By Kathryn Daily, CISSP, CAP, RDRP
So, in the last edition of the newsletter I wrote about the need for verification of NIST SP 800-171 compliance by the DoD contractors, suppliers and vendors who process controlled unclassified information (CUI). Well, the DoD sure delivered on that request. Mere days after the last article was published, the DoD came out with the Cybersecurity Maturity Model Certification (CMMC).
Essentially, there are five levels that an organization can achieve under CMMC, ranging from Level 1 (basic cyber hygiene) through Level 5 (state-of-the-art cybersecurity practices). Each level has its own subset of requirements that builds on the previous level(s), so Level 5 carries the most requirements. Every organization will be required to have an assessment performed by a third party (still to be determined) to verify that it actually meets the level it claims, rather than self-attesting as under NIST SP 800-171.
Sounds great, right? Well, not exactly. NIST SP 800-171 was only required of organizations that possessed CUI. CMMC is required of every organization doing business with the Department of Defense. If you make a nut that is used on a ship, you have to be certified, and no one knows what level the vendor making that nut will need, because that is up to the individual contracting office. We are supposed to be compliant by fall of 2020, when CMMC levels are added to new contracts (what happens with existing contracts is a whole different story that is still TBD), without knowing what level the RFPs will require. It is entirely possible that an organization will be assessed at a certain CMMC level only to find out that all of the contracts it would have bid on require a higher one, at which point it has paid for an assessment it cannot use. Another issue is cost. Cybersecurity compliance is never cheap, even when implemented at a low to moderate level.
Katie Arrington of the DoD is in the process of a nationwide listening tour and has stated that cost should not be an issue for small businesses because this won't be terribly expensive. I'm saying she must not have worked for a small business. This will absolutely be costly for small businesses and could be a barrier for small businesses and startups trying to get into the DoD space. Small businesses already in the DoD space could be forced out, even when they don't process any CUI.
I like where the DoD was headed with the verification process for NIST SP 800-171, but I feel like they may have missed the mark on the compliance and certification process. Of course, the CMMC document is still a DRAFT and may very well change before the projected January 2020 publication date.
If you are interested in learning more about our CMMC training course, check out our course description here.