On January 31, 2020, the Honorable Ellen Lord, who currently serves as the Under Secretary of Defense for Acquisition and Sustainment, delivered the opening statement at the beginning of the official press briefing for the release of Cybersecurity Maturity Model Certification (CMMC) version 1.0. During her remarks, she said, “We know that the adversary looks at our most vulnerable link, which is usually 6-7-8 levels down in the supply chain.”
This has been a common theme among government and military cybersecurity experts and professionals over the past few years. In fact, it’s been a topic of conversation at many of the cybersecurity-focused government events and conferences that I’ve attended recently – the military has a massive supply chain and that supply chain is vulnerable to attacks. This is why the Department of Defense (DoD) introduced the CMMC certification process in the first place.
However, while there are significant and understandable concerns about supply chain security, there are just as many concerns about the impact that introducing a cybersecurity certification for government contractors will have on the smaller companies that provide products and services to the DoD. According to Ellen Lord, “One of my biggest concerns is implementing CMMC for small and medium businesses, because that is where a large part of innovation comes from.”
I believe the fact that SMBs were so deliberately and specifically addressed in her opening statement is indeed a sign that every effort will be made to ensure that innovative and capable small and medium businesses will continue to be able to contribute and participate in implementing effective cybersecurity measures within DoD, while attaining and maintaining the appropriate levels of compliance with CMMC.
What is in the works that demonstrates DoD’s commitment to helping small and medium businesses understand CMMC? What is the DoD doing to help these companies position themselves to meet the requirements without compromising the soundness of the cybersecurity measures that protect our national security?
A CMMC plan for SMBs
Katie Arrington, the Special Assistant to the Under Secretary of Defense for Acquisition and Sustainment, shared several insights that pointed to tangible mechanisms and resources that they have put into place to help small businesses. These include:
- Market Place: expected to be launched on the CMMC Accreditation Body website in late March or early April, Market Place will provide contractors with additional information on the process and identify C3PAO organizations that they will be able to work with for assessments/audits.
- CMMC “Pathfinder” Programs: specific programs designed to identify current contracts within DoD that can serve as an example of how they would relate to the CMMC implementation.
She was also careful to state explicitly that it is not true that SMBs will be held to the same level of certification as the “primes.” For example, if an SMB will not “touch” CUI (Controlled Unclassified Information), it would potentially need only a “Level 1” CMMC certification. Katie Arrington also referenced upcoming investments in CMMC training, coming in June 2020, that will be another resource available via the DAU (Defense Acquisition University) website.
According to Ellen Lord, CMMC’s desired end state is to, “…build a Cyber-Safe, Cyber-Secure, and Cyber-Resilient Defense Industrial Base (DIB).” And I believe that she intends to do so while making sure that CMMC is attainable for SMBs. With a plan in place to make certification possible for SMBs, the DoD can continue to benefit from leveraging the critical innovation they provide without compromising our national security.