Article by Avatara’s VP of Sales, Kraig Kubicek, originally published in Manufacturing Tomorrow Magazine.
If you’re a contractor for the United States Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) probably isn’t news to you. Your role in protecting sensitive defense information from cybersecurity threats is imminent. And so is your requirement to prove that you’re up for the task.
Soon, all contractors and subcontractors that engage with DoD will need some level of certification. And many of them will come from small businesses — 2020 alone saw small businesses win more than 26% of federal contracts amounting to $145 billion.
The struggle is that confusing and fluid guidelines often keep small enterprises from bidding on DoD contracts. With the recent CMMC 2.0 update, contractors now have to wade through certification-related procedures and documentation before subjecting their businesses to third-party cybersecurity assessments. It’s a tall order considering there’s no clear expectation as to when all the “rules” will be finalized or how much it will cost.
For small businesses, this can be a major investment in time and money. Great effort goes into not only implementing the proper security measures, but also creating all the necessary documentation for CMMC compliance. We’ve seen many companies that have been working at it for months before coming to us for help.
Beyond that, most internal IT teams don’t often have the level of expertise required to bring the operations into compliance. A recent survey from Tier 1 Cyber found that 27% of government contractors felt unprepared for a cybersecurity breach. This same survey also found that many contractors had a false sense of cybersecurity preparedness. With “prime” contractors already narrowing suppliers based on CMMC readiness, there’s no time to waste preparing for the inevitable change in requirements.
Small businesses stand to earn a significant amount of money thanks to government contracts, so they’ll want to ensure every base is covered. Even if you’ve just dipped your toe in DoD waters, it’s important to understand the risks involved in noncompliance. For one, you’ll likely lose existing contracts when CMMC goes into full effect and lose a chance at future contracts without the necessary certification level.
Cybersecurity in and of itself has also become a critical component to business, outside of DoD contracts. In the first quarter of 2021, supply chain cyberattacks rose by 42% across the U.S. An even harder-to-swallow statistic: Most companies go out of business within six months of a cybersecurity breach due to the associated costs. Why not use the new CMMC guidelines to improve your cybersecurity while increasing the chances of landing a government contract in the process?
In addition, the marketplace has changed. Both B2B and B2C customers expect a greater level of security when it comes to data. The loss of reputation resulting from a breach should be reason enough to invest in greater cyber protection. Then, of course, you’ve got insurance companies dropping clients, whistleblowers shining a light into internal processes, and the operational downtime that comes after cyberattacks. Compliance will give you a leg up on all fronts.
Though somewhat complex and time-intensive, CMMC compliance is completely doable for almost any business. It just takes the right strategy — and some attention to detail — to ensure all boxes are checked. Following are four steps in the right direction:
1. Assess your data to identify the points subject to CMMC.
Controlled unclassified information (CUI) covers many different forms of data. Tax-related, sensitive intelligence, patents, and intellectual property all would fall within this category.
To maintain CMMC compliance, companies will not only need to determine and disseminate their own CUI, but they’ll also have to ensure their downstream suppliers properly process and store this type of information because DoD contracts extend throughout an entire given supply chain.
2. Pull together all the necessary CMMC documentation.
A time will likely come when you’ll need to provide evidence of CMMC compliance. Don’t wait until you get the call, as it’ll just increase the chances that something will be missed. Plus, considering the idea of a “compliance maturity model” is to implement continuous improvement — you’ll be behind before you even begin. Now is the time to begin building a folder for the following CMMC materials:
- Written policies for each domain
- System security plan (SSP)
- Security incident response plan
- Accessible use policies
- NIST 800-171 interim rule responses
- Security infrastructure documentation
- Objective evidence for each domain
3. Plan ahead.
Although the timeline for CMMC compliance isn’t totally clear, preparation will likely take longer than you imagine. Starting early will help you achieve compliance by the time the program is completely rolled out.
More importantly, try to reach the highest of CMMC certifications possible. Even if you think you’ll only need to meet CMMC Level 1, for example, maturity levels may differ from contract to contract, and requirements will be integrated into all renewals and new RFPs going forward. After all, the end goal is really to button up your security as tightly as possible and mitigate any and all risk.
4. Don’t give up on DoD contracts.
This step is more of a mindset. The new requirements may be discouraging and cause you to rethink DoD contracts. But many of your competitors will fail to comply — that, or drop out. This leaves you a lot of room to leverage compliance for success.
Fortunately, plenty of resources are available to help navigate the new CMMC complexities. For example, EverySpec has compiled more than 55,000 specifications for the likes of NASA, DoD, and DOE in a single database. This site would be a good place to start.
While there may seem to be a lot of red tape associated with DoD contracts, the effort is often worth the outcome. You’re opening your business up to another whole market. Once you’ve gone through all the necessary pieces, it should be smooth sailing from there.