Perspective on the state of CMMC – July 2021
Disclaimer: This is based on a general perspective amalgamated out of the past several months of news and specification revisions rather than any insider information and should not be considered at all authoritative.
CMMC threw the greater defense industrial base into a whirlwind of confusion with poor government communication, a cottage industry of un-accredited CMMC consulting, and concerns over the cost to small and medium firms. Over the past month, yet more smoke has billowed up, with the House Small Business Committee holding hearings, Katie Arrington, the DoD CISO serving as the public face, getting put on administrative leave, an early member of the CMMC Accreditation Body’s board resigning, and distribution of official notices warning of unauthorized providers.
At Oxalis, we talk to a lot of DoD contractors and find that this noise and confusion is creating either analysis paralysis or investment in anything that promises to be CMMC-ready, whether that promise is accurate or not. We want to help cut through that noise and give our perspective on how all DoD contractors can make clear plans forward.
If You’re Currently Meeting DFARS Contractual Requirements, CMMC Will Be Easy
Oversimplifying, the CEO-level summary of CMMC is that instead of self-certifying that they meet security requirements, firms will now need to be audited by a third party (3PAO). That’s it.
Yes, there is some change in the language of the requirements and a few non-trivial new requirements, but those are minor in contrast with the auditing requirement. Viewed through that lens, CMMC compliance and certification should be relatively inexpensive – tighten up policies, find an auditor and add some incremental tracking.
CMMC forces companies to ask if they have truly been in compliance with their current requirements, and many are finding that the answer is “no”. With C-suite attention, DIB firms are recognizing that their system security plans (SSPs) are superficial, their plans of action & milestones (POAMs) serve as a graveyard of good ideas and missed deadlines, and their bidding/contracting teams do not know which security rules they are actually attesting to meet.
At Oxalis, our perspective is that this is the gap between the DoD’s view that CMMC should be relatively inexpensive and the reality of firms, some of whom are facing $250,000+ estimates for getting certified.
Get your house in order and make sure you’re meeting your current requirements before diving straight into CMMC. Remember that there is personal criminal liability associated with failing to protect government information (although it is rarely prosecuted), and ensuring you meet the requirements of DFARS 7012/7019 will serve as a stepping stone to CMMC Level 3.
The DoD Will Require More Than “Just” CMMC
The current security standards landscape already causes confusion, but DoD contractors need to remember that on the majority of contracts, the cyber security requirements (DFARS 7012, etc.) include meeting NIST 800-171 and then more. Similarly, many contracts have NOFORN (No foreign persons, aka ITAR) restrictions.
CMMC, even at level 5, doesn’t have any requirements that meet those ‘extras’. The DoD has not given any guidance on how (or if) they will continue adding their specific requirements. At Oxalis, we cannot see a case where those requirements will go away even with the full adoption of CMMC.
We all get imprecise with language, but when it comes to compliance and certification, no one can afford imprecision when differentiating between Controlled Unclassified Information (CUI) and Controlled Defense Information (CDI) and recognizing what your “High Water Mark” is for compliance. Similarly, just because a vendor or service is FedRAMP certified doesn’t mean they meet ITAR requirements.
As an example, many defense contractors use Microsoft’s Cloud Services – Office 365, Azure Cloud, etc. When looking at secure versions of those offerings, Microsoft 365 Government (GCC) and Azure Commercial meet the requirements of CMMC Level 3 and (very excitingly) DFARS 7012. There is a really big asterisk here: those offerings do NOT meet ITAR/NOFORN requirements, which call for GCC-High for O365 and Azure Government for cloud hosting.
Figure: US Government Compliance in Microsoft Services (from Understanding Compliance Between Commercial, Government and DoD Offerings – February 2021 Update)
Understand your highest security requirement(s) when looking at and evaluating providers and services. Take a fine-tooth comb to your government contracts and look for key clauses that would force you to look at more restrictive services.
Despite the Noise, CMMC Will Happen
Improving the security of our nationally sensitive information and the digital safety of defense firms remains a critical initiative, only gaining importance from recent attacks such as the SolarWinds hack. At Oxalis, we believe the changes in CMMC are critical to improving the cyber defense of the nation, and moving away from unverified self-certification is a necessary change. The entire Defense Industrial Base, already committed to the defense of the nation and the safety of our warfighters, should view the goals of CMMC as furthering their missions and vital to all of our security.
The awkward rollout, poor communication, and lack of financial support may mean the program gets revised with a new name or the timeline gets delayed. The core idea, though – independent verification of the cyber security of the firms working with sensitive information – will stay and be part of contracts in the near future.
While the rollout may be phased in and slow, being ready for the first contracts requiring CMMC or its equivalent is business-critical. For prime contractors, it will only take one RFQ you can’t bid on to cause reputational damage with your customer, leading to major organizational changes. For subcontractors, because of the requirement to certify the entire supply chain, the inability to participate on contracts will lead to primes building their businesses around subs that they can work with from day 1.
You cannot wait and hope that the chaos around CMMC will either give you time to worry about this later or make it go away altogether. It is critical that firms working with the DoD start planning and getting ready now.
While CMMC (or equivalent) will happen (and is a good idea), the largest gap we see is the financial support to aid small and medium businesses in adopting these best practices. CMMC-related costs are supposed to be reimbursable in contracts, but that doesn’t help when the work needs to be done now, years in advance of potential bids, and in a low-margin, cost-sensitive industry. Continue to advocate to your customers and government representatives that national cybersecurity infrastructure is something that requires federal support now.
What Oxalis Is Doing
We’re committed to helping our customers, the industry, and the nation meet the challenges of the modern cyber security landscape, with increased threats, changes to the work environment, and an increase in volumes of data. In our work to help transform industries we’ve always put compliance and security first and continue to push the ball downfield to meet the evolving landscape.
We continue to make security-first offerings:
- All our offerings are built to meet compliance needs – whether robust logging, identity management, or MFA/2FA, we’ve already thought through the implications.
- Flexible deployment models to meet your security needs and risk tolerance – whether on-prem, in a hybrid environment, or on a sovereign cloud provider (Azure Government or AWS GovCloud), we meet you where you are.
- We’ve recently become a Microsoft Government Solutions provider which, in addition to our existing AWS and Atlassian partnerships, helps us offer comprehensive security solutions.
- Looking over the horizon to future needs. While CMMC and 800-171 will drive the next several years, the threats and defenses continue to evolve. We’re already meeting many of the requirements of NIST 800-172 and are actively working to make sure we and our customers are ready to meet the security needs of not just the next few years but the next decade.
Schedule time to discuss how we can help you meet and exceed your current and future security requirements.