The Most Important CMMC Takeaways That We Learned at a Recent Industry Event

By Jeremy Louise | January 30th, 2020

As many long-time readers are undoubtedly aware, staying up to date on everything going on with DFARS/NIST 800-171 compliance makes up a big portion of my responsibilities here at TSI – especially recently. Not only is the DoD actually going to start enforcing these compliance requirements in the very near future, but they’ve even introduced something called the CMMC – or Cybersecurity Maturity Model Certification – in an effort to better secure the Defense Industrial Base (DIB) and as a means of qualifying contractors for future DoD-related projects.

For those unfamiliar with these updates, the CMMC is a new requirement for ALL CUI-facing DoD contractors that is designed to replace the self-attestation model with a third-party certification process. The CMMC model consists of five levels (with the fifth being the most secure) to better measure the cybersecurity practices and posture of contractors managing CUI. The type and degree of sensitivity of the CUI you manage will determine the CMMC level you must attain.

This past October, I had the pleasure of attending an event on this very topic sponsored by a defense contractor-oriented organization. It featured several governmental agencies, notably keynote speaker Katie Arrington, The Special Assistant to the Assistant for the Office of the Under Secretary of Defense for Acquisition and Sustainment.

In short, her department is responsible for the different business and contractor relationships that operate with the DoD and the degree to which they adhere to these new compliance standards moving forward. At any given time, she’s tasked with overseeing the relationships between the sub-contractors who manufacture things like F-35 jet components and their primes, which ultimately have a direct relationship with the DoD office issuing that particular project.

All of this is to say that there were a significant number of thought leaders in the industry and from the government who were in attendance, all to provide some much-needed visibility and clarification as to what these compliance requirements will mean for most of the 300,000 businesses that fall under the CMMC.

It was a truly invaluable event but if you weren’t able to attend yourself, don’t worry – today, I’d like to provide you with some of our biggest takeaways that will hopefully help people like you navigate through these compliance requirements moving forward.

Security is Now an Allowable Cost in Contracts

This is a significant development, as allowable costs will enable subcontractors to pass some of the costs associated with implementing these security controls through to the primes, who will then mark up their own pricing to the DoD. The DoD will then ultimately pay the difference for all services that will need to be implemented, which will obviously impact profitability for the services that the subcontractors are providing.

In other words, instead of the burden being singularly on the small business, there will be something of a “trickle-up” effect where some of these costs are going to be subsidized in a way that you can now include them as a part of your own cost of doing business.

For additional information about this new feature, I’ve included a link that in part includes a press release from Katie Arrington that can help clarify this exciting development.

Cloud Providers Meeting FedRAMP Moderate Standards ARE Sufficient for Any and All Organizations Storing CUI Data

A lot of our clients have been asking us to get more clarification about SaaS and IaaS licensing and which levels are going to be appropriate under this new level of compliance. They’ve been seeing how costly government-level pricing is for services like Office 365, Azure and AWS, and how they also often have to essentially start from scratch and rebuild their network during implementation.

Luckily, the event specifically covered these licensing requirements: so long as those cloud service providers meet the FedRAMP Moderate standards for storing CUI data, then everything is good to go. That said, there wouldn’t necessarily be a need to attain these types of licenses (unless it’s specifically required within Section H of your contracts), and the burdensome costs of the licenses and the implementation of the software itself can be avoided... for now.

Why CMMC and DFARS Compliance Matters

Another one of the most interesting things that we learned, unfortunately, isn’t what one would call “good news.”

It’s been estimated that, every single year, American companies lose a combined $600 billion to cyber theft and crime. A prime example of this involved a case where someone stole the blueprints for our American F-35 jets and sold them to the highest bidder: China. The plans included detailed breakdowns of parts that you wouldn’t necessarily consider to be highly classified, but they were CUI all the same. Flash forward to today, and there are now copies of those F-35 jets flying over the skies of China that were derived from these stolen materials. American taxpayers dumped millions (if not billions) of dollars into the research and development for these materials, and suddenly something that was a major advantage of our aerial capabilities is available to anyone who wants it anywhere in the world.

That’s just one small example, but it really is a critical one for understanding what these compliance requirements aim to address. Not only are they safeguarding the intellectual property of these companies, but they’re increasing our overall security posture and are helping to further our efforts in terms of national defense as much as possible.

Additional Points of Interest

While these were certainly two of my biggest takeaways from the recent DFARS event, we also learned a great deal more about the coming implementation of the CMMC that I’d like to take the opportunity to share with you today.

  • There are already plans in place to keep a comprehensive database of the CMMC certification levels that prime and subcontractors meet. This means that if you achieve a Level 3 certification, that’s going to be recorded in an accessible place in perpetuity. Moving forward, the Federal Government and prime contractors will refer to this database as a means of determining a subcontractor’s qualification to pursue RFPs.
  • CMMC Level 3 will follow all of the NIST 800-171 standards – meaning that most entities will need to adhere to this level of compliance at the very least.
  • To that point, I was also surprised to learn that out of the 300,000+ businesses that perform work with the Department of Defense and other government agencies, only about 5% of them are currently compliant with NIST 800-171.
  • There are also plans to require self-assessments from both prime and subcontractors based on NIST 800-171A for existing contracts.
  • NIST 800-171B is coming soon, but it will only be used for organizations at CMMC Levels 4 and 5. Along the same lines, NIST 800-53 compliance will continue to be used for government agencies only.

In the end, one of the most important things we learned is that you ALWAYS want to refer to your individualized contracts in terms of compliance. Even if everything has seemingly been addressed, the DoD or primes always reserve the right to tailor contracts to whatever requisites they see fit. If they decide the listed precautions are not adequate, they can add specific considerations that go above and beyond what compliance mandates.

It’s an easy thing to overlook – which is why we always want to encourage people to refer to Section H in their contracts to find out whatever additional requirements have been added given the context of the current situation.

TSI: Your Partner in CMMC Certification


At TSI, we understand just how important CMMC certification is – and that the chances are high you might not be one of the 5% of businesses that are currently compliant. But that's okay, because we’re here to help. Contact me or one of my colleagues today so that we can schedule your free introductory phone call. Once we make sure our organizations are a good fit for one another, we can help you get started addressing CMMC certification in the most comprehensive and straightforward way possible.
