DoD Announces New Cyber Certification Program for Contractors - Is Your Company Prepared for Audits?



In an ongoing effort to maintain information security throughout the defense supply chain, the Department of Defense (DoD) plans to implement a new program called the Cybersecurity Maturity Model Certification (CMMC), which will mandate cybersecurity audits and certifications for DoD contractors.

As announced by Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the DoD, all DoD contractors that interact with Controlled Unclassified Information (CUI) must comply with 110 cybersecurity best practices as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171. Currently, contractors are only asked to self-certify that they have met the security requirements. However, as cyber risk continues to grow at an alarming rate and compliance among the supply base remains insufficient, the DoD now seeks to require additional proof of security through CMMC, which is lacking in the current Defense Federal Acquisition Regulation Supplement (DFARS).

What will this new program change?
With the implementation of CMMC, it will no longer be possible to self-certify compliance. The CMMC initiative requires all contractor information systems to be certified compliant by an outside auditor. This will serve to standardize and unify cybersecurity practices across the entire DoD supply chain while ensuring true compliance with, and understanding of, NIST 800-171 among contractors. Although many of the details of CMMC are still being settled, the DoD has stated that the levels within CMMC will range from basic cyber hygiene to “state-of-the-art,” and that they will capture both security controls and the institutionalization of processes.

Why does this matter to contractors?
Contractors who deal with CUI have been required to comply with NIST 800-171 since it was first released in 2016. However, until now, there has been no auditing or certification program in place to fully guarantee that suppliers have reached compliance. Under this new program, a “go or no-go” process will be established to determine all contract awards. In other words, if a company does not achieve the certification, it cannot receive further contracts from the DoD. In order to continue receiving DoD contracts, remain competitive within the industry and safeguard company information from attack, this certification is essential for all DoD contractors to attain.

How can contractors prepare for these changes?
The CMMC program is still in the development phase, but implementations will begin to unfold over the next year. In the meantime, contractors can start taking steps to reach compliance with NIST 800-171 and prepare for the certification audit. This involves completing an assessment of cybersecurity compliance, a System Security Plan (SSP), a Plan of Action and Milestones (PoAM) and an Incident Response Plan (IRP). 

Going forward, cybersecurity will need to be considered a necessary strategic business initiative among suppliers. Cyber safety must continually be maintained not just to reach compliance, but to ensure the protection of all information as well as the future of the business. 

For companies in need of additional assistance with reaching compliance, learn how The Center’s experts can help here or contact


Jeff Williams, Program Manager, Cybersecurity
Jeff Williams is a Program Manager for The Center’s cybersecurity team, leading our efforts to educate and equip small and medium-sized manufacturers to guard against the growing threat of cyber-attacks. One of his main areas of focus relates to the cybersecurity requirements outlined in NIST Special Publication 800-171, designed to protect the information security systems of contractors working with the Department of Defense. 

Since 1991, the Michigan Manufacturing Technology Center has assisted Michigan’s small and medium-sized businesses to successfully compete and grow. Through personalized services designed to meet the needs of clients, we develop more effective business leaders, drive product and process innovation, promote company-wide operational excellence and foster creative strategies for business growth and greater profitability. Find us at

Categories: Cybersecurity