tashatuvango - Fotolia

CMMC requirements set to ripple throughout DOD supply chain

The Department of Defense's CMMC requirements target defense contractors, but organizations throughout the DOD supply chain -- and beyond -- are prepping for the standards.

The Department of Defense now requires contractors prove they meet specific security standards as outlined in the new Cybersecurity Maturity Model Certification framework, a move that affects some 300,000-plus organizations that serve DOD.

That is, by itself, a significant impact, yet CMMC's influence may be even broader than those numbers indicate. According to experts, the mandate to meet the CMMC requirements established in this new framework will apply to organizations throughout the DOD supply chain.

"Primary defense contractors are well aware of this new set of standards, and they're pushing compliance to these mandates down through their supply chain," said Sanjeev Verma, chairman and co-founder of PreVeil, a provider of encryption solutions based in Boston. "It's imperative for anyone, even those deep down in the supply chain, to pay attention."

Sanjeev VermaSanjeev Verma

In addition to the big, well-known defense contractors, many of those who work with or support those contractors will see the fallout of these CMMC requirements. This also goes for the broad array of organizations of various sizes and types -- such as research institutions -- that seek certain DOD contracts.

Heather EngelHeather Engel

Moreover, additional entities from state governments to foreign agencies have indicated their interests in CMMC as a model that they, too, want to adopt for their contractors and partners. Questions about how much of an impact CMMC will have are already rippling through the DOD ecosystem.

"I think CMMC will be more broadly applied, but just how broadly it will be applied is hard to tell," said Heather Engel, managing partner of Strategic Cyber Partners, which specializes in executive support, risk management, compliance and security program development and is based in Hampton Roads, Va.

Potential for broader impact

The requirements laid out in CMMC are already moving beyond the DOD ecosystem, experts said.

Case in point: In its STARS III contract posted in July 2020, the General Services Administration said it reserves the right to require CMMC certifications of businesses as part of the $50 billion contract, advising contractors to "prepare for and participate in acquiring CMMC certification."

Katell ThielemannKatell Thielemann

Katell Thielemann, research vice president at Gartner, the technology research and advisory firm based in Stamford, Conn., said there's already strong interest in CMMC outside of DOD, noting that she has "had several discussions with other federal agencies, as well as ministries of defense from other countries, that are keeping a close eye on the deployment of CMMC to see if it's an approach they might want to adopt."

Thielemann said organizations of all stripes might want to take note of the framework and use it to guide their own security decisions, particularly if they plan to work with DOD in the future.

That's what's changing a lot of things for DOD vendors: Security has now been elevated to a really strategic level.
Katell ThielemannGartner

"What is unique about CMMC is that it will be directly linked to an organization's ability to win a DOD contract, and that's what's changing a lot of things for DOD vendors: Security has now been elevated to a really strategic level," she said.

Engel said most organizations that have historically worked with DOD are preparing to prove that they meet the requirements established in CMMC, with the expectation that the assessment process will be ready to start in the upcoming months.

But, despite the strong interest in CMMC outside the DOD contractor community, Engel doesn't advise all organizations strive for the framework's most mature level (Level 5) or necessarily base their security program on the new framework at all.

Rather, she recommended organizations first consider whether CMMC fits with their security needs and their overall strategic direction.

"I think that whether a company decides to go and get the audit should depend on its government strategy," she said.

She pointed to one of her clients, a university that conducts research with a DOD component, that has studied the framework and determined that achieving a Level 3 certification is appropriate for the work it does as part of its contracts with DOD.

Meanwhile, Engel said companies outside of the DOD contractor community should weigh the strategic worth of using CMMC as a security framework against the value of using other existing standards. She said CMMC is indeed a strong set of standards that could be a useful guide for an enterprise security program, but other frameworks could be more applicable to individual organizations based on their work and industry.

"CMMC is a good standard, but there are other good standards out there as well," Engel said. "The standard you chose should come down to the regulations you must comply with."

Need for enhanced security

DOD released the first version of its CMMC requirements on Jan. 31, 2020. The model seeks to "to enhance the protection of controlled unclassified information (CUI) within the supply chain."

CMMC has five levels, with each level representing a higher maturity level than the next; DOD will determine and list in its contract requirements which maturity level organizations must meet for particular assignments and projects.

Contractors will have to prove their security practices meet CMMC standards through assessments.

"For decades, concerns about nation-states infiltrating defense-related systems have been swirling," Thielemann said. "After many years of trying various approaches, like voluntary security information sharing or self-assessments against NIST security frameworks, the gradual approach has been replaced with a sudden, much more aggressive one."

DOD has established the CMMC Accreditation Body, a nonprofit independent organization, which will accredit CMMC Third-Party Assessment Organizations (C3PAOs) and individual assessors. Federal officials said the establishment of the accreditation process is ongoing.

DOD officials developed CMMC in response to longstanding concerns about cybersecurity weaknesses among the 300,000-plus contractors within the DOD supply chain.

Thielemann noted that this puts any company in the DOD supply chain on notice, from big names, like Boeing or Lockheed Martin, to universities that receive research grants and even companies that supply boots or fuel.

"This is an approach that mandates independent assessments and is tightly coupled to future contract awards," Thielemann said. "That is the essence of CMMC."

Dig Deeper on Risk management and governance

Cloud Computing
Mobile Computing
Data Center
and ESG