5 CMMC Myths You Should Know About
With the phased rollout of the U.S. Department of Defense’s (DoD’s) new Cybersecurity Maturity Model Certification (CMMC) requirements, many defense...
4 min read
Mike Brattain : Apr 2, 2021 3:22:08 PM
For defense contractors and the companies that work with them, compliance with U.S. Department of Defense (DoD) cybersecurity requirements can mean the difference between significant business growth and losing key DoD contracts.
How valuable is a DoD contract? According to The Balance, estimated spending by the DoD for the period of October 1, 2020 through September 30, 2021 will be $705 billion—making up the majority of the $934 billion in estimated U.S. military spending for the same period.
For companies that are currently defense contractors or who want to work with the DoD, this represents a massive opportunity for business growth. However, to earn this opportunity, businesses need to meet DoD compliance requirements for standards like NIST 800-171 and CMMC certification.
The Cybersecurity Maturity Model Certification, or CMMC, is a relatively new DoD compliance requirement that builds off of several previously-existing security rules. It is intended to help businesses protect controlled unclassified information (CUI) and federal contract information (FCI) that they may process or store as part of a DoD contract.
The DoD’s implementation of CMMC (also known as DFARS Case 2019-D041) will force contractors working with the DoD to place a greater emphasis on cybersecurity than ever before.
NIST 800-171 is a special publication from the National Institute of Standards and Technology (NIST). NIST 800-171 Rev 2 is a standard for protecting the confidentiality of CUI in “Nonfederal Systems and Organizations” that consists of fourteen different families of controls.
There are 14 “families” of controls specified in a NIST compliance checklist:
RELATED: Does Your Current IT Support Know NIST 800-171?
The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 calls on contractors to safeguard covered defense information and report cyber incidents. This includes a requirement to “implement NIST SP 800-171, as soon as practical.” If security controls vary from NIST 800-171, a request must be submitted “in writing to the Contracting Officer.”
The Code of Federal Regulations (CFR) rule specifically addresses “basic safeguarding of covered contractor information systems.” Under CFR 52.204-21, contractors have to meet 15 separate security requirements and controls.
Many of these requirements center around limiting access to information systems to “authorized users,” implementing monitoring systems for said systems, and protecting against malicious code or intrusions.
CMMC is a new DoD compliance standard that businesses will need to meet to be able to keep winning DoD contracts moving forward. It encompasses security rules and guidelines from several existing standards and divides them into 17 distinct “domains.”
It’s important to note that not every contractor will need to meet every CMMC certification requirement. There are five levels of CMMC compliance for contractors to know, each with a different number of specified controls that contractors will need to meet.
RELATED: Important CMMC and NIST 800-171 Information
So, how does compliance with DoD standards such as NIST 800-171 and CMMC certification boost business? Here are a few ways to leverage that compliance to gain some revenue opportunities:
The most obvious way to increase revenue after meeting DoD compliance standards is to work with the DoD (or other government agencies). With billions of dollars in government spending up for grabs, working with the DoD can be an enormous revenue opportunity.
Plus, by meeting compliance requirements like CMMC before competitors do, companies can enter a more limited market with less competition.
Instead of trying to win DoD contracts directly, DoD-compliant companies could opt to work as subcontractors for other organizations working on DoD projects. Many DoD contractors may need to outsource specific tasks (such as procurement, IT development, or manufacturing) to other companies that specialize in them.
Being compliant with DoD cybersecurity requirements can be crucial for earning work as a subcontractor, because government contractors need to ensure that their vendors and partners are able to protect CUI and FCI data as comprehensively as they do.
Given the ever-present threat of data breaches that result in identity fraud and other major types of fraud, being able to protect sensitive information can be an enormous selling point. Customers who have been exposed to fraud from identity theft or who understand modern info security risks may prefer companies that have strong cybersecurity.
Showcasing how your business complies with security standards like NIST 800-171 or CMMC can be highly effective for catching the attention of security-conscious customers in both the public and private sectors. If you can demonstrate the ability to effectively protect sensitive data, it can be a valuable competitive advantage when your products and services are otherwise similar for quality, price point, and speed.
Why? Because you would be able to provide the same products or services at a lower risk.
To demonstrate your security advantage, you may need to thoroughly document your security policies, procedures, and tools.
When preparing for NIST 800-171 or CMMC certification, there are several key steps to take, including:
RELATED: How to Perform an IT Gap Analysis
If you have any questions about CMMC, NIST 800-171, or other DoD compliance standards, reach out to the Systems X team today! We’re here to help connect you with what’s next in cybersecurity compliance so you can be ready for the future of business!