CMMC — a platform approach aids approval process for DOD contractors

Doing business with the Department of Defense has never been easy. But it’s about to get more complicated for tens of thousands of defense contractors and suppliers who must now prove they can meet a complex set of cybersecurity requirements as part of the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program.

“The Cybersecurity Maturity Model Certification is DoD’s latest attempt to stem the tide of intellectual property loss and data exfiltration within its complex supply chain,” says Ryan Bonner, an independent compliance consultant who focuses on cybersecurity regulations for defense contractors.

Despite years of imposing tighter cybersecurity commitments on companies wanting to do business with the Defense Department, “the United States is losing between $600 billion and $1 trillion in intellectual property to foreign powers each year,” much of it from within the Defense Industrial Base, says Bonner.

The Pentagon is attempting to stem those loses by making cybersecurity central to all acquisitions through the CMMC program.

“You can trade cost, schedule, and performance – but cybersecurity is fundamental to doing business with the DoD,” says Andy Stewart, former chief of operations for the U.S. Navy’s Fleet Cyber Command and now senior federal strategist at Cisco Systems.

Similar in concept to the federal governments FedRAMP program — where cloud service providers, using third-party auditors, must prove they meet and can maintain upwards of 200 government-mandated security controls — CMMC requires defense contractors to get certification demonstrating they meet minimum security standards.

One strategy for simplifying that process, say Stewart and Bonner, is to turn to infrastructure providers like Cisco, which have already been accredited to meet the Defense Department’s highest security requirements.

The two security experts highlight what’s at stake for defense contractors and offer recommendations for navigating CMMC’s complex requirements in a new podcast produced by FedScoop and underwritten by Cisco:

What’s contractors need to understand about CMMC:

CMMC is one part of several strategic initiatives to secure the supply chain and enhance the cybersecurity posture of the Defense Industrial Base, says Stewart. But it gained momentum in 2019, when the Department of Defense mandated that the Defense Contract Management Agency include cybersecurity compliance as a part of a contractor’s purchasing system audit and approval.

Companies seeking business with the Defense Department must meet various NIST SP 800-171 cybersecurity guidelines, depending on the level of security they plan to work within. But they will also need to complete an independent third-party assessment and certification process in place of self-certification.

And “CMMC does not allow for a deviation process for individual control gaps or plan of action and milestones,” Stewart says.

How defense contractors can better prepare for the review process

“CMMC assessors will attempt to understand not just whether certain practices are in place, but how well they are performed, documented and managed on an ongoing basis. This creates the need for much more data gathering, interviewing, and even practical demonstrations or observations during the assessment process,” says Bonner.

Bonner explains that a common assessment method in the DOD space for security controls is KID — known, implemented and documented — which increases the level of complexity of an assessment beyond what has been expected from the previous paper-based exercises or self-assessment.

“We are seeing a lack of documentation in contractor systems,” Bonner says. “CMMC’s predecessor, NIST 800-171 assumed things like policy and procedures existed, but did not require it. CMMC is closing that loop, and these oversights will impact the assessment and certification outcomes.

Additionally, contractors “struggle with identifying the difference between controlled classified information, federal contract information, and their own proprietary business information,” Bonner says. “They don’t understand their own data ownership and data rights well enough to know when they’ve crossed into CUI territory on a contract deliverable, or when CUI is hitting their inbox from an outside customer.”

Recommendations to streamline CMMC-certification

“I’m pretty vendor-agnostic, in the sense that I try not to play favorites in consulting engagements. That being said: it’s really rare to find a single vendor providing the breadth of security solutions that you see with Cisco,” Bonner notes.

“If an organization is looking for fewer vendors to manage, and a broader set of integrated solutions; Cisco can provide a somewhat unique relationship. As an organization seeking certification under CMMC, I don’t think you can place enough emphasis on working with providers who understand the federal mindset. And Cisco continues to expand its portfolio in the FedRAMP marketplace, which is a big decision factor for contractors trying to determine whether their technology choices will align with federal and defense safeguarding requirements in the future,” he says.

Andy Stewart served nearly three decades in the U.S. Navy in a variety of cyber and cryptologic warfare leadership roles. He most recently served as chief of operations for the Navy’s Fleet Cyber Command, before retiring and joining Cisco two years ago as a senior federal strategist.  

Ryan Bonner is an independent compliance consultant who focuses on cybersecurity regulations for defense contractors. Among other work, Ryan has been working with NIST Manufacturing Extension Partnership offices, where he participates in grant-funded efforts to improve cyber resiliency for manufacturers in the defense industrial base.

Listen to the podcast for the full conversation on how to navigate the Defense Department’s CMMC process. You can hear more coverage of “IT modernization in government” on our FedScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.

This podcast was produced by FedScoop and underwritten by Cisco.