What Being “Audit-Ready” Means Today for DoD Suppliers

Last Updated on January 19, 2024

The Cybersecurity Maturity Model Certification (CMMC) program is the US Department of Defense (DoD’s) answer to a massive national security problem: $600 billion lost annually to cyber-enabled theft of intellectual property from the US Defense Industrial Base (DIB). The Chinese J-31 fighter jet, built with stolen tech paid for by US taxpayers, is a sweeping censure of the current situation, which is based on contractors’ self-attested compliance with the NIST 800-171 cybersecurity framework.
The DoD is moving the CMMC forward with all deliberate speed. But that’s not the only step the agency is taking to strengthen the DIB’s cyber defenses. During the CMMC rollout, the DoD will be conducting more frequent and more in-depth audits of suppliers’ NIST 800-171 self-attestations. Failure to accurately report compliance status can lead to prosecution under the False Claims Act, and/or block participation in DoD contracts.

What do DoD contractors and subcontractors need to do to be “audit-ready” during the CMMC rollout?

A recent episode of The Virtual CISO Podcast addresses this question in-depth. It features Stuart Itkin, VP of Products and Marketing for Exostar, a major cybersecurity service provider to the DIB.

Hosting the podcast is Pivot Point Security’s CISO and Managing Partner, John Verry. John has helped many US government contractors achieve and prove compliance with regulations like NIST 800-171, FedRAMP and HITRUST.
Stuart notes that suppliers need to be CMMC compliant by the time that contracts with CMMC requirements come out. Katie Arrington, the DoD’s CISO for Acquisition, has stated that the DoD plans to include CMMC at various levels in ten RFIs and ten RFPs in 2020, with approximately 1,500 suppliers needing to be certified as CMMC compliant prior to these contracts being awarded in 2021.
Stuart also confirms that scrutiny of organizations’ compliance with NIST 800-171 will significantly increase going forward: “The number of audit teams that the DCMA [The Defense Contract Management Agency] has is almost quadrupled over the last year. The recognition that CMMC is being put in place because 800-171 alone with self-attestation, having people grade their own tests, hasn’t been an effective mechanism to really thwart the leakage of CUI to adversaries.”
“So while CMMC is being put in, I think at the same time DoD through DCMA is saying we need to put some more teeth into 800-171 through audits, through greater scrutiny, to ensure that people are really putting in the controls they say they are under 171, and moving from a POAM [Plan of Actions & Milestones] to actually doing the things that they’ve said in their POAMs,” Stuart adds. “I think the DoD is telling people, ‘We need to take this seriously.’ It’s not just the process of 800-171 self-attestation or CMMC certification—but the recognition that the cybersecurity of the supply chain is a national defense priority.”
A further key point from the podcast is that “audit readiness” isn’t just about compliance with NIST 800-171 or CMMC—it’s also about firms creating solid security controls. “It’s not answering the questionnaire, it’s understanding what it is they need to put in place,” Stuart underscores.
The bottom line for DoD prime contractors and their suppliers of all sizes is that their cybersecurity posture has never been more central to business success. Proactively addressing NIST SP 800-171 controls now will reduce the challenges of dealing with CMMC certification in parallel with 800-171 self-attestation, make it easier to pass a CMMC audit, and ultimately confer an edge over slower competitors.
To listen to the full podcast episode with Stuart Itkin, and check out the rest of the series including the opening episode with Katie Arrington, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.