The Cybersecurity Maturity Model Certification is the new gold standard for contractors looking to support national defense.
It establishes cybersecurity standards and best practices, mapping these across maturity levels ranging from basic to advanced cyber hygiene. Primes and subs looking to support defense contracts going forward will need to demonstrate compliance, as determined by third-party assessors.
As CMMC comes online, the key thing to know is that this will not be a one-and-done exercise.
“Cybersecurity under CMMC will continue to evolve and GovCons will need a strategy to keep pace with those changes,” said Stephen Pipino, Salesforce principal security specialist. “It’s not going to be something as simple as saying: Oh, we’re going to be compliant today, and that’s it. The nature of cybersecurity is that new threats emerge, and these compliance frameworks will likewise continue to evolve.”
How can contractors position themselves today to meet this moving target in the future?
Pipino argues as-a-service products — especially software-as-a-service and platform-as-a-service offerings — deliver the means for GovCons to meet the emerging CMMC requirements in both the short and long term.
Salesforce, for example, offers a range of SaaS and PaaS tools already government compliant and inherently designed to remain so, even as the regulations evolve.
“U.S. government contractors have been using Salesforce for years to achieve different compliance requirements,” Pipino said. “We have our Government Cloud, which has FedRAMP Moderate and DoD Impact Level (IL) 2 and 4 authorizations. We have our Government Cloud Plus, which has FedRAMP High and DoD IL 2 authorizations, and was recently assessed against NIST SP 800-171.”
All these U.S. government-specific authorizations are relevant to CMMC compliance. It’s likely the rules as eventually articulated under CMMC will allow for some backward compatibility: Solutions that meet existing regulations may be deemed good-to-go under emerging CMMC requirements.
Moreover, the Salesforce business model ensures as-a-service offerings will maintain parity with evolving requirements over time.
“With as-a-service tools, government contractors can rely on the service provider to anticipate what is going to happen over time, rather than carrying that burden themselves,” Pipino said. “As a cloud provider, we’ve been constantly targeting those higher levels of compliance within government. This isn’t a new thing for us. CMMC is just the next iteration.”
A new opportunity
It’s tempting to view the CMMC as merely a business challenge, another hurdle to doing business with the government. It’s true that, in the effort to safeguard data from prying eyes, the new model does set a high compliance bar for the GovCon community. Those who previously could self-certify their cyber protections will now be subject to third-party assessment and validation. That’s not trivial.
At the same time, Pipino pointed out, contractors stand to benefit from the CMMC requirements. This isn’t just about protecting the Pentagon and its agencies, after all. It’s about securing the entirety of the defense industrial base.
“The contractors themselves are obvious targets for malicious foreign nation-states and other bad actors,” Pipino said. By establishing more rigor around cyber practices, “CMMC will allow them to protect their intellectual property,” he added. “It will help them to properly secure their information.”
When people talk about the security of the defense industrial base, the conversation tends to focus on the megaplayers. In fact, smaller organizations may be equally vulnerable. Even those who produce components for much larger systems can be targeted for compromise. CMMC helps to ensure that GovCons at all levels of maturity meet certain minimum thresholds — thus not only ensuring the security of the military supply chain, but also their own future livelihoods.
A starting point
GovCons looking to comply with CMMC may find themselves in a sticky place. Most are eager to ensure they meet the new bar — that’s the price of admission for future military contracts, after all. At the same time, some aspects of the program are still in flux, and it can thus be hard to know where to begin.
Pipino suggests starting in the middle. CMMC defines five levels of cyber readiness. By aiming for Level 3, organizations can put themselves in a strong position going forward.
“Most government contractor organizations I’ve spoken to are targeting CMMC Level 3, and rightfully so,” he said. “That’s the threshold for managing controlled unclassified information, or CUI. Contractors can use that as a baseline and then do a gap analysis, identifying deficiencies and making immediate investments in systems and infrastructure.”
Contractors should follow the Defense Department’s CMMC updates, participate in webinars and interact with those individuals within government tasked with bringing the new standards to life.
“There is no shortage of information,” Pipino said. “Contractors need to take advantage of those resources and then try to understand the CMMC ecosystem, even as it continues to evolve.”
Finally, GovCons can look to partner with SaaS and PaaS providers as a means of ensuring both short- and long-term compliance with emerging CMMC practices and protocols. In the long run, it makes sense to offload as much of the compliance responsibility as possible onto these service providers.
“There is no good reason to go it alone,” Pipino said. “At Salesforce, we were tracking this before it was even called CMMC. We are no stranger to these conversations, and we’re no stranger to helping our customers meet government requirements. All this is very much second nature to us.”