April 7, 2022

Last Updated on January 19, 2024

There’s a good reason why leading security standards like ISO 27001 and the NIST Cybersecurity Framework strongly emphasize the importance of executive support for security programs. Without it, your program is toast.

So why—with their firm’s ability to participate in US Department of Defense (DoD) contracts on the line—are so many SMB defense suppliers struggling to get their C-suites to pay attention to cybersecurity contract prerequisites?

To give orgs in the US defense industrial base (DIB) a leg up on CMMC 2.0 challenges, CMMC experts Kyle Lai, founder and CISO at KLC Consulting, and Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security, were co-guests on a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.

“Make this go away”

The CMMC program has admittedly had its starts and stops. Before that it was self-attested compliance with seemingly no penalty for non-compliance. So why spend money on security now?

“Most senior management, they want to believe this is an IT issue,” remarks Kyle. “That is, until somebody says, ‘This is going to cost you like a million dollars.’ Then it’s, like, ‘Make this go away. We don’t have that kind of money. You deal with it.’ So, the costs involved are really a problem when you actually need buy-in.”

If a company hasn’t yet invested in IT security and “suddenly” has to comply with a comprehensive cybersecurity framework like NIST 800-171, the cost curve will be steep. Some businesses don’t even have foundational tools like Microsoft Active Directory in place, let alone access controls, security information and event management (SIEM), or other table-stakes controls. These capabilities take money to implement and maintain, and people need training to use them effectively.

DoD Requirements 101

As costs add up, senior management could get “sticker shock.” Further, the C-suite may lack a full understanding of the organization-wide scope of CMMC compliance requirements and the fact that CMMC is not merely an IT and/or compliance issue. The advice of a trusted third-party expert can be extremely valuable in this context… but that costs money, too.

Kyle recommends educating senior leaders on the DoD requirements and the consequences of noncompliance: “Because the first thing they will ask is, ‘What is the penalty?’ If the penalty is low, [they want to] just deal with the penalty. Make sure that senior management understands what is the cost and what is the impact and what is the risk. They need to understand this is something they have to do.”

Is this willful ignorance?

In John’s view, a lack of management awareness at this point is hard to fathom. After all, many DIB SMBs have been subject to NIST 800-171 compliance since 2017. They’ve been in violation of their contracts all this time, and every invoice they send that asserts they’re in compliance puts them in violation of the False Claims Act.

“Is this just willful ignorance?” John asks. “Because this shouldn’t be a major investment. The audit should be the investment. They should have had this whole program in place prior.”

“I think some of it is negligent ignorance and some of it is willful ignorance,” Caleb replies. “And we’ve seen the direct results of that by now. Primes pushing out the flowdowns in their contracts and pushing out these questionnaires and making sure that they’re covered. It seems like nobody was really reading their contract clauses up to this point—and that’s still an issue.”

Moving beyond box-checking

When a “check-the-box” mentality prevails, CMMC compliance gets pigeonholed as an IT issue. The IT manager gets stuck with it, but often IT doesn’t understand the business reasons behind the effort.

“Most of the time when we talk to clients or potential clients and ask them, ‘What’s your stake in all of this?’, they say, ‘We were told by someone that we need to have a CMMC certification,’” Caleb discloses. “There’s no understanding of why.”

What’s needed is a top-down knowledge of what the organizational risk is, how the security landscape relates to that risk, and how best to address those risks—one of which is CMMC non-compliance.

“But you’ve got this disconnect between your IT folks that are doing the bulk of the work and senior leadership, who should bear the onus of responsibility for why the company is doing these things,” offers Caleb. “Sometimes it’s just the IT guy who is working with a prime and they hear, ‘You guys are going to have to be NIST 800-171 compliant and you need a CMMC certification.’ Then they run that back up to their senior leadership, who say, ‘Oh, we never heard of that before. I’m not too worried about it since Bob from prime said it. We need some documentation on that. Maybe you already have it and you just didn’t read it.’”

Meanwhile, non-compliance is a major business risk. If the IT person says, ‘Yeah, we got most of that stuff. We got pretty good security,’ management shouldn’t just accept that assertion without verification.

As Caleb comments, “That’s going to put some people in a world of hurt.”

Yesterday, no penalty. Today, big penalty.

If you’re at the helm of an established manufacturing company that’s been doing business in the defense industry for decades and suddenly you’ve got a False Claims Act suit from the Department of Justice on your desk, that’s a pretty loud wakeup call.

Kyle explains: “Unfortunately, I think when the DFARS 7012 first came out, a lot of the box checkers were business development people. ‘Do you have this? Yep, we do.’ But what has been the penalty? Nothing, right? I think that’s the biggest problem.”

What’s next?

To get all the great guidance in this show from Caleb and Kyle, click here.
Want some actionable tips on how to communicate security issues to business leaders? You’ll love this podcast with consultant and author Dr. Eric Cole: EP#53 – Dr. Eric Cole – You Are a Target: Assessing Cybersecurity Risk