoD, essentially all defense contractors will be required to achieve a defined CMMC level(1) involving a certification to be conducted by an independent and qualified third-party assessor.
Not only will the DoD require defense contractors to comply with these new requirements, but also to flow-down these requirements across their supply chains, adding further subcontract oversight and risk burdens to higher-tier contractors.
The DoD intends to use the CMMC to manage cybersecurity risk across the DIB – specifically with respect to protecting federal contract information (FCI) and controlled unclassified information (CUI) – through independent certification to verify defense contractors’ cybersecurity posture. Results of these certifications will become discriminators within the DoD’s solicitation and award processes.
In addition, the DoD aims for the CMMC to expand and improve upon existing guidance for adequate cybersecurity controls, aligning cybersecurity safeguarding requirements with contractors’ risk exposure when handling FCI and CUI in performance of DoD contracts.
The CMMC does not replace current regulations and standards, such as DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” and NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Rather, it builds upon existing guidance by introducing additional standards that transition away from the current self-reporting approach, to a new paradigm involving an independent verification process with defined risk considerations based on scope and requirements of specific DoD contracts.
The CMMC currently includes the following key elements:
Baker Tilly recommends that contractors follow a three-phased approach to prepare their organization to meet their desired maturity level prior to the certification. The approach is outlined below:
In addition, defense contractors should assess their supply chain management (SCM) capabilities to identify where they need to strengthen processes and controls around flowing down, monitoring and managing cybersecurity safeguarding requirements relative to DFARS 252.204-7012, NIST SP 800-171, and the Defense Contract Management Agency’s Contractor Purchasing System Review (CPSR) Guidebook.
By following Baker Tilly’s methodology, defense contractors can proactively identify any deficiencies and begin corrective actions to meet their desired CMMC level. Early action in this regard will reduce the risk of being precluded from DoD business opportunities while preparing to become certified. Baker Tilly stands ready to help organizations to proactively complete these steps and position their organizations to meet their desired certification level.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.
1 Organizations that solely produce Commercial-Off-The-Shelf (COTS) products do not require a certification (source: https://www.acq.osd.mil/cmmc/faq.html FAQ #19)
2 Organizations that solely produce Commercial-Off-The-Shelf (COTS) products do not require a certification (source: https://www.acq.osd.mil/cmmc/faq.html FAQ #19)
3 Source: https://www.acq.osd.mil/cmmc/faq.html FAQ #15