Key Takeaways from WT’s CMMC Summit

Much advice and insight flowed at the Washington Technology CMMC Summit, which covered the intricacies of this four-letter acronym for the Department of Defense’s cybersecurity initiative.

The Cybersecurity Maturity Model Certification is the DOD’s program to ensure that defense industrial base systems containing sensitive government data are secure.

The concept and purpose of CMMC is easy to understand, but it has several complexities and nuances that speakers at Thursday’s event tried to convey.

Government contractors have up to three levels of CMMC certification they can obtain, with Level 1 being the lowest and Level 3 being the highest.

To achieve Level 1, organizations can self-certify against the National Institute of Standards and Technology’s 800-171 standard, which outlines the required controls for assuring systems.

But when the final CMMC rule comes out next year, most defense companies will need to be at Level 2, and that will require a third-party assessment of their systems.

The final rule will also describe how to reach Level 3. The catalyst that will force companies to move from Level 2 to Level 3 is not yet clear.

March 2023 is the earliest timeframe for the release of the final rule, but it likely won’t go into effect for a few months after that. The requirements are not retroactive, but will appear in certain new contracts.

DOD will phase in the requirement over several years until all defense contracts include it.

Here are four key takeaways we gleaned from speakers at last week’s event.

Waiting is the wrong way

As Robert Metzger pointed out in his opening remarks, it is a mistake for defense companies to wait for the final rule before taking steps to meet the NIST standard.

Metzger is considered by many to be the “father of the CMMC” for having co-authored a report outlining the standard’s guiding principles.

He urged companies to use CMMC and the NIST standard as starting points for building secure networks and systems.

“Covering yourself up front for your employees, your lenders, your customers, your investors,” Metzger said.

One size will not fit all

The NIST 800-171 standard describes 110 security controls. Which controls an organization should focus on depends on its systems and the data they contain. Metzger said that a “smoothly spread the peanut butter” approach isn’t the right one.

Speakers said organizations can make the greatest impact by taking these fundamental steps: understanding their systems and the data they contain, understanding how that data flows through those systems, and focusing security investments on the areas where they will matter most.

For example, some companies may only have contract and procurement data in their systems, and may only need CMMC Level 1. Other companies whose systems hold technical plans may need to invest more in other areas to protect that information.

That assessment is the guide for determining whether CMMC Level 1 is sufficient or whether a company should move to Level 2.

Small business resources are available

CMMC has been a challenge for many small businesses. But after the DOD paused the initiative and then restarted it as CMMC 2.0, the department also increased its efforts to provide resources and support to small businesses.

Also speaking at the summit was Kelley Kiernan, director of Deep Blue Cyber, an Air Force initiative that brings her to the Navy to provide training and other information to small businesses at no cost.

She hosts a weekly “Ask-Me-Anything” small business session through the Deep Blue Cyber website. The site also lists forthcoming training events on a range of topics, including policies and guidelines, oversight and a variety of how-to presentations.

Complementing Deep Blue Cyber was a presentation on Project Spectrum, another DOD organization focused on cybersecurity. Its staff work directly with companies to help them achieve a better cybersecurity posture.

Kareem Sykes, Project Spectrum program manager, said the organization helps small businesses take a step-by-step approach: starting with their current cybersecurity posture, identifying next steps, and then moving on to measuring progress.

“Once you know your starting point, you see risk differently,” Sykes said. “The risks you thought you had are sometimes not the risks you have.”

That’s the starting point for determining where to invest, what training is needed, and how to stay current.

Make cybersecurity a way of life

Sykes and other speakers emphasized that cybersecurity, and the CMMC standard once it is in place, depends above all on people and organizational culture.

“Your company is your fortress and your people are the guards,” Sykes said.

Viewing CMMC as a checklist is the wrong approach. Documentation is required to earn Level 2 certification, but that’s not the point, several speakers said.

Organizations need to show how they implement their policies and procedures; in essence, their actions must reflect their policies. That applies to everyone from the network administrator to the receptionist at the front desk.

More resources

The entire CMMC Summit is available on request on the Washington Technology website.
