The U.S. Department of Defense’s new compliance program for the defense supply chain, CMMC, has been evolving for over a year and is about to enter an initial readiness phase. But to what degree will both prime contractors and their subcontractors be ready to be CMMC certified, and therefore be eligible to be awarded DOD contracts?
The official version of CMMC V1.0 was published on Jan. 31, 2020. Since then and throughout the spring, more information has become available regarding the CMMC Accreditation Body (CMMC AB) – the outside organization responsible for training and registering CMMC assessors.
Now, as we enter the summer, CMMC direction is becoming more refined. The CMMC Accreditation Body is adding details and structure to the CMMC ecosystem.
Applications are now being accepted for four levels of assessors and assessment organizations. Applications are also open for Registered Practitioners — individuals and organizations that facilitate CMMC understanding (but do not perform certified consulting).
As we continue throughout the summer, here’s what else may be coming.
More details about assessment practices: Look forward to the possible release of a CMMC Assessment Guide that provides more information about CMMC processes, and details of what assessors may be looking for in terms of documentation or artifacts for each practice. This information could be an important foundation for assessor training.
Assessor Training: The CMMC AB is still working on this — expect to see more details this summer about Licensed Instructors, Licensed Training Providers, and training material.
A CMMC Marketplace: This would be a website where defense contractors and subs may be able to find registered assessors, assessment companies, registered practitioners, and providers.
Supply Chain Readiness – Will Defense Subcontractors Be Ready?
Selected CMMC directions are more onerous for DOD suppliers than previous cybersecurity compliance programs. First, CMMC compliance will be required as of the date of contract award. Second, whereas previous programs such as NIST 800-171 allowed self-certification “declarations” of compliance, under CMMC an army of third-party assessors will assess companies for compliance.
And where prime defense contractors need to team with many subs, those subs will also likely need to be CMMC certified.
What then are the key issues that prime defense contractors should be addressing beyond their own internal readiness?
- Has your Board of Directors, either as a whole or via its Risk Management or other Committee, considered the potential impacts of your subcontractors’ CMMC readiness on important DOD RFPs?
- Are you tracking the progress of CMMC readiness of your subcontractors?
- Are you facilitating the CMMC readiness of your subs?
- Since CMMC requirements will undoubtedly evolve, do you have a strategy to evolve your subcontractors’ readiness as the CMMC requirements evolve?
- If you have experience with previous compliance programs such as NIST 800-171, do you have plans for yourself (and possibly for your subs) to address the three domains new to CMMC: Asset Management, Recovery, and Situational Awareness?
- Compliance programs in the past have had ambiguities and grey areas because assessors must exercise judgment. CMMC is no different. Do you have strategies defined to deal with clashes of interpretation between suppliers and assessors over requirements and compliance?
Senior management interest in CMMC compliance may be higher than with previous compliance programs. Among members of the CMMC Academy, a free initiative of Celerium, executives make up about 25% of members from CMMC Level 1, 2 and 4 companies, and about 11% of members from CMMC Level 3 and 5 companies.
Overall, the bottom-line question is, will primes find themselves so preoccupied with their own CMMC compliance that they may fail to address, in time, their subcontractor compliance?
An upcoming virtual event hosted by the CMMC Academy will address many of these questions and issues. Featuring Katie Arrington, the CISO for the DOD Acquisitions Office, the free event will facilitate necessary discussions regarding CMMC readiness. Additional speakers include Andrew Hoover of the Software Engineering Institute at Carnegie Mellon University and one of the original architects of the CMMC model; Commander s.g. Jesper Rasmussen, Defense Industrial Attaché at the Royal Danish Embassy in the United States; and Jeffrey Troy, President and CEO of Aviation ISAC. Registration for this virtual event is now open.
Author Background: Tommy McDowell has experience as a compliance planner and auditor with classified systems and NIST 800-53. His work in cyberthreat intelligence includes positions at Mandiant and FireEye as well as Retail ISAC. He is currently the General Manager of Celerium, a cyber threat intelligence and sharing company.
CMMC Academy Background: Tommy also leads the CMMC Academy, a Celerium initiative that provides free CMMC videos, webinars, reference guides, and self-assessment information to defense contractors and subcontractors. Members of the CMMC Academy International Alliance include the American Danish Business Council and Aviation ISAC. The Academy’s sponsors include Bank of America and Citi Private Bank.