Securing the Defense Industrial Base
The Cybersecurity Maturity Model Certification (CMMC) requires U.S. Department of Defense (DoD) contractors, sub-contractors, and suppliers to adopt information technology security controls to help protect our national interests. We’re all aware of the many efforts by foreign adversaries to compromise intellectual property, trade secrets, and proprietary technologies, and to generally disrupt operations. The DoD has been pushing the defense industrial base (DIB) to adopt more stringent cybersecurity controls for more than 7 years. NIST SP 800-171, DFARS Clause 7012, and FAR Clause 52.204-21 are all intended to coax DIB organizations into improving their cybersecurity practices, processes and hygiene. But, as we might guess, polite asking doesn’t always lead to concrete action.
An Ambitious Goal
A little over two years ago, the Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD A&S) embarked on a mission to ensure the DIB reached a level of cybersecurity practice and maturity that could stem the tide of critical technology and information compromises by foreign competitors and adversaries. A daunting task to be sure, but one both necessary and timely. This effort resulted in the CMMC program, which requires DIB organizations’ cybersecurity programs, practices and systems to be audited. The audits will be conducted by select, authorized third-party assessors. Each audit results in the assignment (or not) of a measured level of compliance. And, with this level of compliance validated, DIB organizations can then work on government contracts (those appropriate to their level of measured compliance).
Speed of a Zamboni
Like the ice-resurfacing machine pictured above, full CMMC implementation seems to be taking its time. Like that same slow-moving, ponderous, obvious and absolutely necessary Zamboni, CMMC looms large. We know it’s there, see its progress, and acknowledge how important it is. It is, however, really difficult to tell when exactly it will reach us.
For those yet to embrace a formal and structured cybersecurity program, and those that have started and are similarly lagging, resource and cost management are important considerations. So too is the real possibility that we might not reach our necessary level of compliance by the time we need our audit, by the time we need to respond to the Request for Proposal, or by the time we need to sign a sub-contract. Missing this gate means loss of revenue and loss of business.
How Much Time Do We Have?
How long does it take to reach a level of cybersecurity program practice and maturity sufficient to pass your audit?
Given the diversity of businesses, services, companies and products, this question is difficult to answer. But there are components to the answer that can help inform our efforts:
- Evaluating your current business practices, contracts, and systems takes time
- Selecting people, processes, technology and policies to meet your objectives takes time
- Training people to incorporate new ways of doing business takes time (and is often the most difficult task)
- Re-evaluating to determine if you’re ready for an assessment, and then addressing any shortfalls, takes time
- Getting on the list for an assessment, and having that assessment performed and results tabulated takes time
If I were to assign some very rough timelines, assuming an organization has either no cybersecurity program or an immature one:
- CMMC Level 1-2: 3 – 6 months
- CMMC Level 3: 9 – 18 months
- CMMC Level 4-5: 24+ months
* There have been discussions regarding the length of time a cybersecurity program must already have been in place and running before it can be evaluated for maturity. This consideration comes into play for all CMMC Levels!