
We’ve expected for some time that the Department of Defense was going to step up
its efforts to move away from self-attestation and start enforcing cybersecurity
compliance among defense contractors. Now—just like that—it’s a reality.
In late May, Katie Arrington, special assistant for cybersecurity in the Office of the
Under Secretary of Defense for Acquisition and Sustainment, announced the
Cybersecurity Maturity Model Certification program, or CMMC, which will require
cybersecurity audits and certifications for all DoD contractors.
The program is currently being developed by Johns Hopkins and Carnegie Mellon
University and will combine several cybersecurity standards, including NIST 800-171,
NIST 800-53, FIPS and others, into a single unified standard. It will go into
effect next year.
The good news? There’s going to be a stick, yes, but there’s also a carrot—lots of
carrots, in fact—that will make compliance for small contractors not only easier but
actually affordable.
Here are the salient points:
- Compliance is no longer “one size fits all.” CMMC compliance will range from Levels 1 to 5, with Level 1 being full adherence to basic, common-sense cyber-hygiene standards and Level 5 being the ultimate in full compliance with all NIST and other security controls.
- Contracting requirements will be transparent. The required CMMC level (1-5) for each specific contract will be stated clearly in all RFPs, and it will be a “go/no go” decision. If the contract calls for CMMC Level 2 compliance and you’re only a Level 1, then you’re out. It’s that simple.
- Security will be an allowable expense. You’ll be able to roll the cost into your billable rate. Moreover, grant money will be available to smaller contractors to help them get initially certified.
- You’ve got to move forward—and soon. The official CMMC will be released in January 2020. The CMMC requirements will be used in RFIs starting in June and in RFPs following that. So companies will need to be audited and certified by spring at the latest.
One more thing: Small contractors have an empathetic, highly knowledgeable friend in Arrington, an entrepreneur who was once the vice president of operations for Dispersive Technologies, a small software developer for DoD, and she’s got a lot of plans in the works to make life easier for the 99.9 percent of defense contractors who aren’t massive and flush with cash.
“I’ve sat in your seat,” she says, noting that she wants to hear from contractors with questions or input. “I came into government to lessen the burden on you.”
So stay tuned: This blog will dig into the various aspects of the CMMC over the next several weeks and months to provide more details on what it all means for you, the small defense contractor.
About the Author: Richard Astle
Richard is the CEO of NeQter Labs. Known for his ability to reverse engineer a nuclear warhead - or possibly - better known as a recent winner of the Providence Business News’ 40 under 40. Richard has been with NeQter Labs from day 1; what began as a need-based idea for a DoD subcontractor turned into what is now a leading hardware- and software-based cybersecurity company. Richard enjoys working with the company’s growing team and is based in Pawtucket, RI.