I had the pleasure of participating as a panelist this week for companies primarily involved in the maritime industry, and one of the topics discussed was the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification Program (CMMC). The discussion generated questions that I thought merited sharing.
Simply put, the DOD's CMMC Program defines a set of cybersecurity requirements that defense contractors must meet, and be certified against, before they can bid on DOD solicitations. The purpose is to make sure that every contractor that handles sensitive but unclassified government data, namely Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), has a cybersecurity program in place to protect the data it receives from DOD. (Classified information is governed by separate rules; CMMC is aimed at the unclassified networks where most contractors actually process DOD data.)
There are five levels of certification under CMMC. The idea is that an accreditation body chartered by DOD, the CMMC Accreditation Body (CMMC-AB), will accredit third-party assessment organizations (C3PAOs), and those organizations will assess a defense contractor's data security program to determine which of the five levels it has achieved. Once a contractor has been certified, it can bid on an RFP. The level of CMMC certification required will be published in the RFP, and contractors that have not reached that level will not be permitted to bid on the contract. Obviously, for DOD contractors, this is a significant compliance obligation.
The problem is scale: an estimated 350,000 firms will need to be assessed for CMMC certification, yet the Accreditation Body has not determined how the assessment organizations will be accredited, and none of the assessors have been trained.
In the meantime, there is a lot of angst in the defense contractor community about how the CMMC is being rolled out: the process by which the assessment organizations will assess a contractor, whether assessments will be consistent from one contractor (and one assessor) to the next, how a dispute about an assessment will be resolved, and the fact that, in practice, it will be the assessors rather than DOD interpreting what the requirements mean. Doesn't this breed inconsistency and litigation? Perhaps. Another concern is that vendors are marketing their services with the claim that if a defense contractor hires them, they will "guarantee" certification. It reminds me of companies that tout that they are "HIPAA certified," giving health care entities the impression that there is such a thing as HIPAA certification, which does not exist.
The sense from the panel was that the CMMC requirements are here to stay, and if you are a government contractor, reviewing the requirements and preparing for them now is better than waiting until all the guidance and nuances are settled. The basic requirements are not new in the cybersecurity readiness arena: the lower levels track the basic safeguarding controls in FAR 52.204-21, and the higher levels build on NIST SP 800-171, which contractors handling CUI have already been required to implement under DFARS 252.204-7012. Keep in mind, though, that your program may need some flexibility to respond to guidance as it is issued and as more is determined about the assessment process.
One thing was clear: be very wary of any vendor that pitches any type of guarantee of CMMC certification. A consultant can help you prepare, but the certification decision rests with the accredited assessor, not with whoever helped you get ready.