Oct 01 2020

The Importance of CMMC in Showcasing a Contractor’s Security Capabilities

Achieving a Cybersecurity Maturity Model Certification gives the Defense Department, and the federal government in general, reassurance about a contractor’s security protocols.

Early this year, the Defense Department formally started rolling out a new approach to cybersecurity for its contractors: the Cybersecurity Maturity Model Certification, or CMMC. At its heart, the CMMC is designed to ensure that those contracting with the DOD are practicing appropriate cybersecurity controls to secure the Defense Department’s data.

As the DOD itself puts it, the CMMC is “intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information” that resides on the networks of the DOD’s industry partners.

There are five levels of certification, ranging from basic cyber hygiene (Level 1) to advanced cybersecurity controls (Level 5). But the bottom line is that anyone doing business with the DOD will need to have a CMMC accreditation in order to receive future contracts. The DOD recently issued an interim rule on the CMMC in the Defense supplement to the Federal Acquisition Regulation.

“We are intending it to be finalized by November of this year,” Katie Arrington, CISO for acquisition and sustainment at the DOD, said in September, MeriTalk reports.

CDW•G has completed an assessment that qualifies us for Levels 3 and higher. Investment in assessing and qualifying for CMMC compliance demonstrates our commitment to the DOD and other government agencies that we take IT and data security extremely seriously, and that we can be trusted to protect sensitive government data. Any contractor looking to demonstrate such integrity and scrupulousness when it comes to the cybersecurity of government data would do well to achieve the level of CMMC accreditation corresponding to the type of work it performs as soon as possible.

What Does Getting a CMMC Accreditation Involve?

The DOD encourages its contractors to complete a self-assessment prior to scheduling a CMMC assessment. But what does a CMMC assessment involve?

The CMMC Accreditation Body, a nonprofit, independent organization, is starting to accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors — those who will actually perform the CMMC assessments of DOD contractors. Earlier this month, the CMMC Accreditation Body completed the first provisional training of 25 C3PAOs.

The provisional assessors will “shake out the program and what needs to be done before the training and certified assessors for the open market are released,” William “Tony” Bai, federal practice lead at A-LIGN, a cybersecurity and compliance firm, said earlier this month, according to MeriTalk. Arrington has estimated that 7,500 companies will be certified in 2021.

What are assessors looking for when they examine a contractor’s approach to cybersecurity? First, they look at what certifications a company has already achieved to gauge the level of its cybersecurity controls. CDW•G has achieved ISO 28000 certification, demonstrating end-to-end secure supply chain controls, as well as ISO 27001, which covers requirements for NIST-based information security management standards. When assessors looked at our security controls, we did not have to close any gaps because of those earlier certifications.

Achieving those certifications demonstrates to the C3PAOs a level of commitment to security controls. If contractors do not already have such certifications, it may be difficult to achieve the required level of CMMC accreditation.

C3PAOs also assess the kinds of controls a contractor has in place to protect DOD data, such as, but not limited to, a bill of materials, a schematic or other government data that is sent over as part of a contract. That data needs to be protected. At CDW•G, such data is firewalled off from the commercial side of CDW. We employ multilayered authentication controls to grant access to such data on a need-to-know basis, and we have security controls governing which personnel can attempt to access the data.

CMMC Levels 1 through 3 encompass the 110 security requirements specified in NIST SP 800-171 Rev. 1, which covers the protection of controlled unclassified information in nongovernment systems. The CMMC adds further controls on top of that baseline, and assessors look not only at a contractor’s implementation of a cybersecurity protection system, but also at its institutionalization of cybersecurity practices.


The Value of a CMMC Accreditation for a Contractor

Each DOD contractor is going to be at a different maturity level in terms of the cybersecurity controls it employs. That is based on the company’s understanding of security controls and processes and how central they are to that company’s business model.

Companies cannot attain a high-level CMMC accreditation by taking a cookie-cutter approach to cybersecurity. That is not how security in the government contracting world works.

CDW•G has an in-house security team of experts and entire internal organizations dedicated to security controls. Attaining certifications requires commitment and investment — but that pays off when it comes time to receive an accreditation, such as the CMMC. Government agencies trust CDW•G to protect their data because they know about and trust the rigorous controls that have been put in place to do so. Gaining that trust via an accreditation like the CMMC demonstrates not just a company’s commitment to security but also its value as a trusted partner.

Attaining a high-level CMMC accreditation is a signal that the company can meet the DOD’s core objectives when it comes to cybersecurity. Currently, the DOD needs to perform a separate evaluation of each supplier, on a task-order-by-task-order basis, to ensure that the supplier meets certain cybersecurity controls. The CMMC will mean the DOD no longer needs to perform its own assessments. It also ensures that the DOD will have a pool of accredited suppliers that have already been vetted and meet the necessary controls.

The CMMC will be rolled out in pathfinder contracts, and those that have achieved a high level of certification will be in a strong position to participate in those. Ultimately, the CMMC process could be applied in the years ahead to agencies outside the DOD. That makes being able to navigate the process even more valuable for contractors, especially as they perform more services for agencies and conduct operations onsite with them.

The CMMC process is not simple. However, for those looking to contract with the DOD and beyond, mastering it is essential.

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.
