
Cybersecurity Maturity Model Certification preparation begins for contractors

By Jenna Shackelford, posted Sep 1, 2021 on BizFayetteville.com


The Cybersecurity Maturity Model Certification program, a Department of Defense initiative announced in January 2020, is in the early stages of the implementation process.
The standard applies to anyone who supports the Department of Defense contractually. “Any DOD contractor or subcontractor eventually will need to attain CMMC certification between now and 2026. The whole notion behind this is up until now, cybersecurity was something companies had to attest to,” said Matthew Travis, the CEO of the Cybersecurity Maturity Model Certification Accreditation Board.

There are a plethora of “terms and conditions,” as Travis calls them, that contractors have to sign off on: that they paid their taxes and that they only hire US citizens or eligible, documented immigrants, for example. Cybersecurity is one such parameter. Under the existing rules, which reference the National Institute of Standards and Technology’s SP 800-171 controls, the department relied on contractors to self-report that they were performing the practices and controls for basic cyber hygiene. CMMC builds on those NIST controls but adds further requirements and, critically, requires companies to prove that they meet the standard rather than simply attesting to it.
CMMC-AB is the Pentagon’s exclusive partner for the program. The organization is authorized to accredit the third-party assessment organizations that will conduct CMMC assessments and to certify the individuals who will perform those assessments and teach the training classes.
Edward Petkovich, president of Walsingham Group, a Fayetteville-based company specializing in the operations, maintenance and support of critical infrastructure and government-owned, contractor-operated facilities, already sees businesses preparing for the full implementation of CMMC firsthand. 
“Even though we are a few years away from the end-all, where that policy takes effect and that law of the land takes effect, and no contract will be awarded without that vendor meeting the requirement, we are seeing right now contracts and solicitations and procurements and acquisitions that are incorporating aspects of this,” Petkovich said.
Jaron Cayton, president of TeamLogic IT, says his company is working with clients to help them comply with CMMC. 
“We’re trying to do two things: We’re trying to make sure we have the basic cybersecurity practices in place and well-documented. And then, we’re trying to make sure that we are not only documenting them but that we have a tool by which we can audit them,” Cayton said. "That’s the biggest change from previous compliance guidelines. CMMC is going to ask you to see the policy, see it in action, and then show the report on how you audit to make sure this is happening regularly.”
Cayton expressed a concern that many companies have shared as they try to adhere to CMMC: the cost. “My hope is that the government is taking some of that into consideration because it is a big ask of all your contractors and it could potentially hurt some of the smaller contractors that can’t meet even level one, and there are 5 levels of CMMC,” he said.
Travis breaks the costs down into two categories: the cost to implement CMMC and the cost to be assessed.
Ideally, Travis says, because independent third-party assessment organizations perform the assessments and compete with one another for that work, the price of an assessment should come down over time. The accreditation board expects that to be the case.
All five levels of CMMC are rigorous, but the requirements a contractor must meet vary by level, so some levels demand considerably more effort than others. “It may be that you only need that first maturity Level One, which is very basic cyber hygiene,” Travis said. “But if you’re a big [contractor] — Raytheon or Boeing — you can imagine you’ll be needing up to Level Five ... Think of a ladder scale. But the higher you go the more requirements there are.”
That being said, the CMMC-AB, TeamLogic IT and Walsingham Group agree that contractors should not wait until the last minute to learn about what CMMC will mean for them.
Travis expects that some contractors will wait until the last minute to prepare for certification, but he stresses that investing in cybersecurity now, and leaving enough time to get the details right, is important. He urges contractors to look into Registered Practitioners, consultants trained through the CMMC-AB who can guide them through the process. He also points out that the accreditation board holds virtual town halls to talk through issues, provide information and answer questions. The board emphasizes public engagement and is willing to speak to groups such as local chambers of commerce to help people understand CMMC more thoroughly.
Kelly George, director of security at Walsingham Group, advises contractors to start keeping records of their cybersecurity measures now.
“The key piece for companies is they have to show a longstanding history of cyber hygiene when that inspector walks in the door. I better have a year of data and event logs and things to show that inspector. You can’t do it overnight. It’s a long-term process,” she said.
Aside from procrastination, Cayton sees two major issues that businesses will face as they dive into the application of CMMC. First, the work has to happen alongside normal operations. “These projects take time to plan and implement and obviously our clients and our team are trying to run businesses while we do this ... We can’t just simply say we’re going to shut down and implement these things and then turn everything back on.”
Secondly, the nature of complying with CMMC is tedious and putting in the work to meet the standards can be frustrating when you cannot tell you’re making progress. “It’s more of an attitude of it being a marathon, not a sprint, and prioritizing that time accordingly,” Cayton said.
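George’s point about having “a year of data and event logs” ready for an assessor, and Cayton’s point about needing a tool to audit that a practice is actually happening, both come down to being able to demonstrate continuous evidence rather than a snapshot. The script below is an added illustration, not code from the article or from any of the companies quoted: it takes a list of dates for which a daily log archive was retained (a constructed sample here, with a few days deliberately missing), checks it against a required retention window, and reports the coverage percentage and any gaps an assessor would ask about. The window length, the sample dates and the `coverage_report` function are all assumptions made for the example.

```python
from datetime import date, timedelta


def daily_range(start, end):
    """Yield every date from start to end, inclusive."""
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)


# Constructed sample data, not from any real environment: one ISO date per day
# for which a daily log archive was retained. Three days in March and one day
# in June are deliberately left out to simulate a log-collector outage.
SAMPLE_LOG_DATES = [
    d.isoformat()
    for d in daily_range(date(2020, 9, 1), date(2021, 8, 31))
    if not (date(2021, 3, 10) <= d <= date(2021, 3, 12))
    and d != date(2021, 6, 30)
]


def find_gaps(present, start, end):
    """Return a list of (gap_start, gap_end) inclusive date pairs for every
    run of days in [start, end] that has no retained log."""
    gaps = []
    gap_start = None
    for d in daily_range(start, end):
        if d in present:
            if gap_start is not None:
                gaps.append((gap_start, d - timedelta(days=1)))
                gap_start = None
        elif gap_start is None:
            gap_start = d
    if gap_start is not None:
        gaps.append((gap_start, end))
    return gaps


def coverage_report(log_dates, as_of, window_days=365):
    """Compare retained log dates against a required window ending on as_of
    (ISO string) and summarize coverage. Dates outside the window are ignored."""
    end = date.fromisoformat(as_of)
    start = end - timedelta(days=window_days - 1)
    present = {date.fromisoformat(s) for s in log_dates}
    gaps = find_gaps(present, start, end)
    missing = sum((g_end - g_start).days + 1 for g_start, g_end in gaps)
    covered = window_days - missing
    return {
        "window_start": start.isoformat(),
        "window_end": end.isoformat(),
        "required_days": window_days,
        "covered_days": covered,
        "coverage_pct": round(100.0 * covered / window_days, 1),
        "gaps": [(a.isoformat(), b.isoformat()) for a, b in gaps],
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_LOG_DATES, as_of="2021-08-31")
    print(f"Window {report['window_start']} to {report['window_end']}: "
          f"{report['covered_days']}/{report['required_days']} days "
          f"({report['coverage_pct']}%) have retained logs")
    for gap_start, gap_end in report["gaps"]:
        print(f"  gap: {gap_start} to {gap_end}")
```

Running the same check on a schedule, and keeping its output, is the kind of audit trail Cayton describes: the policy says logs are retained for a year, the archive shows the practice in action, and the report shows that someone is checking. Each gap in the output is something to explain to an assessor before the visit, not during it.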
Some contractors may be frustrated by the new means of cybersecurity accountability, but Petkovich believes that businesses need to welcome the change, not just by leading by example, but by recognizing the need for best cybersecurity practices. “I will tell you, it needs to be embraced by the business,” he said. “We laugh, like, ‘Do we really have to do this?’ I do ... I really, no kidding, have to lock myself down and make sure I’m not cheating and I’m not doing a disservice to the company. I may be the weakest link if I think I’m the exception to the rule. It needs to be embraced by management.”



Copyright © 2024 Enhanced Media Management Inc. dba Greater Fayetteville Business Journal
This story may be displayed, reformatted and printed for your personal, noncommercial use only and in accordance with our Terms of Service located at https://bizfayetteville.com/useragreement.