5 steps to building an early advantage in CMMC


With CMMC on the horizon, Redspin's chief information security officer Thomas Graham explains the five steps organizations should take to show they are an early adopter.

With Cybersecurity Maturity Model Certification on the horizon, and as it begins to expand beyond the Department of Defense into other government agencies, there is an advantage for organizations who get involved early.

By beginning the process now, government contractors are able to validate their compliance with NIST 800-171 rev. 2, gain a competitive advantage, and avoid potential roadblocks in the future, such as assessment/assessor bottlenecks.

To get started, organizations can take several steps to validate that they meet the upcoming requirement and to leverage the advantages of being early adopters before CMMC becomes final.

Conduct a Comprehensive Current Compliance Review

Start by conducting a full review of your current adherence to NIST SP 800-171 rev 2 as stipulated under DFARS 7012. If you have a DFARS 7012 requirement in your contract, then you are already accountable for the implementation of NIST SP 800-171 rev 2.

One of the biggest misconceptions about CMMC is that it’s a forcing mechanism, when it is merely a validation process by third -party assessment organizations. Implementation requirements are not CMMC.

The implementation requirements are from DFARS 7012, and they have already been codified to include the DoD addressing concerns about implementation costs. In the 32 CFR proposed rule that was released in December 2023, the DoD provided comments/concerns provided to the agency upfront around implementation costs.

The DoD noted that these concerns were addressed when DFARS 7012 was codified and that CMMC is simply the verification of the requirement.

Also, with the recent release of NIST SP 800-171 rev 3 the concern was that now organizations would be held to the new requirements. However, the DoD amended DFARS 7012 to specify NIST SP 800-171 rev 2 will be the baseline for the foreseeable future.

Conducting a comprehensive current compliance review is vital as it lays the groundwork for CMMC readiness and emphasizes the importance of addressing any discrepancies found during this self-assessment to avoid penalties under the False Claims Act.

Prioritize Gap Mitigation

Upon identifying compliance gaps, prioritize their resolution based on the complexity and the resources required. Focus on both technological upgrades, such as enhanced security firewalls and SIEM systems, and procedural modifications including training and improved CUI handling processes.

Keep in mind that one of the requirements under NIST 800-171 rev 2 is how you as the organization conducts flaw remediation. This is in addition to if you track open findings in a POA&M until completion.

Engage with a C3PAO Early

Engage with a C3PAO for an early assessment to gauge your readiness for CMMC. Early assessment can help you understand your current standing and queue up for certification before the rush.

Once CMMC becomes mandatory, there may be an assessment bottleneck as there may not be nearly enough Certified CMMC Assessors (CCAs) available to handle the 100k+ organizations who will need an assessment. This includes MSPs and MSSPs if nothing changes in the final rule.

Participate in Voluntary CMMC Programs

Take part in the Joint Surveillance Assessment Program (JSVAP or JSVA), if possible. Taking place in the JSVA, an early adopter CMMC program, not only demonstrates your proactive approach but will also transition into formal certifications once the rule becomes final, giving JSVA participants a competitive edge.

Once the rules are finalized, then anyone who has achieved a 110 score as part of the voluntary program and was issued a DIBCAC High certification will see this transition to a CMMC Level 2 Certification.

This allows them to focus on winning new business, rather than having to deal with the queues that inevitably will happen at the onset of the formal program. It also provides additional leverage regarding why their proposal should have additional weight versus others submitting bids.

By participating in the JSVA, you also can properly define how the other members of your team are addressing the same DFARS 7012 requirements. It allows you to plan if you are going to flow-down the requirements or require your team to store, process, or transmit the information only within your environment.

If your organization is not going to do this, it provides the opportunity for you as the Prime on a particular contract to require members of your team to show verification of NIST 800-171 implementation.

Implement a Continuous Compliance Strategy

Develop a strategy for continuous improvement and compliance that includes regular reviews and updates to cybersecurity practices. This ongoing process ensures that your organization remains compliant and adapts to new updates, stays ahead of emerging threats, and is ready for the next round of assessments when the time comes.

Taking these proactive steps ensures that your organization will not only meet the forthcoming CMMC requirements but will also stand out as a leader in the defense contracting industry. With CMMC set to become final soon, now is the time to move forward decisively, ensuring readiness and securing a strategic advantage in the competitive landscape.

CMMC is not going away. If you look at the history, the government has been moving towards this for the last decade with the implementation of standard categorization of CUI.

By having a standard categorization across agencies, the next step was to identify the minimum requirements of how to properly protect it (NIST 800-171).

The final step is to validate organizations are properly implementing the requirements and that brings us to CMMC. Several years ago, when DFARS 7019, 7020, and 7021 were introduced, the information gleaned from only DCMA assessments has been illuminating in and of itself.

Thomas Graham is vice president and chief information security officer with Redspin.