Companies contracted to work with the U.S. Department of Defense (DoD) bear an incredible amount of responsibility to protect sensitive unclassified information. The Cybersecurity Maturity Model Certification (CMMC) was created to hold contractors accountable to do just this.
But when the initial framework proposal met resistance due to its complexity, DoD cobbled together an updated version that — while, in theory, more straightforward and easier to follow — has significantly delayed the rollout timeline and caused confusion around the steps that must be taken to comply with CMMC’s three levels. For many organizations, it’s not even clear which certification level must be achieved and, in turn, whether the process calls for a self-attestation or a more thorough evaluation by a government-approved third-party assessor (a so-called C3PAO).
The net-net is that many government contractors and aspiring contractors are scrambling to understand their obligations and begin checking the boxes to become compliant.
Recently, Apptega caught up with Carl Carpenter, CEO of Arrakis Consulting, to discuss CMMC’s high stakes, its common misconceptions, and how MSSPs can support the journey to compliance. Listen to the full conversation here.
What’s at Stake?
Failure to comply with CMMC can result in a range of drawbacks and penalties. For one, companies will not be able to bid on DoD contracts. And if a company does secure a government contract and then is found to be non-compliant, it can face potentially business-ending fines and criminal charges.
But the consequences extend far beyond the short-term risks.
Taking a wider view, companies can face irreparable reputation damage and disqualification from future contracts. Negative publicity can result in blacklisting, facing additional audits, and an inability to win future contracts.
By understanding the short- and long-term risks associated with non-compliance, companies can appropriately prioritize meeting CMMC standards and maintaining a strong cybersecurity posture. This is where MSSP support comes in.
Meeting the Mark
MSSPs can play a crucial role in helping businesses achieve CMMC compliance.
Carpenter says that to truly be CMMC compliant, organizations need a "do what you say and say what you do" mindset. In other words, companies need to be able to prove everything.
All cybersecurity procedures and evidence must be documented and tracked to show compliance. Complete accountability is required to prove that controls are being met; MSSPs, for instance, can provide logging and monitoring services to help with that documentation.
Another primary challenge with CMMC is a lack of understanding of what compliance truly entails and, further, a lack of the skill and knowledge needed to implement the necessary controls. MSSPs are uniquely equipped to provide guidance on the requirements and can also assist businesses in identifying and addressing potential vulnerabilities, which is critical for mitigating both the short- and long-term risks associated with non-compliance.
A Quick Reality Check
According to Carpenter, two of the most common pitfalls companies face in pursuing compliance are having a “this is what we’ve always done” attitude and assuming that they will fly under the radar due to their size.
With respect to the first, CMMC is a new framework that requires a new approach. A 20-year-old strategy isn’t going to cut it. The “little guy” defense won’t fly either. In fact, the government has recently shown its willingness to pursue charges for cybersecurity failures against even the smallest organizations.
Utilizing MSSP expertise to bolster framework compliance and information security strategy gives businesses the edge of expert and up-to-date guidance, advanced security technologies, and ongoing support. MSSPs can help ensure that their clients are prepared and protected when it comes to the ever-changing CMMC landscape.
The Future of DoD Contracting
Ultimately, CMMC compliance is crucial because it helps organizations compete for business, mitigate risks, and protect sensitive information, but it’s important to remember that the work does not end once a contract is secured. MSSPs will need to perform ongoing checks to ensure that the information security framework stays up to date and that their clients avoid criminal charges.
Partnering with a qualified MSSP can help businesses achieve and maintain the CMMC compliance that is crucial for protecting sensitive information and maintaining a strong cybersecurity posture and eligibility for government contracts.