Adjusting Amidst CMMC 2.0 Uncertainty

This article, written by Avatara President Ben Scully, was originally featured in Government Technology Insider.

If you’re a Department of Defense (DoD) contractor, the Cybersecurity Maturity Model Certification (CMMC) has undoubtedly been on your mind. It’s no longer a matter of if  the regulations go into effect, but rather when. That means companies are also realizing how time-intensive the compliance process is.

The CMMC Assessment Process (CAP) will determine whether an organization has the proper cybersecurity protocols in place, and this certification will be required for securing future government contracts. A recent pre-decisional draft of the CAP would have far-reaching implications. Critics of the document cited a lack of quality control, clarity, and meaningful information.

Despite the uncertainty, CMMC 2.0 compliance is expected to be mandatory for all Department of Defense contractors by March 2023. After that, you may risk losing out on contracts if found noncompliant — or worse. In a world where 93 percent of company networks are vulnerable to cybercriminals, we must not think of compliance as a roadblock or an unnecessary financial burden. It’s a matter of national security. As the defense industry grapples with more sophisticated attacks, CMMC compliance is essential to help contractors safeguard their organization, protect the sensitive information they possess, and bolster our national security.

Ready to take action? Here are four takeaways from the most recent CAP Guide to help prepare for compliance amidst uncertainty.

1. Choose Your Vendors Wisely

Achieving compliance is all about mitigating risk. Before you begin the assessment process, take stock of your vendor list, including your MSP. The CAP Guide indicates that contractors will have to report any third-party personnel, procedures, or technologies relied upon performing its DoD contracts. While the language remains a bit ambiguous, it would be wise to ensure that any outside organization with access to your network is also on track to becoming CMMC compliant. Consider this a trickle-down security strategy. If your relevant vendors aren’t interested in or capable of keeping up with the ever-evolving DoD landscape, it may be time to look elsewhere.

2. Choose the Right Assessor

Self-assessments will not be an option. When it’s time to assess, confirm the authorization and standing status of your assessment organization. The CAP Guide outlines that “CMMC level 2 assessments will be conducted by CMMC Third-Party Assessment Organizations (C3PAOs),” which contractors can find on the AB’s online marketplace. The CyberAB will only accept assessments from authorized C3PAOs that are in good standing, so it’s crucial that you verify this.

3. Take a Holistic Approach

Building a network enclave to meet compliance can be tempting. The CAP Guide indicates that only the parts of the organization “that are performing DoD contracts and have access to the CUI need to be assessed.” As such, I’ve talked to a few companies that were considering the enclave approach — until they realized the inevitable scope creep this creates.

You end up managing multiple infrastructures with higher costs in the long run, along with exposed vulnerabilities outside the enclave. If you are a DoD contractor, I strongly recommend taking a holistic, all-encompassing approach that layers security throughout your entire IT infrastructure.

4. Start Immediately

If you haven’t already, now is the right time to start the CMMC compliance process. While the Defense Industrial Base is still awaiting the final CMMC rules from DoD, contractors who know they will need a CMMC level 2 certification can begin taking steps forward.

If you are prepared for these regulations ahead of time, you will be in good standing to compete for DoD contracts once the new rules have been implemented next spring. Investing in a compliant infrastructure now is a de-risking strategy to remain competitive in the future.