How Defense Contractors Can Boost Business with DoD Compliance
For defense contractors and the companies that work with them, compliance with U.S. Department of Defense (DoD) cybersecurity requirements can mean...
With the phased rollout of the U.S. Department of Defense’s (DoD’s) new Cybersecurity Maturity Model Certification (CMMC) requirements, many defense contractors are scrambling. These companies are looking for quick and easy ways to meet DoD compliance standards so they can keep bidding on government contracts.
However, as with any new government regulation, there seems to be some confusion about CMMC, who needs to adhere to it, and the best way to go about complying with the cybersecurity rule. In fact, some CMMC myths have already started to crop up that may cause defense contractors to waste valuable time and money if they fall for them.
What are some common myths about CMMC? More importantly, how can you prepare your business for CMMC compliance?
Some of the most prevalent myths about CMMC include:
One of the biggest misconceptions about CMMC is that it’s the same as NIST 800-171. So, many companies may assume that if they are NIST compliant, then they’re already CMMC compliant.
This may be because a significant portion of the controls used in CMMC is based on NIST 800-171. However, while many of the controls required are the same or similar, CMMC builds on NIST 800-171 and adds more controls and nuance.
Additionally, certification for CMMC is conducted by a certified third-party assessment organization (C3PAO) in accordance with the CMMC accreditation body (CMMC-AB). So, there is a separate certification for CMMC that is distinct from NIST 800-171.
While meeting CMMC standards will require many of the same controls as NIST, they aren’t the same thing. A separate certification will be required for DoD contracts that specify CMMC.
Some organizations might assume that, because they aren’t specifically defense contractors working directly with the DoD, CMMC won’t affect their business. This isn’t necessarily true.
Even companies that don’t work directly with the government may act as subcontractors for companies that do. When these companies apply for CMMC certification, part of their assessment will involve whether their vendors are meeting the right cybersecurity standards.
In this case, even a business that doesn’t work directly with the government may lose customers. After all, defense contractors need to meet CMMC and other cybersecurity requirements themselves—and cutting off vendors who hold them back from being able to take government contracts only makes good business sense.
On the other hand, a CMMC-compliant company may be able to attract new business from defense industry contractors who need partners to outsource specialized projects to.
One of the things that everyone needs to know about CMMC is that the certification comes in three levels.
To oversimplify things a bit, higher levels of certification indicate that the company’s cybersecurity is better optimized and documented compared to lower levels.
One thing that many organizations might assume is that, if they want to win government contracts, they will need to have the highest possible certification. However, this isn’t necessarily true. In fact, for many DoD contractors, pursuing the highest levels of CMMC certification may actually waste both time and resources.
The DoD isn’t going to require level 3 certification for every request for proposal (RFP) they make. In fact, the majority of defense contractors will only need to meet level 1 of CMMC. Level 4 and 5 certifications will only be required for the most sensitive of defense contracts.
Some contractors may be slightly confused about a 2019 statement from Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD.
In the statement reported on Federal News Network, it was intimated that “the government, in some cases, will pay for cybersecurity.” This may have led some contractors to believe that the government will cover the costs of their CMMC readiness efforts. However, this is not the case.
Here’s a clarification from the pages of Small Business Today Magazine (SBT): the “official audit costs – and not any readiness assessment costs or remediation – will be reimbursed when a company is awarded a contract that requires a CMMC Maturity Level.”
In other words, the government is only going to cut a check for the audit itself—and that’s only if you win the contract requiring CMMC certification. Your costs for getting CMMC ready, such as adding new security, going through additional training, and running other assessments will not be reimbursed.
So, what if your security measures already meet DoD compliance standards for the level of security a government contract requires? Does that mean that you can just show the DoD your compliant security processes and tools and skip getting certified by a C3PAO?
No.
Even if you’re actually compliant already with CMMC, you still need to undergo the assessment and certification process to be able to take on a contract from the DoD. As noted in the SBT article cited above, when a contractor is awarded a contract, “the awardee will need to present their CMMC Maturity Level Certification required by the proposal” at that time.
So, while you might not need a certification to bid on a contract, you will need to provide your certification documents to the DoD once you’re awarded the contract.
With the phased rollout of CMMC underway, how can your company prepare for certification so that it can start taking contracts that require certification ASAP?
Some basic preparation tips include:
In addition to these preparatory measures, you can also work alongside an experienced managed security service provider (MSSP). MSSPs can help you identify the best tools and resources to efficiently increase your cybersecurity and bring it into compliance with your desired CMMC maturity level.
This, in turn, can help relieve some of the stress and difficulty of adjusting to a new cybersecurity regulation—freeing up your time and resources so you can focus more on winning bids rather than worrying about whether your two-factor authentication and incident response plan are up to snuff!
Need help meeting CMMC requirements while avoiding falling for CMMC myths? Reach out to the Systems X team today to get started!