CMMC Compliance Time Running Out for DoD Supply Chain Businesses
With the CMMC rollout already in high gear, the time to enlist a managed IT cybersecurity specialist was yesterday. The DoD deadlines are fast approaching.
The federal government is gravely serious about the U.S. Department of Defense supply chain outfits meeting cybersecurity thresholds, and the clock is winding down on critical deadlines. Cybersecurity Maturity Model Certification (CMMC) guidelines have already been rolled out, and companies that think this will be business as usual could find themselves on the outside looking in as their competitors gain the lion’s share of lucrative DoD contracts.
In the past, the federal government’s response to defense industry outfits that failed to comply with cybersecurity mandates was stiff fines. This time around, you either meet one of five cyber hygiene levels that secure the controlled unclassified information your business stores, or you cannot engage in DoD work.
“Our adversaries are working hard every day to exfiltrate, hack, and breach our supply chain. CMMC is about creating critical thinking skills for Cybersecurity, and not another checklist. I don’t want to lose a single supplier. Still, the culture of the DoD has changed, and cyber best practices are now mandatory,” Katie Arrington, CISO for Assistant Secretary for Defense Acquisition, reportedly said.
This mandate extends to every outfit, whether you are welding the hulls of submarines or supplying toiletries on a government deal. And self-audits are now off the table. That’s why the following deadlines, cybersecurity levels, and procedures require proactive attention.
Important CMMC Compliance Deadlines To Know
The official CMMC guidance was released in January. The first wave of assessors began training to audit contractors and vendors in February. The training process is expected to run through May 2020, and that’s when things could start to get dicey for businesses that are lagging.
From June through September, third-party audits will get underway. These apply equally to large defense contractors and to small and mid-sized companies. To even enter a bid on a DoD contract, your business must meet its respective compliance level. Outfits that haven’t leveled up by October could be looking for private-sector work to fill the void left by lost federal contracts. Arrington has indicated she will not have any second thoughts about waving goodbye to non-compliant companies, because the risk to national security remains too high.
How To Determine Your CMMC Cyber Hygiene Level In Time
The CMMC unifies a variety of cybersecurity measures and brings them under one roof. These largely include controls from NIST SP 800-171A, SP 800-181B, NIST SP 800-53, and ISO 27001, among others. Those who operated under NIST SP 800-171 may recall that this guidance allowed some outfits to self-certify. That’s no longer the case. You will now need a third-party audit in the coming months against one of the following thresholds.
- Level 1: Basic Cyber Hygiene
- Level 2: Intermediate Cyber Hygiene
- Level 3: Good Cyber Hygiene
- Level 4: Proactive Cyber Hygiene
- Level 5: Advanced 24-7 Cyber Hygiene
Supply chain organizations may discover that they need heightened cybersecurity that goes above and beyond what once satisfied the federal government. The goal of this CMMC rollout appears to be to outpace rival nations trying to pilfer valuable defense data and to get American businesses thinking in terms of digital defense.
“We need to level-set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1 percent of (Defense Industrial Base) companies have implemented all 110 controls from the National Institute of Standards and Technology,” Arrington reportedly said. “We need to get to scale where the vast majority of DIB partners can defend themselves from nation-state attacks.”
The expansive cybersecurity protocols required to maintain government work will be complex, and the compliance standards rigorous. But there’s an urgency factor that many are not seeing: the vast military-industrial base in the U.S. is likely to create a backlog in the managed IT cybersecurity industry. It’s crucial to have your network analyzed promptly by a professional, so you know which level applies before that logjam occurs. Entrepreneurs and decision-makers who procrastinate could miss critical deadlines and lose out on the 2020 bids.
Contact A CMMC Compliance Expert Today
At Hampton Roads Communication Technologies, we work with DoD supply chain businesses in the Mid-Atlantic Region, Hampton Roads Virginia, north into Williamsburg and south into the Outer Banks of North Carolina, as well as throughout the country. If you are not fully immersed in CMMC compliance, contact HRCT immediately for a complimentary consultation.