Bill Osborne
Magna5 Defense Industrial Base Team
It’s hard not to notice the ecosystem growing around the Cybersecurity Maturity Model Certification (CMMC) and the chaos that’s coming with it. Businesses at every level of the US defense industrial base (DIB) supply chain are struggling to figure out where they fit, to what they (perhaps) have already contractually obligated themselves, and what lurks just around the corner. While businesses are wondering what their competitors are doing or have already done, executives are wondering if they are spending their money and other resources well, or if they are investing too early or too late.
Businesses that have existed in the DIB space for decades can be prone to becoming jaded with new requirements, wondering whether they will ever actually be enforced. All the while, due to heightened overhead of compliance, diligent firms are losing bids to competition that seemingly have made no attempt to adhere with these new regulations.
I have yet to meet an executive or owner in the DIB space that didn’t want to do the right thing—but they also have a business to run, bids to win, data to secure (internal and potentially DOD owned data), employees to recruit, hire, train and manage, as well as a product and service to maintain for their customers.
When a DIB contractor approaches us with CMMC on their mind, we almost always have the same starting points:
- Are you already working on NIST 800-171 compliance?
- Do you already have contracts with DOD or prime contractors requiring DFARS 7012 or other DOD compliance requirements?
- Do you have a system security plan, and do you currently have resources assigned to DOD unclassified data security requirements?
Those tend to be the easier questions; we are either at the start of a journey, or somewhere along the line. We then assess how we can help, where we can augment their resources to make things better, simpler, or more efficient. Once we get those answers, we can talk about the things that an MSP or MSSP can provide: personnel, technology, software, experience, etc.
The key insight that a lot of organizations fail to grasp, regardless of how many times they hear it, is that CMMC and NIST SP 800-171 are not IT certifications or frameworks. Compliant systems aren’t something you can just buy. Timelines depend on resources assigned. CMMC is something that can potentially alter every aspect of the way your business operates. Sure, it is centered around controlled unclassified information (CUI), but it is in a sense the government’s attempt to push uninitiated, smaller firms into a more mature security focused mindset—one that is often unpalatable to the “agile” small business. As technology providers, we can provide an awesome tech stack that includes multi-factor authentication, application allowlists, and alerts on security anomalies—but if you aren’t doing the annual incident response test that is written about in your system security plan, or your scheduled change management meetings, you will fail a CMMC assessment.
At the end of the day, the executive leadership team of a DIB business will own the compliance of that organization. No matter how many highly paid consultants are brought in, no matter how whizbang your technology is, an executive will be the owner of the system. The executive team not only owns the system, but they also set a target for the culture of the entire organization—both the company culture and the cybersecurity culture.
It is imperative that the executive team stays informed about the process moving towards CMMC certification. For the organization to succeed, they need to listen and respond accordingly when resources are requested. Too many organizations haphazardly throw an unbillable junior person at CMMC with the help of an often-clueless MSP. How many small businesses have competent information security personnel that can lead an effort like CMMC that aren’t already totally inundated with their normal day-to-day responsibilities?
The executive team must stay informed, and they must focus on real information—not the latest webinar hype or fear-based sales tactics purveyed in a cold email. They must ensure that the cybersecurity culture permeates all levels of their organization. Above all else, they must invest in tools that make sense, invest in people and processes that make sense, and realize that it takes an entire team rowing in the right direction to get across the finish line to a successful cybersecurity assessment.