Security 360° Perspective: Slow CMMC Boat to Arrive; Rules Being Finalized
Companies must prudently gather evidence of the controls protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in support of 2025 defense contracts.
While the date on which CMMC will apply to any given company varies sharply, there is NO REASON to wait. The longer you wait, the less likely you are to be able to demonstrate compliance when a contract requires it.
Most security programs are born in reaction to compliance requirements. The best programs evolve into a culture that proactively safeguards protected information and the facilities that process it, well beyond what compliance demands. The Military Industrial Base (MIB) contains companies with security programs across the full spectrum of maturity, and where each company falls is unknown. The Department of Defense has not yet measured program capabilities, but it will do so shortly. It is time to prepare to demonstrate the maturity level your contracts require.
Forty years have passed waiting for an auditable framework. In 1984, contractor attestation began with the Federal Acquisition Regulation (FAR). The Department of Defense (DoD) later layered cybersecurity obligations on top through the Defense Federal Acquisition Regulation Supplement (DFARS), most notably clause 252.204-7012 and its NIST SP 800-171 requirements, still relying on self-attestation. In 2020, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC) to add verification of those DFARS requirements. Companies now need verified evidence of their controls.
According to a study performed by Merrill Research, “the majority of contractors do not have the people, processes and technologies in place to meet the minimum cybersecurity requirements for doing business with the DoD, but often assess their companies as compliant when conducting their self-assessments”.[i] Until now, the government has largely accepted a contracting organization’s own attestation of its controls. An unvalidated attestation can be far from reality: the evidence behind a statement may not exist, or may even contradict it. An independent review now would likely identify issues and enable remediation before an assessor finds them.
Many in the MIB have fallen asleep waiting for CMMC to be implemented. The first delay came from the redesign of the model itself, and the change was significant. Version 1.0 was released in January 2020 and replaced by CMMC 2.0 in November 2021, less than two years later. CMMC 1.0 had five levels; 2.0 has only three, named Foundational (Level 1), Advanced (Level 2), and Expert (Level 3). The information a contractor handles under each contract dictates the level required.
The biggest delay has been in the verification and enforcement rules themselves, what the DoD calls rulemaking. As of July 17, 2024, the DoD forecasted publication of the final rule for the CMMC 2.0 program in the Federal Register by October 26, 2024. That is just weeks away! The DoD intends to begin applying the rule as soon as it can after that. The rule, 32 CFR 170[ii], is designated a major rule, so under the Congressional Review Act it cannot take effect until at least 60 days after it is published and submitted to Congress, and contract clauses that invoke it must follow. That puts applicability to actual contracts roughly six months out. A gap assessment can identify the remediation needed to reach your target level before CMMC is mandated.
Two assessment paths exist. Every company in the Military Industrial Base should at least be performing a self-assessment against the practices for its target level. Many are taking the added step of being independently certified, which CMMC 2.0 requires for most Level 2 contracts (by a CMMC Third-Party Assessment Organization, or C3PAO) and for Level 3 (assessed by the DoD itself).
For decades, compliance was done manually, using spreadsheets to capture attestations, evidence, findings, and action plans. Companies ran their organization one way while reporting compliance another way, an approach that breeds both compliance findings and inefficiency. Consider choosing an audit firm that offers an AI-enabled platform to manage your controls and audit against them. Choosing an independent audit firm is a non-trivial exercise, and the 2024 Compliance Benchmark Report[iii] offers some considerations before proceeding. Almost half (45%) of survey respondents found their compliance process cumbersome and would switch audit providers for efficiency. Many firms (44%) are using AI to optimize the compliance process. Clients choose their auditor based on experience (32%), ability to audit using tools and technologies (22%), and report quality (19%).
Our motto is Trust But Verify. The DoD will adopt that motto soon. Let us help you build verifiable security now, efficiently, in preparation for CMMC!
---------------------------------
Donald Borsay is an advisor, auditor, and instructor, with over 20 years dedicated to Cybersecurity. Borsay is a thought leader and Security Advisor for Coyote Brown, supporting Cybersecurity program initiation, assessment, and fractional CISO managed services. Borsay has worked within the MIB for over 9 years. Feedback is welcome at: Donald.borsay@cyberbuyer.io.
Coyote Brown offers Cybersecurity Advisory, Consulting, and Assessment Services, composed of highly experienced strategic cybersecurity advisors and consultants helping clients maintain a healthy cyber security posture.
Tech City Advisors is an IT Service Provider with specialized knowledge of information technology. It has commercial partnerships with over 300 technology vendors, enabling it to resell and support their products for clients.
[i] BREAKING: Few Companies Ready for CMMC Compliance, Study Finds - https://www.nationaldefensemagazine.org/articles/2024/10/1/few-companies-ready-for-cmmc-compliance-study-finds
[ii] Cybersecurity Maturity Model Certification (CMMC) Program - https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program
[iii] The A-LIGN 2024 Compliance Benchmark Report - https://go.a-lign.com/Benchmark-Report-2024