The Cybersecurity Maturity Model Certification (CMMC): the new framework from the Department of Defense that will soon be required for all defense contractors, big or small, sub or prime. While cybersecurity has rightfully been on the minds of those within the Defense Industrial Base (DIB), CMMC sets out to enforce a standard and officially instate a new way of doing things.
CMMC sets itself apart from previously required frameworks. The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) has stated that CMMC will “review and combine various cybersecurity efforts” and “build upon existing regulation” of DFARS 252.204 – 7012. The DoD has a clear mission: protect the DIB from malicious cyber activity. CMMC is meant to be the next logical step in a progression; building on what is already known, standardizing it, and requiring organizations to create sustainable cybersecurity programs varying in sophistication across levels one to five.
Not only will the DIB need to prepare for and implement the requirements of CMMC, they will need to successfully demonstrate their compliance through the process of a third-party audit. When you think you are ready, these CMMC 3rd Party Assessment Organizations (C3PAOs) will evaluate your environment and practices in place and ultimately decide whether you pass or fail in obtaining the required certification.
A New School
If we think about this through the lens of education, the DIB is more or less like students preparing for final exams. The teacher (the DoD) has shared the textbook (the CMMC framework) and now it’s up to you to learn the subject matter and prepare for the exam (C3PAO audit).
Given the variety of organizations within the DIB (regarding size, reliance on technology, or even number of links in their supply chain), a variety of options are and should be considered when preparing for CMMC “exams” down the line. While the traditional, white-paper textbook may work for some students to learn the material, it will not work for all. As with any new assignment, preparing for CMMC should include as many learning and teaching methods that are possible.
The Traditional Method
The current CMMC documentation (the textbook) is dense – over 250 pages dense. For many contractors, unpacking it will be difficult without help. Their only option will be the traditional one: to outsource the problem to an external consultant (tutors). But we all know that some tutors are more effective than others.
For many traditional consultancy engagements, this typically results in sending a team of security analysts to the organization to conduct days, or even weeks’ worth of interviews and information gathering exercises. Consultants then leave and spend another valuable 4-6 weeks drafting what ends up being a 200+ page assessment. Although the intention is to provide a solution, this typically results in confusion, very little actionable information due to lack of context within the report, and more questions than answers. Knowing how to implement solutions that can address the organizations’ gaps are still far from obvious.
This traditional consulting process does not necessarily encourage the transfer of knowledge, it simply provides another textbook. This method may work for some organizations, similar to how some students only need a textbook and truly gain nothing from a lecture, but it can pose a challenge to much of the DIB.
Channel Your Inner Student
Instead of relying on hours of interviews and an overwhelming report, it’s worth exploring other options. Just as students expand their study methods beyond the textbook with internet research, peer collaboration, and asking questions, defense contractors can do the same to tackle CMMC.
1. Expand Your Research.
Online resources regarding CMMC are updated frequently as the DoD continues to iron out logistics and the best methods of implementation across the DIB. Concerning questions about the overall timeline and rollout of CMMC, who it applies to, and potential costs, the official OUSD site is a great place to start before diving into any white paper. Information regarding the C3PAOs is quickly coming to light as well on their page — the CMMC-AB has only recently been formed as whole, and they are quickly defining what they will be looking for as the framework is rolled out.
2. Collaborate With Your Peers.
To better understand the unique cybersecurity environment of an organization, it’s best to start from within. Open communication between IT stakeholders and those responsible for implementing CMMC will quickly provide the best first snapshots at what will be required to achieve compliance. There’s already a lot to prepare for the first Level’s 17 practices that will be baseline requirements, which only expand further across Levels 2-5. It is imperative to discuss not only the logistics, but the potential challenges that lie ahead for relevant teams in order to approach CMMC as a unified organization on the same page — similar to how to approach a group project.
3. Ask questions.
Teachers have always encouraged students to ask questions. We follow the same philosophy – when it comes to cybersecurity you will be much better off if you ask all the questions that come to mind as opposed to refraining. It’s through asking questions that problems are solved, new strategies come to light, and incidents are avoided. Interacting with a new subject requires critical thinking, and being able to formulate even the most abstract questions proves that there’s an effort towards understanding. When reading through the CMMC framework, you’re bound to have questions, and we’re happy to help.
A New Way of Doing Things
While the traditional outside consultant strategy may work for very large suppliers and primes themselves, it is not a solution that will work for the entire DIB. It’s simply too time-consuming and too expensive. A more modern solution will encompass the resources that motivated students already reach for — curating outside resources, using a communication tool, and bringing experts onto their team for a better understanding and faster action towards a goal.
Tetra Defense recognizes the unique “assignment” that the DIB has before them, and that’s why we’re working on Beacon, the CMMC preparation tool with our team behind it. Beacon helps you own your CMMC preparation process by explaining the ins and outs of the framework with an easy-to-understand knowledge base, giving you collaboration tools for your team, and access to on-demand information security professionals to help if you hit a roadblock. This guided approach assesses and educates simultaneously, going far beyond the lone textbook. Solutions to gaps become more visible, and reports yield actionable information. This hybrid tool + team approach is far more efficient than the current status quo, which can easily cost $50K+ and result in more questions than answers. Simply put, Beacon is an efficient, cost-effective, and sustainable CMMC solution that educates organizations of any size.
In the grand task of standardizing cybersecurity across an entire supply chain, it’s unlikely that one method, one tool, or one textbook will do the job. Before resorting to “the way we’ve always done it”, keep in mind that learning and building a safer future comes from interaction and collaboration with a team, with multiple resources, and with innovative solutions beyond the status quo.