YOUNGSTOWN – A new cybersecurity standard being implemented by the Department of Defense is set to overhaul how contractors protect information on their systems. And while it won’t be in full swing until 2025 – and applied only to defense contractors – the framework is likely to have an effect on businesses beyond that supply chain.
This year, the Cybersecurity Maturity Model Certification will be applied to the first contracts as part of its rollout. While the number this year is only about 15 contracts, that will eventually ramp up to all 45,000 contractors and 300,000 subcontractors to the Department of Defense.
The new model, an extension of the current standard to protect controlled unclassified information, implements three major changes from current certification practices.
Earning the Cybersecurity Maturity Model Certification, or CMMC, requires a pass-fail audit, evidence of implementing security measures instead of a checklist of recommendations, and an independent database of compliant companies.
The further down the supply chain a company is, the less stringent the security requirements become. After an audit by a third party, businesses are given a score based on their compliance with CMMC guidelines.
“Some people hold the entire diagram for the missile and some people just have the SKU for a spring,” says Paul Hugenberg, a partner at Rea & Associates, which is certified to conduct CMMC audits. “Based on that, [the Department of Defense] is cognizant of what they’re asking the supply chain to do. CMMC incorporates thresholds for its requirements.”
The audit includes a checklist of security practices. Auditors look at everything from how data are stored to physical access to computers. That includes an examination of company culture around cybersecurity, Hugenberg says.
“Can you show that security is in place and embedded in your company culture? Folks with a lot of dollars in these contracts are looking at regulations that could be cut off if they aren’t aware right now,” he says. “They need to start the process of implementing that culture.”
One of the biggest changes from previous cybersecurity standards is that an audit is required before a contract can be awarded. Compliance with long-standing laws such as the Health Insurance Portability and Accountability Act, or HIPAA, on the other hand, is audited after the fact – if at all.
“If you do not have a CMMC score, you will not get the work. Period. It brings a real, in-your-face downside to not complying,” says Robert Merva, CEO of Avrem Technologies.
For businesses concerned about the standards, Merva offers some words of solace: Many best practices are already incorporated in the CMMC framework. If you’ve been doing what you should, he says, there isn’t much more to do.
“Security needs to be layered. You need to have control over your data, for IT, HR and management. Anti-virus. Strong passwords,” he says. “Businesses need to do the same things they’ve always needed to do. The fundamentals of cybersecurity haven’t changed much.”
Compliance is sorted into five levels that range from the Level One requirement of updated anti-virus software and safe passwords to the Level Five mandate of 171 controls that include network configuration, physical security and network maintenance. Contractors further down the supply chain – in Hugenberg’s example, a company supplying a subcontractor with a common part – need only lower levels, while direct suppliers to the Department of Defense need a Level Five rating.
With that in mind, Hugenberg says most businesses need to be aware of what kind of compliance they must maintain. Businesses contracting with Youngstown State University, he offers as an example, might end up working on a project that falls under CMMC’s requirements.
“There’s the prime [contractor] that has a contract with the government. That contractor then hires subcontractors, who then hire third-level contractors who may contract with a university,” he says. “At the bottom, the person may not know what they’re providing. It may get to an engineering department that needs the whole schematic.”
Any DoD project that requires CMMC certification will have that information stated on the cover, Hugenberg adds, and prime contractors will share that information with subcontractors.
But say you aren’t involved in any projects for the Department of Defense. What does this mean for you? Like most government-mandated cybersecurity measures, the impact isn’t limited to the industry it’s first intended for. The framework is already getting attention from other federal agencies, Hugenberg says.
Merva adds that as new guidelines are launched, groups often begin to adopt their best practices. He points to California’s Consumer Privacy Act, which had a nationwide ripple effect.
“If you don’t think this applies to you today, it will somehow, some way, in a couple of years. There will be some sort of regulation from this that you will need to follow,” Merva says. “The whole world is going to move in this direction.”
Although the lowest levels of the supply chain won’t be affected for a few more years, Hugenberg recommends that businesses begin to look at cybersecurity practices now. If you know what problems need to be addressed today, they can be resolved before you’re affected down the line.
“It can be daunting. Take a self-assessment to get an idea of where you’re at. If you’re lucky, there may not be much to do. If you haven’t been doing anything, it’s probably a major lift,” Hugenberg says. “Hopefully the rollout will give people the ability – before 2025 – to take a breath and set up a budget, or maybe escalate it so you can walk into what your plan needs.”