Key takeaways from WT's CMMC Summit

Advice and insights flowed hot and heavy at the Washington Technology CMMC Summit that covered the intricacies of that four-letter acronym for the Defense Department’s cybersecurity initiative.

The Cybersecurity Maturity Model Certification is DOD’s program to ensure the defense industrial base's systems that contain sensitive government data are secure.

CMMC's concept and goal are easy to grasp, but it has several complexities and nuances that the speakers at Thursday’s event tried to convey.

Government contractors have up to three levels of CMMC certification they can obtain, with Level 1 the lowest and Level 3 the highest.

To reach Level 1, companies can self-attest to the National Institute of Standards and Technology Standard 801-171 that describes the needed controls for securing systems.

But when the final CMMC rule is out next year, most defense contractors will need to be at Level 2 and that requires third-party assessments of their systems.

The final rule will also describe how to attain Level 3. The catalyst that will force companies to move from Level 2 to Level 3 is not clear yet.

March 2023 is the earliest timeframe for the final rule's release, but it likely will not go into effect for a few more months. The requirements will not be retroactive, but will begin to appear in certain new contract requirements.

DOD will phase the requirement in over several years until all defense contracts carry it.

Here are four key takeaways we gleaned from the speakers at last week’s event.

Waiting is the wrong way to go

As Robert Metzger made abundantly clear in his opening keynote, it’s a mistake for defense contractors to wait for the final rule before making moves to comply the NIST standard.

Metzger is considered by many to be the "father of CMMC" for co-authoring a report that lays out the standard's guiding principles.

He urged companies to use CMMC and the NIST standard as starting points for building secure networks and systems.

“Be secure beforehand for the sake of your employees, your lenders, your clients, your customers, your investors,” Metzger said.

One size will not fit all

NIST Standard 801-171 describes 110 security controls. What controls companies should focus on depends on the systems and the data in them. Metzger said a “spread the peanut butter smoothly” approach is not the right thing to do.

Speakers said these basic steps are where companies can make the most impact: understanding systems and the data in them, how that data flows through systems and focusing security investments on areas that will make the most impact.

For example, some companies may only have contract and procurement data in their systems. They will only need CMMC Level 1. Other companies whose systems have engineering plans may need to invest more in other areas to protect that information.

That is a guide to determine whether CMMC Level 1 is enough or whether to move to Level 2.

Small business resources are available

CMMC has been a challenge for many small businesses. But after DOD paused the initiative and then relaunched it as CMMC 2.0, the department also has stepped up efforts to provide resources and support for small businesses.

Also speaking at summit was Kelley Kiernan, director of Deep Blue Cyber -- an Air Force effort she is taking to the Navy in order to make training and other information available to small businesses free of charge.

She holds a weekly "Ask-Me-Anything" session for small businesses through the Deep Blue Cyber website. The site also includes upcoming training events on a range of topics including policy and guidance, oversight and a variety of how-to presentations.

Complementing Deep Blue Cyber was a presentation on Project Spectrum, another DOD organization focused on cybersecurity. They work with companies one-on-one to help them achieve a better cybersecurity posture.

Kareem Sykes, Project Spectrum's program manager, said that organization can help small businesses take a step-by-step approach that starts with current cybersecurity posture and identifying next steps, then moves to measuring progress.

“When you know your starting point, you look at risk differently,” Sykes said. “The risks you thought you had sometimes aren’t the risks you have.”

That is the starting point for determining where to invest, the needed training and how to stay up-to-date.

Make cybersecurity a way of life

Sykes and other speakers emphasized that cybersecurity, and the CMMC standard when it is in place, is more about the people and organizational culture.

“Your business is your fortress and your employees are the guards,” Sykes said.

Looking at CMMC as a checklist is the wrong approach. Getting a Level 2 certification requires documentation but that is not the point, several speakers said.

Companies need to show how they implement policies and procedures, or in essence that actions must reflect the policies. That stretches from the network administrator to the receptionist at the front desk.

More resources

The entire CMMC Summit is available on demand at the Washington Technology website. Click here.