Coalfire Federal’s Bill Malone on Becoming a C3PAO and What CMMC Means for GovCon

Bill Malone, Coalfire Federal

Coalfire Federal recently was named as one of the first firms authorized to perform Cybersecurity Maturity Model Certification audits by the CMMC Accreditation Body.

It’s a big win for the company and a turning point for GovCon in general. While CMMC will initially help to cyber-harden Defense Department contractor systems, it may evolve to become the standard across a range of federal civilian agencies.

We talked with Coalfire Federal President Bill Malone about what it means to become a CMMC Third-Party Assessment Organization, or C3PAO, and what CMMC will mean for GovCons going forward.

Why is this a significant step for Coalfire?

The CMMC program that we have been rolling out is a natural extension of the work that we do in the compliance space as the leading FedRAMP 3PAO. It’s a validation of our capabilities and credentials.

We sense that this may become a de facto standard across the federal government market. From that standpoint, we are getting in on the ground floor, helping to advise and shape the program.

What kind of business opportunity does this represent?

As defined by the Department of Defense, it is a very large addressable market: Roughly 300,000 businesses make up the DOD supply chain. From that standpoint alone, it’s an enormous market. There are a vast number of companies that will need to certify to the department that they have the appropriate level of cybersecurity and process maturity within their infrastructure and across their enterprise.

Within GovCon, the large system integrators, their top subcontractors and sub-tier suppliers will need to certify at specific maturity levels to be award eligible beginning in 2021. But a majority of the 300,000 companies within the defense industrial base are companies that provide goods and services to the DOD: everything from the company that builds a single component for an aircraft carrier to the firm that runs the cafeteria at the Pentagon.

There is a wide array of providers that together make up the DOD supply chain ecosystem — and every one of those companies will need to achieve and demonstrate good cyber hygiene to fortify the supply chain’s security posture.

Can you tell us about Coalfire’s early involvement with CMMC?

As the process began over the course of 2019, and the department came out with its pronouncements, we looked for opportunities to engage. Having been involved at the inception of the FedRAMP program, we felt we could bring the lessons learned from that experience, and more importantly, a practitioner’s perspective to bear. 

The department stood up a CMMC Accreditation Body, which in turn established working groups to address everything from policy to training requirements and so forth. We volunteered to participate and support a couple of these working groups. We thought that was the best way to bring our expertise and past experiences to bear.

It allows us to help shape the program in a positive way, and it helps to establish our credentials with the vast number of other firms that have applied to become C3PAOs and individuals who have applied to become certified assessors.

How do you separate the wheat from the chaff? I think in the initial selection process, those that participated early were able to establish their credentials with the selection body. Not only was Coalfire Federal selected as a C3PAO, but members of our team were also selected as provisional assessors. Their expertise in compliance and CMMC will have an immediate, positive impact on the program’s launch.

While Coalfire Federal is well known within the federal government, we are building awareness of our brand across GovCon and across the broader defense industrial base. We are doing this by taking an active role in the launch of CMMC and through opportunities to provide thought leadership and educate the market.

What does the coming of CMMC mean to the GovCon community?

At a very high level, they need to know that the program is real. In this town, there are a lot of good ideas that somehow just never get implemented. We’re convinced that the Department of Defense is committed to this program.

Cybersecurity is a bipartisan issue. I don’t think there’s anybody in the new administration that’s going to come in and say that the DOD supply chain should not be more secure. Additionally, the General Services Administration has embraced the CMMC requirements in the development of new acquisition vehicles such as STARS III and Polaris.

GovCons need to get smart on the program. There are five levels of certification that are based on the types of information you need to protect, the types of acquisitions you’ll be handling. More information will be forthcoming from the CMMC-AB, but satisfying all of the CMMC requirements and completing the certification process will take time.

Our advice to GovCon is to begin your CMMC planning and preparation now. We believe the planning and preparation aspect of CMMC readiness is the most critical — you can be pre-posturing now and getting in shape to be assessed when it is your time. That will be time well spent.

As a 3PAO, how do you plan to approach the market?

Being in that first class helps us: It helps to establish our credibility, and it will allow us to do business when a lot of the other folks are not yet able to. Being first to market matters.

The biggest challenges are around scale and bandwidth: If 300,000 firms are affected by CMMC, how’s that going to get done? We’re going to have to digest the market in a way that helps us understand where the sweet spot is for Coalfire Federal. We’re not going to be able to do everything for everybody, so we need to figure out how we can organize and scale our business to meet the demand.

We are looking at ways to tech enable, to help automate some aspects of this. Compliance has historically been a very laborious “people and checklists” process. There are aspects of that that could be technology enabled, that could be automated. Then you have greater capability and bandwidth to do more. That’s where we are looking for opportunities to scale.

You’ve been in GovCon for almost 30 years. What’s the significance of this moment for you personally?

My focus is on protecting the federal mission. I feel like, through CMMC, we’re making a meaningful contribution to the federal government in terms of its ability to deliver its services to the American people… safely and securely. 

CMMC isn’t a singular opportunity. It would be very easy to see this evolve across the entire federal government and beyond. It’s very fulfilling to be in at the beginning of a program that’s going to have an enduring impact like that.
