Yes, it's still 2019, let's take advantage
The draft of the U.S. Department of Defense’s new Cybersecurity Maturity Model Certification (CMMC) framework has just been released. In January of 2020 the first official version will be released, in June 2020 it will be seen in requests for information, and in fall it will appear in RFPs. How can you prepare your company before the DoD sends out independent non-profit third-party auditors? In this blog post we answer that question. If you don’t know what the CMMC is, then go ahead and read our previous blog post on it and follow us on social media to stay up to date with the DoD’s new CMMC framework.
Statistical Reality Check
- “Zero companies were 100% compliant.
- On average companies implemented only 39% of the controls.
- 61% of the controls were either not implemented or only partially implemented.
- Large companies, on average, successfully implemented nearly 60% of the controls.
- Small to mid-sized companies, on average, successfully implemented 34% of the controls.
- Over 80% of companies assessed failed to implement 16 specific controls.”
Accept the Past, Prepare for the Future
Let’s face it, more than likely your company is missing a decent number of the required NIST SP 800-171 security controls. That’s why the government came out with the new CMMC program. Implementing all NIST SP 800-171 controls was a tough proposition in the first place (especially for smaller DoD contractors); the good news is that you have some time to work on your security program. If your company was already working on implementing the NIST SP 800-171 framework, then it should continue to work on it, as a proper implementation will very likely give you a CMMC level of 3. Many of the controls in NIST SP 800-171 are the same as or similar to the controls in the new CMMC draft, so you can’t go wrong with continuing your NIST SP 800-171 project.
Was NIST SP 800-171 Overkill for Your Company?
“If you’re on a contract for boots and you’re the subcontractor who’s sewing the eyelets for the laces, you may not need state of the art cybersecurity,” she said. “We want them to have good cyber hygiene. We want them to protect their employees, their IP, but as far as the government, we should not be sending them anything more than the instructions on how to make the eyelet, and a level-one certification would be good enough. The prime contractor may need a level three, because they’re receiving controlled unclassified data that has to do with where the boots need to be shipped. The contract will have specific areas of work that will have specific levels of maturity that will be needed. That’s why we’re doing an entire reeducation of our contracting officers and program managers. We want them to really understand what security is going to cost, and why you need it.” That was Katie Arrington, the special assistant for cyber in the Office of the Assistant Secretary of Defense for Acquisition, with the quote sourced from FNN. So if you are a company that is producing bootlaces for the DoD, or something similar, then it may not be a good use of resources to implement all NIST SP 800-171 controls trying to achieve a level 3 (unless of course you are trying to expand your company’s ability to go after more complex DoD projects). Let’s look at the different DoD levels to see what it takes to achieve one.
Cybersecurity Maturity Model (CMMC) Levels, which one should you prepare for?
As can be seen in the graphic below, all levels of the CMMC model demand different levels of security:
The graphic below does a good job of showing how much more complicated meeting a control at a higher level is compared to meeting one at a lower level; from it you can deduce how much effort it will take to meet your goal.
If your current Department of Defense contract requires that you implement the 110 NIST SP 800-171 controls, then I wouldn’t shoot for less than a level 3. If you currently have a DoD contract but your contract doesn’t state a NIST SP 800-171 requirement, then you should still work to improve your security program; shooting for a level 2 won’t hurt, as you will be more prepared if you get hit with a level 3 requirement by the DoD.
- Many companies have done poorly regarding NIST SP 800-171 implementation.
- If you are required to implement NIST SP 800-171, I advise that you continue doing so or get started now.
- If you are a DoD contractor and were not required to implement NIST SP 800-171, trying to implement the level 2 CMMC controls is a good idea.
- If you need any help preparing for the CMMC feel free to reach out.