Reaching compliance with a new framework is never a simple process. When it comes to the Cybersecurity Maturity Model Certification (CMMC) — one of the most stringent cybersecurity frameworks ever developed — the process is likely to be even more complicated.
For DoD contractors aiming to reach CMMC compliance before the framework is fully implemented, it may be a long and arduous road. Here are nine CMMC challenges they are likely to face.
Challenge #1: Reaching compliance before the deadline
For most current DoD contractors, it will likely be 2-3 years before CMMC is fully implemented. That means — if you already hold one or more DoD contracts — you have approximately that long to prepare.
However, as anyone in the cybersecurity world knows, making significant changes to a security program often takes years. Given that CMMC will require most DoD contractors to make substantial improvements to their existing programs, there’s no time to lose.
Challenge #2: Reaching compliance before you bid
If you’re a prospective DoD contractor, the timescales associated with CMMC could be much shorter. Within a few months, new DoD contracts will begin to require bidders to meet a stated level of CMMC compliance. The rule is simple: no certification, no contract.
Reaching CMMC compliance is a significant process to go through just to be able to submit a bid. There is no guarantee that an organization will successfully obtain a contract once it reaches compliance, making CMMC a substantial hurdle to becoming a DoD contractor.
Challenge #3: Cost of certification
In 2019, the DoD audited 10 contractors with contracts worth over $1 million to determine whether they were genuinely compliant with NIST SP 800-171. Results of the audit made two things clear:
- Nine of the ten contractors did not have the proper controls in place to protect Controlled Unclassified Information (CUI)
- Self-assessment alone is not a reliable measure of compliance
As a result, CMMC will not rely on contractors to self-assess. Instead, all current and prospective contractors will need to pay a certified assessor to inspect their operations.
Naturally, these assessments will incur a cost. According to the DoD, the assessment cost will “not be prohibitive,” and successful contractors will be able to expense part of the assessment cost. Nonetheless, the need to pay and prepare for each audit will become entrenched as a cost of doing business with the DoD.
Challenge #4: Cost of becoming compliant
As any organization with compliance commitments knows, the assessment cost is not the main problem. The cost of preparing for each assessment is usually much greater.
For many current and prospective DoD contractors, becoming CMMC compliant isn’t going to be fast or simple. From changes to processes and personnel to the cost of new systems or expert consultancy, it’s not likely to be cheap, either.
Corbin Evans, director of regulatory policy at the National Defense Industrial Association, claims the cost of reaching level three compliance could be in the region of $250,000.
Challenge #5: Preparing for a CMMC assessment
Cost isn’t the only challenge when it comes to compliance. There’s also a significant amount of work to be done to prepare for a CMMC assessment. After all, being compliant isn’t enough — you have to be able to prove it.
While the specifics of the CMMC assessment process aren’t yet known, it’s a reasonable assumption that contractors will need to provide documentation and real-world evidence that all of the requirements are met. Naturally, setting up and maintaining the systems required to produce this evidence will take additional time and resources.
Challenge #6: Short lead times
For up to 1,500 contractors, CMMC compliance will be a requirement very soon. CMMC certification will be included as a requirement in the Request for Proposals (RFP) for ten contracts in late 2020. These contracts are expected to impact approximately 150 contractors each — 1,500 contractors in total.
Faced with the prospect of becoming CMMC compliant within a very short time, only contractors with mature, well-established cybersecurity programs will have any chance of meeting the requirements of these contracts.
Challenge #7: Compliance may be harder than you think
According to Tier 1 Cyber research, many DoD contractors have a false sense of their cybersecurity preparedness. To make matters worse, only 12% trust their vendors to handle cybersecurity effectively.
With CMMC being the most stringent cybersecurity standard yet — and prime contractors taking on responsibility for subcontractors’ compliance — reaching full compliance could be an uphill struggle for many contractors.
Challenge #8: CMMC may extend beyond the DoD
While CMMC is exclusive to DoD contracts for the immediate future, other government departments and agencies have a history of adopting standards that originated with the DoD. DISA STIGs are one current example of this trend; the most recent is the Cybersecurity and Infrastructure Security Agency (CISA) directive requiring all federal civilian agencies to implement a Vulnerability Disclosure Policy (VDP), a trail blazed by the DoD and U.S. military.
What does this mean for organizations doing business with federal civilian agencies? Right now, nothing. However, given the history, don’t be surprised if CMMC is extended to cover some civilian agencies within a few years.
Challenge #9: Identifying compliance gaps
One of the greatest challenges for organizations aiming to become CMMC compliant is determining where their gaps lie. While internal and external assessments can be a valuable tool to identify areas of non-compliance — particularly those related to human systems and processes — they are only point-in-time assessments. It’s easy for routine changes and updates to cause previously compliant systems to fall back out of compliance.
So how do you find and fix gaps… and ensure they stay fixed?
CimTrak is an IT integrity, security, and compliance tool that makes it easy for organizations to identify and resolve CMMC non-compliance issues in IT systems and assets. With a closed-loop change control system, CimTrak can highlight configuration or security issues that don’t comply with CMMC.
Taking things to the next level, CimTrak continuously monitors your environment and detects changes to assets, files, and systems. CimTrak can also scan for and detect vulnerabilities using threat intelligence feeds, and can allow-list or deny-list cloud services. When a change pulls an asset or system out of CMMC compliance, CimTrak sends an immediate notification of the change and produces reports with forensic detail and analysis, making it easy to resolve the issue quickly.
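To make the point-in-time versus continuous-monitoring distinction concrete, here is an added example of the basic mechanism behind file and configuration change detection: record a baseline of content hashes and permission bits, rescan later, and classify every difference. This is illustrative code written for this page, not CimTrak's implementation, and the directory layout, file names and the "routine update" it simulates are all constructed for the demonstration.

```python
"""Baseline-and-drift integrity check (illustrative example, not CimTrak code).

Builds a SHA-256 baseline of a directory tree, rescans it later, and reports
files that were added, removed, or modified (content or permission bits).
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _file_record(path: Path) -> dict:
    """Hash the file contents and capture the permission bits; both matter
    for the Configuration Management and Access Control domains."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(path.stat().st_mode)}


def build_baseline(root: str) -> dict:
    """Walk the tree and record every regular file, keyed by POSIX relative path."""
    rootp = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(rootp):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(rootp).as_posix()] = _file_record(p)
    return baseline


def detect_drift(baseline: dict, current: dict) -> dict:
    """Classify differences between two scans into added/removed/modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        reasons = []
        if old["sha256"] != new["sha256"]:
            reasons.append("content")
        if old["mode"] != new["mode"]:
            reasons.append(f"mode {old['mode']:o}->{new['mode']:o}")
        if reasons:
            modified.append((rel, ", ".join(reasons)))
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: a compliant baseline, then a 'routine' update
    that silently weakens an access control setting and drops audit rules."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "etc"
        cfg.mkdir()
        sshd = cfg / "sshd_config"            # hypothetical config file
        sshd.write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        os.chmod(sshd, 0o600)
        (cfg / "audit.rules").write_text("-w /etc/passwd -p wa -k identity\n")
        baseline = build_baseline(tmp)

        # Simulated post-install script: re-enables password auth, loosens the
        # file mode, deletes the audit rules and drops in an unrelated new file.
        sshd.write_text("PermitRootLogin no\nPasswordAuthentication yes\n")
        os.chmod(sshd, 0o644)
        (cfg / "audit.rules").unlink()
        (cfg / "motd").write_text("welcome\n")
        return detect_drift(baseline, build_baseline(tmp))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Running the script reports `etc/motd` as added, `etc/audit.rules` as removed, and `etc/sshd_config` as modified in both content and mode. A one-off assessment taken before the simulated update would have passed; only a rescan against the stored baseline catches the drift, which is the gap that continuous monitoring is meant to close.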
Crucially, CimTrak’s functionality maps directly to many of the control objectives of CMMC.
- AC - Access Control
- AM - Asset Management
- AU - Audit and Accountability
- CM - Configuration Management
- IR - Incident Response
- RE - Recovery
- RM - Risk Management
- CA - Security Assessment
- SC - System and Communications Protection
- SI - System & Information Integrity
To find out more about how CimTrak can help your organization align its security strategy and processes with CMMC, download the CMMC Solution Brief today.
November 19, 2020