Take a breath, DIB community. There’s time to prepare.
I promise this blog post will not be a recap of the CMMC or Katie Arrington’s recent road show presentation. My hope is to calm the fears generated by the various scare tactics being used to acquire CMMC-related business across the DIB. In addition, I hope to offer some practical advice to consider as your organization prepares for the CMMC.
Let’s first recap the reality. Yes, despite our feelings about the execution of CMMC, it appears to be here to stay. That said, the maturity model is still quite immature. While v1.0 has been released, much remains to be defined. The first thing you should do to prepare is read the CMMC standard and review the CMMC AB site; their candid Do’s and Don’ts are my favorite.
It has been widely reported that DoD will identify the appropriate CMMC level for each contract. Apart from the rule that any contract involving Controlled Unclassified Information (CUI) requires at least CMMC Level 3, no real criteria have been published for assigning a particular CMMC level. And with CMMC scope still undefined, jumping the gun and aiming for CMMC Level 4/5 might not make financial sense for your organization.
Does this mean you should wait to prepare until your RFI identifies a level? Of course not. There are several preliminary steps an organization can take to prepare without prematurely hiring a third party.
Things You Can and Should Do Now
As mentioned above, start with the standard. And, as with anything related to security and compliance, there is room for interpretation and differing opinions about it. This is far from an exhaustive list, but based on my almost 20 years of experience in this business, it should be enough to guide you in setting a target state.
1. Audit your DoD portfolio. Know what, how much and how important your DoD portfolio is to your organization (and to the DoD). This will help you anticipate the CMMC level(s) you will likely need to achieve.
   - What and how much are you actually doing for the DoD?
   - Get familiar with the different types of CUI from an authoritative source. Categorize your contracts by the sensitivity of the work and by products vs. services delivered.
   - Review the DFARS clauses within your existing contracts. Is DFARS 252.204-7012 even in your contract(s)? If so, you know you are starting at Level 3.
   - Consider the above for planned opportunities targeted for the next five years.
   - What makes your product/service special, or is it special? How are you currently protecting that intellectual property?
   - Identify the specific partners/vendors that play a role in your delivery to DoD. Consider the questions above for each.
2. Once you have analyzed your portfolio, try to anticipate your CMMC level(s).
   - Service contracts with no secret sauce and no data exchange beyond what is publicly available could potentially be placed in the CMMC Level 1 bucket.
   - Contracts where the government provides, or your organization generates, CUI will be in the CMMC Level 3+ bucket.
   - Any unclassified product or service with an affiliation to a weapon, physical or technical surveillance, transportation, or life and limb is likely in the Level 4/5 bucket.
3. Identify where the data associated with #1 and #2 resides within your organization and how it is managed and secured.
4. Complete a high-level gap analysis between the relevant CMMC level you identified in #2 and the published standard.
5. Determine whether the standard exceeds your organization’s skills, abilities and/or resources. From there you can assign internal resources or solicit specific third-party support, if needed, to prepare for the target CMMC level.
There are shortcomings with this approach, as there are with CMMC itself. Until the assessment criteria, scope and process are finalized, it is impossible for anyone to commit to compliance. Companies trying to be first to market on this effort will likely earn a stigma of solely chasing a business opportunity rather than seeking to be a partner in solving this very critical issue.
In my opinion, long-term success with CMMC will be found in supporting the CMMC AB, specifically honoring their Do’s and Don’ts and providing constructive criticism where appropriate. Kudos to Stacy Bostjanick for calling out these companies during a recent AFCEA event. There is no doubt that DIB security is needed; contributing to the noise and confusion will only set us back.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.