Phil Lewis, Titania COO, took part in the recent webinar hosted by CREST USA on the US DoD’s new Cybersecurity Maturity Model Certification program. The panel included representatives from the CMMC Accreditation Body and the DoD as well as from other agencies involved in developing and promoting the CMMC program. Here are some of the highlights from the webinar (which you can listen to in full here >)...

CMMC – the North Star

The CMMC will initially apply to only US defense contractors, including their subcontractors, who handle Federal Contracting Information (FCI) and Controlled Unclassified Information (CUI). However, Charlie Tupitza from America’s Small Business Development Center (SBDC) confirmed that representatives from other industry sectors are also tracking the DoD’s CMMC efforts. Tupitza announced that CMMC could become the “North Star” for US small businesses, helping establish a common cyber security direction and foundation that all companies can use to protect their networks and data.

Resources Are Available

Although it may not be until the Autumn that the CMMC will be codified into law – through a change to the Defense Federal Acquisition Regulation Supplement (DFARS) – Katie Arrington, CISO for the Office of the Under Secretary of Defense for Acquisition, explained that CMMC was designed so that industry wouldn’t have to wait until the DFARS change to begin baseline compliance assessment and implementation plans. “We need to help those who see this as a challenge that they need to overcome,” said Arrington. The panellists also highlighted the various resources that are available to companies – DreamPort, Project Spectrum, the Small Business Administration, and the DoD itself all have information to assist businesses to prepare for CMMC.

CMMC’s Maturity Levels Offer Flexibility

The CMMC draws heavily from many other standards frameworks – NIST 800-171, NIST Cybersecurity Framework and UK Cyber Essentials, amongst others. However, one of the fundamental differences between CMMC and these other frameworks is that the CMMC consists of five maturity levels. “As a small business ourselves, what we like about CMMC is that it’s not a one-size-fits-all approach,” offered Lewis. Businesses will only have to achieve the maturity level commensurate with their work and level of sensitivity of the data that they handle, which would mean that the overwhelming majority of the defence industrial base will only require the lower CMMC maturity levels and to adhere to their respective security practices.

Commitment to Protect Supply Chain

Another fundamental difference with other frameworks is that the CMMC requires businesses to now verify that they meet CMMC’s security practices. This reflects the US government’s wider push for greater accountability within its supply chains. Indeed, one of the key recommendations of the Cyberspace Solarium Commission (CSC), published in March 2020 with the goal of developing a strategy of layered cyber deterrence, is for the US government to increase its support of supply chain risk management efforts. Ms Arrington, therefore, was keen to point out that the DoD has been clear that, because CMMC will be required by the DoD, security will now be considered an allowable cost and that companies will be able to build cyber security expenses into their rates. “The government should pay for what it’s asking for,” which is not currently the case for the existing cyber requirements (e.g. NIST 800-171).

Reliable Automation Key to CMMC Success

Although CMMC is not designed to be a one-size-fits-all model, consistent accuracy of compliance assessments will be critical to its success. If certified assessors use tools that are either inaccurate or provide inconsistent results, the efficacy of the CMMC to protect the DoD’s data will come into question. Mr Lewis concluded by sharing how Titania has been developing its capability to provide companies and auditors alike with consistently accurate CMMC assessments through the Titania Nipper tool: “We’re going to be working with CIS and other players to try and help automate CMMC compliance further and improve the ability to comply, and above all, improve companies’ actual security and ability to protect critical information.” To discover how Titania Nipper can help assess your business’ compliance with the CMMC framework - request a demo today > 

Matt Malarkey