In an effort to strengthen U.S. national security, DoD contractors must roll out the Cybersecurity Maturity Model Certification (CMMC) across their internal business, and expect that their supply chain does the same. Those who don’t have the CMMC certification won’t be able to engage in Department of Defense (DoD) contracts, so the pressure is on for Primes and their suppliers. Amid the COVID-19 pandemic, this regulation does not seem to be slowing down in the face of the crisis, and security is more of a priority than ever before. Read on to learn how Contractors should support a supply chain CMMC program in 2020.
At the time of its public release, this new DoD standard was made clear that requirements from the CMMC for primes may be included in RFPs in 2020. These initial RFPs could contain language specifically around cyber threats in missile defense, nuclear modernization, and small business-focused programs. There is projected to be a five-year CMMC rollout period, but Prime contractors are expected to get their houses for 2020 CMMC requirements and RFPs.
The new set of requirements involves a net-new certification process that is based on a review by the Certified Third-Party Assessment Organization (C3PAO) focused on assessing organizations against these cybersecurity requirements. Upon rollout, RFPs will include a "go/no-go" decision based on whether the contractor meets the level required for CMMC certification at the time of the award. With these strict requirements, it’s imperative that Prime contractors and their DoD subcontractors prepare for CMMC certification in 2020.
Prime contractors are expected to support their supply chain in the CMMC rollout
At the end of last year, the Department of Defense (DoD) Under Secretary for Defense Acquisition and Sustainment Ellen Lord stated that cybersecurity vulnerabilities in the defense industrial base are most common six to seven levels down from prime defense contractors, hiding in their extensive supply chains.
"This is a U.S. economic security issue as well as a U.S. security issue," Lord said. "When we look at cybersecurity standards, I believe it is absolutely critical to be crystal clear as to what expectations, measurements are, what the metrics are, and how we will basically audit against those."
Across the Defense Industrial Base (DIB), organizations are rushing to translate their compliance from the NIST SP 800-171 cybersecurity controls to the new Cybersecurity Maturity Model Certification standard. These requirements include basic cyber hygiene at the low end, like levels 1 and 2, but prime contractor CMMC strategy, and the strategy for those who are higher up in the DoD supply chain in general, needs to focus on higher certification levels against the CMMC framework to continue doing business with the Department of Defense.
How Primes can prepare their own supply chains for CMMC compliance
Katie Arrington, DOD's Chief Information Security Officer, recently stated in an interview, “...if you’re in the supply chain," she said, "within the next five years, you are going to have to be certified. It just depends on when your [contract] comes up.”
As primes prepare for 2020 contracts, it is important that they take the state of their supply chain into consideration. As a prime contractor, starting to develop a plan for your own Cybersecurity Maturity Model Certification rollout, and how to support your suppliers in getting prepared, is important to prioritize. Many prime contractors will have their suppliers calling on them for answers; thus, developing a proactive support system is an initiative that can set you apart from other leaders in the defense industry.
- 1. Create a resource-rich support system
The greater the size of the supplier base, the more complexity there is, and therefore, the more risk is inherent in that supply chain. As the National Institute of Standards and Technology puts it, “a supplier can compromise the end product, business performance, reputation, and shareholder value” of a prime contractor. When primes consider the immense importance of supplier security, whether physical or information security-related, the argument for prioritizing security awareness and training for that supplier base becomes even stronger.
Effective supply chain risk management is more than monitoring whether suppliers have business continuity plans, quality control procedures, or physical security programs. Prioritizing the cybersecurity risk management in the defense industrial base by being a resource to your suppliers is a way of life, especially as a prime contractor, and must become a critical component of business moving forward. Digital resources and certified training programs are great places to direct suppliers who come calling with questions about CMMC compliance.
Digital education programs can be a strong route, and ones like those of CyberSaint's partners became popular because although current cybersecurity credentials for individuals (CISSP, CISM, SANS, etc.) teach the fundamentals of how to achieve a specific set of cybersecurity controls, they can come up short in teaching organizations how to assess their current cybersecurity posture, or how to establish a continuous implementation and improvement program based on industry standards like the CMMC or the NIST Cybersecurity Framework. In the meantime, the CMMC Accreditation Body (AB) provides regular updates with news on CMMC rollout, new developments, and DIB resources.
- 2. Set expectations and over-communicate
When rolling out new requirements, as much as an industry may criticize at times, standards bodies try their hardest to be clear and concise. The CMMC updates are no different, and both the AB, the writers themselves, and the DoD leadership have made efforts to over-communicate, listen, and react to the feedback from the DIB and government entities. Similarly, as a prime contractor, setting and communicating those expectations throughout your supplier base is critical to your success on CMMC in 2020 and beyond.
Work with both information security and business-side leadership to define success criteria for your supply chain - what does good look like - and decide on a mechanism to measure that success. Clear communication across all the layers in your organization itself - from the vendor risk team to the Board of Directors - is critical to success.
A robust supply chain risk management solution that supports CMMC assessment and certification will visualize and simplify the compliance process for prime contractor information security teams and suppliers working to meet the requirements.
- 3. Consider flexible compliance/risk solutions that scale easily and are quick to implement
Enterprises, prime contractors included, are constantly fighting the battle of complexity - but as it turns out, complex security programs don’t need complex solutions. Instead, they need solutions that simplify their cybersecurity strategy and minimize barriers to compliance. Only the most enterprise-ready solutions that support the Cybersecurity Maturity Model Certification will be able to put cybersecurity activities into a business context for security leaders and business-side leadership.
Advanced analytics, dashboarding, reporting, and tracking capabilities are key functionalities to prioritize in a solution to address the Cybersecurity Maturity Model Certification across a prime contractor supplier base. Prime contractor Boards of Directors and infosec teams alike must be able to view and understand supply chain gaps, prioritized plans to close those gaps, and the return on security investment (ROSI) for both the prime contractors down to the individual suppliers at level 1 CMMC certification. Additionally, drill-down capabilities allow suppliers and vendor risk teams to dive into requirements and know where any supplier stands on any CMMC requirements.
Thankfully, CyberSaint’s CyberStrong platform helps organizations achieve the CMMC requirements, helps them track progress towards their CMMC Level of choice, and is used by Primes to manage compliance and risk up and down their supply chain.
Book a demo with us to learn more.