Four years ago, I started on a journey to be part of the process to protect America’s Defense Industrial Base and I am proud to say that I still believe in that mission. As one of the first CMMC-Registered Practitioners, I saw the need to increase cyber security in manufacturing and wanted to do my part to make it better. After four years of helping companies, mostly smaller companies under $5 million, work to compliance I see some major flaws in this approach.
CMMC (Cyber Maturity Model Certification) is the standard for cyber security compliance that the Department of Defense (DOD) is implementing to create a more secure industrial base for their contractors. This intent of this is truly critical for the nation. Having a more secure industrial base would mean that foreign attackers, like our friends in China, Russa, North Korea, and Iran would have a harder time stealing our production information.
When I first got my training, I was told that the Department of Defense (DOD) did not expect that implementing CMMC would be very expensive or cause any increase in pricing for the federal government. As a small business owner and cyber security professional, I knew that implementing new cybersecurity requirements is expensive and can be frustrating as it will require major changes in how a company does business. It was very unrealistic to expect that costs would not go up sharply. In the end, it is estimated that each company will pay between $2,000 and $3,000 per employee to reach compliance with a minimum of $25,000 just to get the assessment. Most small companies are looking at $75 to $100 thousand to get to compliance and thousands every year to maintain it. You also have to reassess every 3 years.
CMMC is based on three levels numbered 1-3, however, most companies are going to be required to meet level 2. The reason for this is because most companies have CUI (Controlled Unclassified Information). This is one of the first problems for a small company – many do not even know what CUI they have or what it is. When working with the government, they are required to properly label and track CUI, but the business is responsible for protecting CUI even if it is not labeled correctly. This can be very confusing as CUI is very nebulous and it is even possible that the company is creating CUI in the manufacturing process and not knowing that they have.
CMMC is based around NIST (National Institute of Standards and Technology) 800-171 a series of 110 practices that are designed to protect CUI so most of the controls are around that action. For most companies, defining the security footprint that needs to be protected, known as scoping in CMMC, determines which parts of the network need to be assessed because they contain CUI. This also is a problem as many of the companies do not know what CUI is and where it is stored. From a risk analysis standpoint, I understand the importance of knowing where vital information is stored, but I also know that if you don’t know what is “vital” that becomes a hard process.
The process to get to CMMC Level two begins with a company doing their SPRS (Supplier Performance Risk System) and then entering in the score at this site https://www.sprs.csd.disa.mil/. This is the beginning of the problems that I see. We have helped many companies work on their SPRS scores over those four years and I cannot remember one company that filled out the score and had been accurate. One of the main areas that I have seen is around Multi-Factor Authentication (MFA,) or more commonly called 2FA (Two Factor Authentication), the process of having two forms of identification before being able to get into a system. For many companies they list this as being done but they do not have MFA on their systems, only on items like their bank accounts. They do not understand the difference.
That leads to another area that is very confusing for small businesses. There are 110 Practices in NIST-800-171 but the government has multiple objectives for each control and that is defined in a different area (I have provided it here for people CMMC L2 Assessment Guide). This then takes an overwhelming feeling of 800-171 and expands it to 320 objectives.
What is a small business to do?
- Evaluate if you can afford to be CMMC compliant
- Do you have the government income to cover that additional cost which can be thousands of dollars?
- Can you adjust your pricing to absorb the additional costs?
- Are you ready to potentially change the way you do business?
- How important is the government work to your businesses growth?
- Do your SPRS. I would suggest working with a company like On Technology Partners to help you in this process; the practices can be confusing, and you need to be sure you are accurate.
- Perform a GAP analysis. This is the process of seeing what you are doing today against what you need to do to meet CMMC. Many companies may already have some level of certification, such as ISO or CIP, and their journey may be easier.
- Create a Plan of Action and Milestones (PoA/M). This is the roadmap that your company will take to get to compliance.
- Implement the practices and all objectives.
- Document the entire process so you can give the assessors all the documents. It is important to remember that the more you can give to the assessor the less time and hopefully money it will take to get assessed.
- Perform pre-assessment audits. This will help you find where gaps exist in your journey.
- Fix any issues found in your audit. You do not want to have a failed assessment because of known issues.
- Select your Certified Third-Party Assessment Organization (C3PAO) this company will do your assessment.
- Perform the assessment.
- Maintain the compliance. This is a critical step as the government has stated that it will come down hard on companies that file for contracts but do not have the proper process in place and maintained.
This is not a simple process, and over half of the companies we reviewed CMMC with have chosen to give up on government work or postpone CMMC implementation until they were shown it would be implemented.
This leads to my last concern with CMMC: it is possible that by having such a robust security standard with so many objectives that we could be causing a danger by driving out capable companies and reducing the number of suppliers that can provide critical services for the DOD.
For many smaller government contractors, CMMC will be too hard to get and maintain. They will be forced to stop doing government contract work. This will result in the number of suppliers getting smaller and the ability of foreign agents to target these companies easier because there are fewer of them. It is not hard to imagine a situation where what is now provided by ten companies could be provided by only one after the CMMC process.
Compliance is critical but it should not be the only thing, keeping a robust and diverse defense industrial base is critical to national security as well and there is a possibility that CMMC, with all its good intentions, could move us the opposite direction.
Ken Fanger is a CMMC-RP and he and his team have worked with hundreds of companies on CMMC compliance. He is the author of “RELAX: A Guide to True Cyber Security” and a believer in Humanizing Security, the process of bringing people back into cybersecurity. If you would like to learn more about CMMC or get assistance with the process, contact us here: https://ontechnologypartners.com/contact/