As the US Department of Defense (DoD) moves its new Cybersecurity Maturity Model Certification (CMMC) program steadily forward, suppliers across the Defense Industrial Base (DIB) need to think about their eventual certification audits. This is a big step up from the current NIST 800-171 self-attestation scenario. Suppliers can no longer “grade their own tests,” and many will need to implement additional controls to achieve the appropriate CMMC certification level.
How big is the impact of CMMC on my business?
To answer DoD suppliers’ top questions on the CMMC rollout, a recent episode of The Virtual CISO Podcast features Stuart Itkin, VP of Products and Marketing for Exostar. While even many DoD subcontractors may not have heard of this key service provider, about 65% of the DoD’s direct spending is transacted through Exostar’s secure platform.
Pivot Point Security’s CISO and Managing Partner, John Verry, hosts the podcast. John has helped many companies that serve government agencies prove they are compliant with regulations like CMMC, NIST 800-171 and FedRAMP.
One view Stuart and John share is that CMMC is “win-win” for the DoD, the DIB and the American people.
A key win the CMMC brings to the DIB is its five compliance levels. For example, Level 1 specifies only 17 controls, and Level 2 specifies 63. In contrast, NIST 800-171 is “one size fits all”.
This “rightsizing” of the compliance footprint could yield major savings in cost and effort for many small suppliers. However, even contracts requiring Level 1 certification will only be open for bids by companies that have passed a CMMC certification audit. By 2026, every new DoD contract will mandate CMMC compliance across the board to the level defined in the RFI or RFP.
What if your organization handles Controlled Unclassified Information (CUI), like engineering specs or the personal data of DoD staff?
This mandates certification via audit to CMMC Level 3 or higher. Level 3 encompasses the full slate of NIST 800-171 controls, and adds about 20 additional/complementary controls.
For organizations that are already NIST 800-171 compliant, or close to it, “the delta from that point is a relatively small one,” confirms Stuart. “Truly being fully 800-171 compliant in the sense that you’ve implemented all 110 controls becomes a real bridge to being able to achieve CMMC Level 3 certification.”
For organizations with robust security postures, the shortest route to CMMC Level 3 compliance and eventual certification is probably a “gap assessment” to ensure existing NIST 800-171 controls are operating as required, and to determine the extent to which the additional CMMC controls may already be covered. Documenting a Plan of Actions and Milestones (POAM) for implementing any missing NIST 800-171 controls is also advisable.
For companies that are farther from their CMMC objective, the path is longer and most likely requires structured steps like establishing goals, scoping your environment, conducting a risk assessment, and so on. (see our CMMC Certification Guide for more specific information)
The goal, as Stuart puts it, is “companies that are complying with 800-171 being audit ready in addition to going down this path for CMMC.”
“Audit ready” means being able to provide evidence of compliance with NIST 800-171 or CMMC per an RFI/RFP to upstream organizations as well as auditors. “It’s not answering the questionnaire, it’s understanding what it is they need to put in place,” Stuart emphasizes.
To listen to the complete podcast episode featuring Stuart Itkin, and a growing number of others like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.