CMMC and the C-Suite: Hard Business Truths for Government Contractors
Unless you have been asleep under a rock, you know or have heard about the emergence of the Cybersecurity Maturity Model Certification (CMMC) requirement for doing business with the Department of Defense. While there have been other cyber risk compliance rules from the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) in the past, these older guidelines were based on “self-attestation” and not widely embraced by the DoD’s supply-chain and Defense Industrial Base (DIB). Make no mistake about CMMC – it is a game-changer. For the C-Suite, CMMC will forcefully impact how organizations bid and win contracts, run daily operations within their businesses, and how they manage cyber risk and reporting to their Boards and insurers.
What percentage of your company’s yearly earnings are derived from government contracts? Perhaps you only do 30% of your total business with the DoD and you are willing to put off certification in 2021. Others may argue that since the DoD is implementing a phased rollout of CMMC, they can put off addressing this until it becomes fully implemented (now slated for October 1, 2025). Do not be distracted or comfortable with that end date!
An interim rule aimed at jump-starting the DIB to meet this requirement is already in effect (as of November 30, 2020). In plain terms, your existing DoD contracts are likely to already have CMMC-related clauses incorporated within them – meaning you are required to comply with these requirements for protecting the confidentiality of controlled unclassified information (CUI) and to demonstrate that you are providing adequate security. If you have done your due diligence and self-certified by way of NIST 800-171, that does not mean your business is grandfathered into CMMC. It is, however, a good starting point.
From changes that we are seeing with the Department of Homeland Security under the new administration, it appears DHS may soon start requiring CMMC levels in their contracts as well. It stands to reason that we will see a steady chain reaction among federal civilian agencies that follow suit and adopt the basic tenets of CMMC.
Internal departments and corporate functions will be permanently affected by CMMC, requiring designated employees to take on compliance officer roles to maintain continuous awareness of the company’s cyber risk posture. CMMC will require organizations to operationalize their cyber risk management and reporting, with the DoD imposing regular, independent assessments of your CMMC compliance that will affect your company’s ability to even bid – let alone win – contracts.
A key element of CMMC is that all parties to a contract must be CMMC compliant, including the smallest subs. CMMC will surely shake up partnerships and make organizations reexamine these alliances to reduce their risk by association and to bulletproof their CMMC posture to bid on future opportunities.
Another component that ought to put corporate executives on alert is how CMMC will affect the risk profile of your organization. Without CMMC compliance and a formal cyber risk management protocol, your business is in danger of devaluation in M&A profiles. Your Board of Directors will have questions about your scorecard if reports demonstrate that your organization is not in step with the cyber risk standards of the world’s largest employer. Unwillingness to respond to the CMMC mandate will surely affect your business’s cyber risk insurance premiums as well.
Getting on board with CMMC is the price of doing business with the DoD and the Federal Government. It is the agencies’ way of making parties responsible for their parts in protecting government data and information. It is also true that if we want to stay in business, we must do more to develop stronger internal cyber security infrastructures, governance, and incident response protocols. We know it is only a matter of time before a bad actor potentially breaches our organization’s walls – it happens every day to major contractors, vendors, and agencies in the federal government ecosystem. CMMC is also another reminder to CEOs, CFOs, and Counsel that cybersecurity and cyber risk management must have representation at the C-suite table. Implementing valid and responsive cybersecurity models and frameworks is the best strategy for staying in business within government contracting as well as protecting your organization and our collective national security.
Les Buday is a cybersecurity expert and Director of Cybersecurity at HumanTouch, LLC in Tysons, Virginia. He is also a PMP and member of the Department of Defense CMMC Advisory Body.