Understanding CMMC

Though the US government generally acknowledges the importance of securing its full perimeter—its own networks and all the networks across the Defense Industrial Base (DIB)—it had largely let companies secure themselves to the best of their ability with no real oversight. The SolarWinds attack was a turning point, however: it made plain that even IT companies weren’t great at executing cybersecurity for themselves, and that the risks to the government were too much to bear.

The US Defense Department had even more at risk, with evidence that intellectual property from across its largest weapons manufacturers, like Lockheed Martin, was ending up in Chinese hands. DoD acted, and that action is now CMMC.

CMMC stands for Cybersecurity Maturity Model Certification. DoD stood it up in acknowledgment that the DIB is part of the national cyber-attack surface and therefore needs to meet basic cybersecurity requirements. DoD collaborated with the DIB to figure out the best approach to mandating basic cybersecurity. When the CMMC 1.0 iteration was shared, the DIB balked at the requirements with two main complaints: 1) CMMC is yet another compliance exercise that won’t necessarily produce true cybersecurity improvements, and 2) the costs to comply—especially for small businesses and new entrants to the DoD market—are astronomical, posing yet another barrier to entry into the Defense market.

DoD listened and modified its initial CMMC framework and requirements. In the simplest terms, here’s what they are:

· All companies doing business with US Defense customers are expected to be CMMC Level 1 compliant by the end of 2024 or early 2025, when CMMC 2.0 takes effect, which means they are self-certifying that they meet NIST 800-171 security requirements. They must self-certify annually.

· Defense Acquisitions Officers have the authority to specify, by contract requirement, whether bidders must meet CMMC Level 2 or Level 3 requirements. CMMC Level 2 requires triennial third-party assessments, and CMMC Level 3 requires triennial government-led assessments.

· A CMMC assessment is required if/when DoD Controlled Unclassified Information (CUI) will be processed, stored, or transmitted on a contractor information system. If this isn’t the case, companies should only have to achieve CMMC Level 1 compliance.

There is still some ambiguity around how Acquisitions Officers will apply Level 2 and Level 3 requirements. That said, some companies are proactively achieving CMMC Level 2 to differentiate themselves from their competitors on strategic captures.

In general, I see CMMC as a solid step in the right direction. Though there are modest cybersecurity gains, what it really accomplishes is a collective mindset shift among CEOs, executives, and the early teams they build as they pursue or expand business in Defense: security isn’t a nice-to-have or an afterthought but must be considered a part of doing business, and that’s a really good thing for our US national defenses as a whole.
