What you need to know about CMMC — today

Protecting against cyber-attack is a component of nearly every business, but those in the Defense community now have another critical reason to incorporate cybersecurity best practices into their operations. Because of the Department of Defense’s Cybersecurity Maturity Model framework, businesses in the defense industrial base (DIB) have new rules and guidance about how they must protect sensitive but unclassified information.

Soon, CMMC will be a required component of every defense contract with the Government.

This framework adds new regulatory considerations for everyone in the defense sector- even materials and subassembly providers.

Why does CMMC matter?

The CMMC framework raises questions for many – starting with “why should I be concerned with CMMC?” There are five key reasons why CMMC matters:

1. CMMC is designed to protect sensitive-but-unclassified information. The intentional or accidental release of this information could be harmful to our country.
2. The ever-growing network of defense contractors and suppliers with access to sensitive information vastly expands our nation’s attack surface, making it more important than ever to implement a standardized framework to protect ourselves from cybercrimes.
3. The government is expected to require every defense contractor to be CMMC compliant by 2026. Anyone wishing to do business with the government must demonstrate compliance with CMMC practices.
4. The maturity model is designed to prepare businesses with enhanced security practices to detect, respond, and recover from cyber-attacks. It also aims to make organizations more resilient when a cyberattack does happen, making the recovery process faster and less expensive.
5. Cybercrime has become a costly problem – with its impacts estimated to drain nearly $600 billion from our GDP each year.

Positioning your businesses’ operations to protect against unintentional or malicious data leaks through CMMC helps to safeguard both our nation’s data and your bottom line. 

What is CMMC designed to protect?

CMMC is a set of regulations designed to safeguard information that is very sensitive but doesn’t meet the criteria to be classified (e.g., as Secret or Top Secret). Generally speaking, this refers to anything that could reveal important information about our defense systems or techniques.

Protecting this information from unintended release is important to our national security. In a worst-case scenario, adversaries can exploit controlled unclassified information (CUI) to harm our warfighters or critical systems. The CMMC framework is designed to provide organizations with the tools to safeguard this important data.

Who should be concerned about protecting CUI?

Anyone who has access to CUI is responsible for protecting it – regardless of the business’ purpose, size or type.

Most organizations in the DIB handle CUI at some point in doing their business. This is because CUI can come in many forms. CUI can include anything from blueprints to die designs, contract documentation, taxpayer information, and even parts lists.

The common thread across all CUI is that it is created by or on behalf of the DoD and is typically related to a defense end-use or system.

However, protecting CUI is often a tricky proposition, especially for subcontractors, suppliers and subassembly manufacturers. That’s because a business in one of these roles can be far removed from their products’ end uses; it may not even know that data it has is considered CUI. As an added challenge, many suppliers and manufacturers have had to pay little attention to cybersecurity management in the past. Without in-house cyber know-how and expertise, achieving CMMC can seem more intimidating.

The DoD realizes that small and medium size businesses have a disproportionate burden and risk from a cyber perspective because they may lack the vast resources large businesses have to implement rigorous cybersecurity programs. And with this in mind, CMMC is designed to unify cyber regulations while making government-mandated cyber practices accessible to organizations of all sizes.

Why does CMMC compliance matter to my business?

Beyond its aim to make our nation safer, CMMC can actually provide your business with some worthwhile benefits.

CMMC is designed to normalize and standardize cybersecurity practices across the industry, making participating organizations and our nation more resistant and resilient to cyberattack. While rigorous, CMMC provides businesses with a robust program for protecting themselves and their data from inside and outside threats. This is a big benefit to all companies who seek to steel themselves against cybercrime of all types, ranging from disgruntled employees to nation-state attackers.

Becoming CMMC compliant is also a differentiator for those intending to do business with organizations that exist within the DoD supply chain. Businesses with the program and credentials to support CMM certification have demonstrated their willingness and preparedness to protect our most sensitive information – making them a trusted collaborator in the national mission.

Eventually, every business that wants to work with the government as either a prime or subcontractor will need to adopt CMMC. Undoubtedly, the rigor required to comply with CMMC will lead some current defense contractors to decide to vacate the market entirely, creating more opportunities for those with CMMC compliance to win awards.

When does CMMC take effect?

In 2020, the government started releasing some acquisitions that require CMMC.

By 2026, the government expects that every contract will require CMMC.

Why should my company start preparing for CMMC now?

While 2026 seems far away, there are many factors involved in achieving CMMC, some that may take several years, so you may need to begin preparing your business as soon as possible.

Achieving CMMC compliance can be an intimidating proposition because of its interconnected nature, its rigorous technical requirements, and the continuous movement of the data it is designed to protect. For many businesses, preparing for CMMC starts with understanding where CUI is found in your business. Mapping this is key to establishing the controls and safeguards that will keep it safe.

CMMC is based on the principles of National Institute of Standards and Technology (NIST 800-171), which establishes basic controls for CUI. The Defense Federal Acquisition Regulations (DFAR) 252.204-7012 required compliance with NIST 800-171 by the end of 2017.

As you prepare for CMMC, you will first need to establish compliance with NIST 800-171, a process that might require a two- to three- year deployment.

Done efficiently, NIST 800-171 requirements roll directly into CMMC, saving valuable time and implementation cost. That’s because CMMC can inherit many NIST 800-171 processes, streamlining compliance.

While it may seem overwhelming, working with an organization certified as a Registered Provider Organization (RPO) can help. RPOs have undergone the due diligence of rigorous background checks and demonstrated a comprehensive understanding of cyber threats and the CMMC process.

For many, working with an RPO, like Wipfli LLC, in the early stages of CMMC preparation can expedite the process, quickly moving through a readiness assessment and towards a plan for compliance and certification.

Where can I learn more about CMMC?

Click here to read more about Wipfli’s CMMC services.

Or check out these additional resources:

• How to prepare for CMMC
• A guide to CMMC: Who it applies to, how it will impact you, what parts of your org it applies to