In the Forest of CMMC – Here is How to See Through the Trees
Hi everyone! It’s been a while since we have added our two cents on the current landscape of DFARS 7012 compliance. I’m sure you’ve heard of the Cybersecurity Maturity Model Certification. If you haven’t, please read up on it here: https://www.acq.osd.mil/cmmc/draft.html.
While we have watched a slew of companies jumping on the bandwagon to provide you “CMMC assessments” before the final document was released, Techni-Core has taken a distinctly different approach with our own customers. With the final version being released today, now is the perfect time to discuss how we will be guiding our customers through this ever-evolving program.
Like many of you, we are also a Defense Contractor. We find ourselves saying, “We invested so much money to get DFARS 7012 compliant and now there’s something ELSE we have to be compliant to? How much more can DoD businesses take?”
Our approach has been to carefully watch…and wait…and make sure we have fully received all the information coming forward with CMMC before advising our customers on a path forward. We know how precious your cybersecurity capital is to your operations budget and no company wants to exceed their budgeted cybersecurity activities. Many of our customers say, “I just want to ‘check the box’ of my cyber compliance,” and we certainly understand the frustration of the stakeholders!
There are three reasons we have taken a “wait and see” approach to CMMC:
- The industry BLEW UP when they got a new “marketing” buzz word – it is not our desire to add more noise to the already saturated market of “Experts.”
- The requirements have been in multiple Drafts; and until today, we were waiting for the final version. Who can be an “expert” on a changing set of requirements? That’s just nonsense. Any SME worth their salt knows that you cannot implement cyber security based on shaky requirements. Not just cannot – should not. From our almost 4 years of experience in implementing the security controls for NIST 800-171, we’ve seen this “urgency” dance before (remember the DFARS 7012 “deadline”). We will continue to advise our customers to meet DFARS 7012.
- The most important reason: we are highly protective of our clients’ best interests. Advising them to invest resources above and beyond that which has already been spent on DFARS 7012 and NIST 800-171 (spent being the key word, here) into CMMC when it is not YET a contractual requirement is irresponsible. DFARS 252.204-7012, however, IS a contractual requirement. We know that most contracts with a CMMC flow-down will be looking to require a minimum of CMMC Maturity Level 3 – which ever-so-handily corresponds with the full implementation of the DFARS 252.204-7012 controls. Maintaining compliance to DFARS 7012 and the implementation of NIST 800-171 is our best advice for now – and moving forward into the future.
We have been closely following the progression of CMMC since its appearance on the scene last year. After today’s final version release, we believe that for our customers, the most successful strategy is to know how much of your currently deployed DFARS 7012 compliance is already satisfying CMMC maturity levels. As it stands now, we know our customers who have successfully implemented NIST 800-171 and maintained that implementation are at least meeting CMMC Level 3. They are in a decidedly better position than those who have waited to deploy DFARS 7012 requirements organizationally.
A Side Bar to Those Who Have Waited to Comply with DFARS 252.204-7012: your waiting was a business decision – a management and acceptance of risk. When you signed that new contract, modification, or questionnaire attesting to your compliance with DFARS 7012 and you chose not to fully implement NIST 800-171, that signature/attestation could be considered fraud against the U.S. Government. The reason being, you are attesting compliance by the already-passed deadline of December 2017. The Government is now fining contractors who are non-compliant – remember when the Navy removed the award fee for the entire duration of the contract? OUCH!
Some guidance from the DoD CIO, Katie Arrington: “…CMMC is not going to happen overnight. Let’s just think about the history. The National Institute of Standards and Technology special publication 800-171 came to life in 2014 when President [Barack] Obama signed the executive order and put it into contracts. Do you know how long it took us to get it into contracts? We had until 2017. We gave ourselves to 2018. We just started auditing in 2019. I appreciate the concern about how this will impact. But we understood going in that we couldn’t do this automatically” (https://federalnewsnetwork.com/defense-industry/2020/01/dod-to-drop-second-piece-of-supply-chain-cyber-puzzle/). Arrington continued that the “DoD expects CMMC to take five years to fully roll out” (https://federalnewsnetwork.com/defense-industry/2020/01/dod-to-drop-second-piece-of-supply-chain-cyber-puzzle/). The DoD expects CMMC to fully get off the ground by 2021 – the third-party assessors to certify about 1,500 vendors in 2021, 7,500 more in 2022 and 25,000 more by 2023.
Training of third-party assessors is not even scheduled to start until this spring. Contractual flow-down is not expected until 2021.
We are advising our clients to SLOW DOWN and wait for all of these requirements to come to fruition (e.g. begin to enter into contracts) before making any drastic investments in CMMC. This does not mean we are advising a “no action right now” approach. We are advising that our customers keep a close watch on this ever-evolving program and polish their implementation of DFARS 7012 and NIST 800-171. We are advising them and every contractor to stay educated, stay current, and Fully and Completely implement DFARS 252.204-7012 and its NIST 800-171 requirements. I will say it again, if you have implemented NIST 800-171 and have maintained your in-place security controls, you know you will come into CMMC at the Maturity level 3.
“What can Techni-Core do to help me?”
If you are a company that has worked with Techni-Core in any capacity for DFARS 7012 compliance, please reach out to us. Those customers who have fully implemented DFARS 7012 need to understand that this is a living package that has to be updated yearly, at a minimum. We maintain a schedule of annual review and updates of DFARS 7012/NIST 800-171 packages and periodic CCBs for our DoD contractors.
We are providing an integrated assessment via our TechDART tool that will cross-map your current implementation of NIST 800-171 to your current CMMC level and provide a plan of action & milestones (POA&M) to structure your implementation of any lacking CMMC controls. Techni-Core SMEs will aid customers in checking off POA&M items by providing professional services, technical products/solutions, and employee training.
Call us today for more information on our approach and to schedule your annual DFARS 7012 and NIST 800-171 risk assessment. If you haven’t started your DFARS 7012 compliance process, NOW IS THE TIME.