If your company does business with the US Department of Defense in any capacity, you’ll soon need to prove to an independent auditor that you’re in compliance with the new Cybersecurity Maturity Model Certification (CMMC) to the level your contract specifies.
For many SMBs in the US Defense Industrial Base (DIB), this is a business-critical challenge.
Even CMMC Level 1—so-called “Basic Cyber Hygiene”—mandates a more formal information security program than many SMBs have in place today.
To share some fresh ideas on how small government suppliers can meet these looming compliance challenges, we interviewed Chris Lank on a recent episode of The Virtual CISO Podcast. Chris is Founder and CEO at Ivis Technologies, which offers a SaaS platform to help US government contractors of all sizes manage their risk and compliance programs.
“Even very small mom-and-pop type shops that do business within the DIB have to have these programs in place in order to continue doing business with the government,” Chris emphasizes. “With CMMC, they’ve gone to ‘trust, but verify.’ Now I’m going to have to present these findings on what I have done and put in place in front of what they’re calling the C3PAOs [Certified Third-Party Assessment Organizations] to actually assess what I have done and completed, and give me a certification on top of it. That’s what the radical change is here.”
Chris continues: “If you do any type of business with them [prime contractors] in any way, shape or form you’ll have to be CMMC Level 1 certified. That’s a janitorial service that comes onsite, or someone who brings food onsite. The government’s attitude is that if I have a catering company and I have a van with my name and my URL on the side and they see me there delivering food, I’m low-hanging fruit to a hacker. I’m a lot easier to hack than let’s say, Boeing.”
“So you’re going to start seeing the government really push the primes, and I think the primes have gotten this message already that we have to make sure if you do business with us, if we exchange money with you for any types of goods or services, whether you handle CUI or not, you’ve got to at least have this bare minimum Level 1 in place,” asserts Chris.
Chris then points out that recent audits of 20 prime contractors on NIST 800-171 compliance found only 2 to be in compliance—and even these had Plans of Action and Milestones.
(POAMs) in place. “So now we’re talking about organizations that have probably unlimited resources to throw at this, and they still can’t get NIST 800-171 in place. Now you’re saying to a small supplier, you not only now have to do these 110 controls from NIST 800-171 to get to CMMC Level 3, but also there’s 20 additional controls on top of that plus 51 processes you have to manage.”
In other words, SMB suppliers to the DoD have a lot of work to do to get ready for their CMMC assessments. “Phoning it in” is not an option as the CMMC is all about verification.
One of the ways that SMBs in the DIB can cost-effectively accelerate the maturation of their cybersecurity and compliance programs is to leverage a cloud-based compliance management platform. These tools can help companies achieve CMMC compliance, maintain certification and reduce ongoing compliance risk, and automate documentation and reporting take some of the pain out of audits. Additionally, many such tools can be used to support multiple compliance objectives, not just CMMC.
If your company will need to comply with CMMC, now is the time to get your planning underway, including looking at whether a SaaS compliance tool can streamline your efforts. Our podcast with Chris Lank is a great introduction to CMMC compliance issues for SMBs, and how a SaaS tool can potentially help.