The Defense Industrial Base (DIB), the organizations that make up the U.S. Department of Defense’s (DoD) supply chain, is massive, comprising hundreds of thousands of government contractors. With these organizations providing essential products, tools, and applications to the military, it is critical that this vast cyber footprint maintains a hardened cybersecurity posture. This is especially true in the age of digital transformation and modernization.
To protect the large amounts of critical defense information and data that they work with, it is imperative that the defense contracting community meets a certain set of cybersecurity criteria when partnering with and supporting the U.S. Department of Defense (DoD).
Enter the Cybersecurity Maturity Model Certification (CMMC). CMMC is a three-level cybersecurity certification program aimed at federal government contractors looking to partner with the DoD. CMMC provides contractors with a framework of best cybersecurity practices that they should implement in order to protect their organizations – and the federal defense customers they serve – from malicious cyber actors.
Depending on the level of security that specific defense information and data require, government contractors may be mandated to achieve a certain level of CMMC controls and standards. DIB organizations working with federal contract information (FCI) will almost certainly be required to meet CMMC Level 1 requirements. But depending on the types of data and information, some DIB organizations may be mandated to implement further cybersecurity practices and protocols.
To learn more about CMMC and how organizations seeking certification (OSC) can prepare for CMMC Level 2+ assessments, the GovCyberHub sat down with Brian Hajost, COO of SteelCloud.
Here is what he had to say:
GovCyberHub (GCH): What is CMMC and why should the DIB and government contractors be looking into getting certified?
Brian Hajost: CMMC is an acronym for Cybersecurity Maturity Model Certification. CMMC is a program that the DoD initiated to help better secure its contractors, mission partners, and supply chain.
GCH: Is CMMC certification a requirement for today’s government contractors? If not, why should contractors still seek out CMMC certification for their organization? Will the DoD make it a requirement for contracts in the future?
Brian Hajost: CMMC is not a government contract requirement today. But in 2023, CMMC certification will be a requirement for contractors to participate in programs that include access to confidential unclassified data.
Those requirements will start showing up in acquisitions next year. However, the latest revision of CMMC closely aligns it with NIST 800-171, which is a requirement today. Any contractor that wants to get a jump-start on CMMC certification should make the effort to closely align their internal system compliance with 800-171.
GCH: What are the repercussions if organizations choose to forgo CMMC certification?
Brian Hajost: The considerations are two-fold. At some point, virtually every program handling confidential government data will have a CMMC certification requirement. If a contractor does not have the certification, they will be closed out of these types of opportunities.
More importantly, prime contractors may use CMMC certification in their process to vet subcontractors, even before CMMC certification is required. Prime contractors will consider that future task orders may have CMMC requirements, and they will want to make sure they have the right team in place.
GCH: What is CMMC Level 2+? How is it different from CMMC Level 1? Who does it affect? What cyber hygiene requirements do OSCs need to meet?
Brian Hajost: The CMMC level requirement difference is based on the type of data that the contractor stores or uses. For processing simple FCI (Federal Contract Information), the contractor only needs to achieve a CMMC Level 1 certification. Only a fraction of the total controls are necessary at this level. Most Level 1 assessments will be through self-certification.
CMMC Level 2+ is required for contractors handling CUI (Controlled Unclassified Information) data. Certification at Level 2 will mostly be through a third-party assessor. Level 3 assessments will most likely be conducted by the government itself.
GCH: For OSCs who need to achieve CMMC Level 2+, what qualities and attributes should they be looking for when searching for a Certified Third-Party Assessor Organization (C3PAO) to certify them?
Brian Hajost: A list of C3PAOs is available on the CMMC AB’s website. It is hard to generalize the best fit between a contractor and a C3PAO. Good advice would be to interview 2-3 C3PAOs to find the best fit.
GCH: Another path for OSCs to achieve CMMC certification is through a Registered Practitioner Organization (RPO). What is the difference between a C3PAO and an RPO, and for what reasons would an OSC select to hire one over the other?
Brian Hajost: There is some confusion between RPOs and C3PAOs. To clarify, a contractor can use an RPO or a C3PAO to assist them in getting ready for an assessment.
Certification can ONLY be reached by employing a C3PAO for the assessment. No matter their designation, a CMMC consulting organization cannot provide pre-assessment and certification services to the same contractor.
GCH: As for the C3PAOs and the RPOs themselves, how should they prepare when dealing with CMMC Level 2+ certification for OSCs?
Brian Hajost: To effectively assist contractors, RPOs and C3PAOs are well-versed in other certification/assessment processes (i.e., RMF, FedRAMP, etc.). They must go through the training provided through the CMMC AB as well as follow the government’s and the CMMC AB activities closely.