Reaching compliance with a required framework is never a simple process. When it comes to the Cybersecurity Maturity Model Certification (CMMC) — one of the most stringent cybersecurity frameworks ever developed — the process can be even more complicated.

For DoD contractors aiming to reach CMMC 2.0 compliance before the final deadline, it may be a long and arduous road. Here are seven CMMC challenges they are likely to face.


Challenge #1: Reaching Compliance Before the Deadline

At the time of writing, DoD contractors have a little over a year until CMMC 2.0 is fully implemented. That means — if you already hold one or more DoD contracts — you have roughly that long to prepare.

However, as anyone in the cybersecurity world knows, making significant changes to a security program often takes years. CMMC 2.0 Level 2 is built directly on the 110 controls of NIST SP 800-171, which DFARS 252.204-7012 already requires of contractors handling Controlled Unclassified Information (CUI), so there is no time to lose. Additionally, with NIST SP 800-171 Revision 3 in progress, CMMC compliance may be a moving target in the near future.


Challenge #2: Reaching Compliance Before You Bid

Solicitations will state the CMMC level required, and bidders must meet it. The rule is simple: no certification, no contract.

Reaching CMMC compliance is a significant process to go through just to be able to submit a bid. There is no guarantee that an organization will successfully obtain a contract once it reaches compliance, making CMMC a substantial hurdle to becoming a DoD contractor.


Challenge #3: Cost of Certification

CMMC 2.0 does not rely on self-assessment alone. Which kind of assessment applies depends on the sensitivity of the information a contractor handles, and many current and prospective contractors will have to pay a certified assessor to examine their operations. The CMMC 2.0 model splits assessments as follows:

  • Level 1 programs (Federal Contract Information only) and a subset of Level 2 programs perform annual self-assessments
  • Most Level 2 programs (those handling CUI) require triennial assessments by an authorized third-party assessor organization (C3PAO)
  • Level 3 programs require triennial assessments led by the government (the DoD's DIBCAC)

Naturally, third-party assessments cost money. According to the DoD, the assessment cost will "not be prohibitive," and assessment costs will be allowable, so contractors can recover part of them through their contracts. Nonetheless, paying for and preparing for each assessment becomes a standing cost of doing business with the DoD.


Challenge #4: Cost of Becoming Compliant

As any organization with compliance commitments knows, the assessment cost is not the main problem. The cost of preparing for each assessment is usually much greater.

For many current and prospective DoD contractors, becoming CMMC compliant isn’t going to be fast or simple. From changes to processes and personnel to the cost of new systems or expert consultancy, it’s not likely to be cheap, either.


Challenge #5: Preparing for a CMMC Assessment

Cost isn’t the only challenge when it comes to compliance. There’s also a significant amount of work to be done to prepare for a CMMC assessment. After all, being compliant isn’t enough: you have to be able to prove it, with evidence (policies, a system security plan, logs, configuration records) that an assessor can examine. Setting up and maintaining the systems that produce that evidence takes additional time and resources.


Challenge #6: CMMC May Extend Beyond the DoD

While CMMC applies only to DoD contracts for the immediate future, other government departments and agencies have a history of adopting standards that originated with the DoD. DISA STIGs, which began as DoD hardening baselines, are now used well beyond the department, and a more recent example is CISA Binding Operational Directive 20-01, which requires every federal civilian agency to publish a Vulnerability Disclosure Policy (VDP), following a trail blazed by the DoD and the U.S. military.

What does this mean for organizations doing business with federal civilian agencies? Right now, nothing. However, given the history, don’t be surprised if CMMC is extended to cover some civilian agencies within a few years.


Challenge #7: Identifying Compliance Gaps

One of the greatest challenges for organizations aiming to become CMMC compliant is determining where their gaps lie. While internal and external assessments are valuable for finding areas of non-compliance, particularly in people and processes, they are point-in-time snapshots. Routine changes and updates can easily push previously compliant systems back out of compliance.

So, how do you find and fix gaps… and ensure they stay fixed?

CimTrak is an IT integrity, security, and compliance tool that makes it easy for organizations to identify and resolve CMMC non-compliance issues in IT systems and assets. With a closed-loop change control system, CimTrak can highlight configuration or security issues that don’t comply with CMMC.

Taking things to the next level, CimTrak continuously monitors your environment and detects changes to assets, files, and systems. CimTrak can also scan for vulnerabilities using threat intelligence feeds and allow/deny-listing cloud services. When a change pulls an asset or system out of CMMC compliance, CimTrak immediately reports what changed, with forensic detail and analysis, so the issue can be resolved quickly.
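To make the mechanism in that paragraph concrete, here is an added Python sketch of a file-integrity baseline with closed-loop change control. It is illustrative code written for this page, not CimTrak's implementation: it hashes a set of files into a baseline, reports drift against that baseline, treats a change as authorized only when an approved change record predicts the exact resulting hash, and rolls everything else back from a snapshot. The file paths, file contents and the change ticket number are constructed for the demo.

```python
"""Baseline, drift detection and closed-loop rollback (added example, not CimTrak code)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Content hash plus permission bits; a change to either counts as drift."""
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "mode": path.stat().st_mode & 0o777,
    }


def build_baseline(root: Path) -> dict:
    """Relative path -> fingerprint for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Point-in-time comparison: which paths appeared, vanished or changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def classify(changes: dict, current: dict, approved: dict) -> dict:
    """Closed-loop check: a change is authorized only if an approved change record
    (approved[path]) predicts the exact resulting hash, or None for an approved removal."""
    authorized, unauthorized = [], []
    for path in changes["added"] + changes["modified"]:
        expected = approved.get(path)
        (authorized if expected == current[path]["sha256"] else unauthorized).append(path)
    for path in changes["removed"]:
        (authorized if path in approved and approved[path] is None else unauthorized).append(path)
    return {"authorized": sorted(authorized), "unauthorized": sorted(unauthorized)}


def restore(root: Path, snapshot: Path, paths: list) -> None:
    """Roll unauthorized drift back to the snapshotted baseline copy (copy2 keeps mode bits)."""
    for rel in paths:
        live, saved = root / rel, snapshot / rel
        if saved.exists():
            live.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(saved, live)
        elif live.exists():
            live.unlink()  # file that never existed in the baseline


def run_demo() -> dict:
    """Constructed scenario: one approved change, two unapproved ones, then rollback."""
    work = Path(tempfile.mkdtemp())
    root, snapshot = work / "live", work / "snapshot"
    files = {  # constructed sample configs, not real system files
        "etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
        "etc/audit/rules.d/cmmc.rules": "-w /etc/passwd -p wa -k identity\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    shutil.copytree(root, snapshot)
    baseline = build_baseline(root)

    # Approved change (hypothetical ticket CHG-0042) records the hash the file should end up with.
    new_sshd = files["etc/ssh/sshd_config"] + "MaxAuthTries 4\n"
    approved = {"etc/ssh/sshd_config": hashlib.sha256(new_sshd.encode()).hexdigest()}
    (root / "etc/ssh/sshd_config").write_text(new_sshd)

    # Unapproved drift: audit rules wiped, an unreviewed cron job dropped in.
    (root / "etc/audit/rules.d/cmmc.rules").write_text("")
    (root / "etc/cron.d").mkdir()
    (root / "etc/cron.d/unreviewed").write_text("* * * * * root /tmp/x.sh\n")

    current = build_baseline(root)
    changes = diff_baseline(baseline, current)
    verdict = classify(changes, current, approved)
    restore(root, snapshot, verdict["unauthorized"])
    after = diff_baseline(baseline, build_baseline(root))
    shutil.rmtree(work)
    return {"changes": changes, "verdict": verdict, "after_rollback": after}


if __name__ == "__main__":
    print(run_demo())
```

The point of the closed loop is in `classify`: "something changed" is not enough to act on, because approved patches and hardening changes also alter hashes. Tying each approved change to the hash it should produce lets the monitor distinguish an authorized update to `sshd_config` from an audit rule file that was silently emptied, and only the latter is rolled back.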

Crucially, CimTrak's functionality maps directly to many of CMMC's control domains. The abbreviations below follow the CMMC 1.0 model; CMMC 2.0 Level 2 consolidates the domains into the 14 NIST SP 800-171 control families, so Asset Management, Recovery and Risk Management no longer appear as separate domains, and Security Assessment is abbreviated CA in both models.

  • AC - Access Control
  • AM - Asset Management
  • AU - Audit and Accountability
  • CM - Configuration Management
  • IR - Incident Response
  • RE - Recovery
  • RM - Risk Management
  • CA - Security Assessment
  • SC - System & Communication Protection
  • SI - System & Information Integrity

To learn more about how CimTrak can help your organization align its security strategy and processes with CMMC, download the CMMC Solution Brief today.


Tags:
Compliance
Post by Lauren Yacono
February 15, 2024
Lauren is an IU graduate and Chicagoland-based Marketing Specialist.

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real time.