Since 2019, the Government Contracting (GovCon) community has believed that the Cybersecurity Maturity Model Certification (CMMC) will either fail or companies will not have to worry until at least 2025. Apptega has collaborated with SoundWay Consulting, Inc. (SoundWay) to investigate the rationale behind this opinion and the results are problematic.  The U.S. Government has guidance documents that pertain to CMMC but are not prescriptive. The reason, the Government doesn’t want to tell the industry how to go about achieving the objectives of each security control.  Conversely, Industry desperately wants to be told exactly what to do. So, it’s almost a chicken and egg debate. Either way, this creates consternation about what is to come.  

The U.S. Department of Defense (DoD) recently released a memorandum signaling its increasing willingness to review contractor compliance with cybersecurity standards in its contracts and take action against noncompliant contractors.  However, because of the Government's historical “lack of enforcement”, GovCons are focusing their sights on the 2025-2026 timetables. 

What's Wrong with Waiting? 

GovCons are focusing on “CMMC” and conflating this with legal obligations under the Defense Federal Acquisition Regulations Supplement (DFARs). While it is true that both rely heavily on the National Institute of Standards and Technology Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations”, CMMC is merely a third-party means of ensuring the DFARs are actually being adequately addressed. The DFARs clause has been in play for over six years now and the majority of GovCons that have previously attested to conformance have unfortunately not held up their end of the agreement. This goes back to the Government’s history of non-enforcement that created a type of “easement” if you will where Industry doesn’t conform and Government looks the other way,….until now. 

When a GovCon takes a position of continuously waiting, their challenges become exponential the longer they wait. Some things to consider: 

  1. As a GovCon, if you look at your existing contracts and you have “252.204-7012” or “800-171” clauses in there, regardless of when CMMC is fully ratified by the Government, you are legally on the hook to address right now. 
  2. Large primes are already asking for proof from their subcontractors of conformance with DFARs and in some cases, CMMC.  
  3. If you do not have anything in place as of the date you read this, you will likely require a runway of 8-12 months to adopt and operationalize all 320 control objectives as prescribed under 800-171.

I Don't Even Have CUI

While the 320 control objectives do apply to only those organizations that will have to obtain a CMMC Level 2 certification, keep in mind that is targeting an estimated 80,000 companies that are anticipated to have contracts with CUI according to the DOD CISO. SoundWay has heard on multiple occasions from existing clients and prospects, “We don’t have CUI” so we will be Level 1. When asked how they know they don’t have any CUI they either have a moment of pause or default to “nothing is marked by the Government as CUI”. Both responses are incorrect and will put you in harm’s way and here are the reasons why: 

  1. Do not look at the construct based on today’s date. What types of data do you currently possess OR anticipate you will need to possess in pursuit of future contracts that are consistent with the Dod's CUI Registry?  
  2. If a DoD solicitation comes out with CMMC L2 requirements, regardless of if you anticipated it or not, without the certification, you cannot bid on the opportunity. 

Be careful what you ask for

In the original version of CMMC, everyone was going to have to obtain a certification. It didn’t matter if you sold satellite weaponry or bottles of soda. The only thing that varied was the level of adoption. In the original approach, the DoD estimated out of roughly 300,000 GovCons, 10% (or 30,000) would need to be at what is now Level 2. Industry pushed back hard with claims of costs and burdens being too overwhelming. The Government capitulated to the industry’s demands and in December of 2021 under CMMC 2.0, the Level 1 obligations (same as under CMMC 1.0) will no longer require independent validation.  That’s a win for GovCon’s right? Well, not so fast. Let’s examine the results. 

  1. Instead of an estimated 30,000 companies requiring a formal CMMC certification by a CMMC Third Party Assessing Organization (C3PAO), the number is now 80,000, which more than doubled! 
  2. Those firms that will only conform with CMMC L1 will be obligated to have the CEO, President, or business owner attest (in wet ink) that they are compliant with all 59 objectives as prescribed by the 17 controls from 800-171. A willful misrepresentation constitutes a false claim and subsequently can trigger a breach of contract. 
  3. While CMMC 2.0 came out in December of 2021, the Department of Justice launched a new office in October of 2021 to specifically go after firms that misrepresent their company’s cybersecurity posture in order to win a contract. Coincidence or collaboration between DoD and DoJ? Regardless, it's bad news if you fail to adopt as contractually required.

It's too much for me to grasp and how do I even start? Apptega Can Help!

Apptega and SoundWay hear these concerns from the industry a lot. This is the very reason Apptega created a platform designed specifically for GovCons to assess their current readiness and measure their program’s progress in a single pane of glass. Regardless of if you desire CMMC Level 1 or Level 2, the platform is already preconfigured to allow its users to rapidly conduct initial assessments, auto-generate System Security Plans (SSP), construct Plans of Actions and Milestones (POAMs), and perform continuous monitoring of their cybersecurity program, which is, in fact, a “requirement” under DFARs.  

The platform also even now allows you to identify your Supplier Performance Risk System Score (SPRS) which is also now required under an interim rule issued by the Government.  

However, if you do not have an employee or contractor that has hands-on experience performing Authorizations to Operate (ATOs), there is a high likelihood that you will not respond to the security control objectives correctly. The fidelity of the data is critical as to the old theory of “garbage in = garbage out”. SoundWay has examined numerous SSPs of clients that either attempted on their own or created by other tools and the data supports that unless you have an individual that is highly skilled in understanding what an assessor will look for, you are likely spinning your wheels with no forward movement.  

The internal costs of having somebody responsible for these activities are quite high. This is specifically the reason why SoundWay created its Separation of Duties service offering to complement Apptega’s Governance, Risk & Compliance platform. By adopting this approach, you will have higher assurances of meeting requirements imposed by your Primes, the Department of Defense, and even your cybersecurity liability insurance providers. 

Author: Carter Schoenberg, Vice President of SoundWay Consulting Inc.

Join us this August 9th, 2022, in our upcoming webinar, CMMC 2.0 - A Wait and See Game?, to learn how your organization can start planning its CMMC compliance strategy.