Preparing for CMMC Compliance
Key Takeaways:
- Practical strategies and checklists for Cybersecurity Maturity Model Certification (CMMC) compliance build resiliency in the Defense Industrial Base (DIB) and help ensure continuity of operations.
- CMMC, National Institute of Standards and Technology (NIST) 800-171, and cybersecurity best practices in general fit into each company’s readiness plans for all major hazard types.
With less than 100 employees, DIB-Co has earned its reputation from the team’s decades of dedication to manufacturing precision components and its state-of-the-art 24/7 fully-automated machining centers. Everything DIB-Co does connects to networked capabilities, and DIB-Co’s employees continuously upskill on their increasingly sophisticated automation.
DIB-Co proudly produces its US-made precision components, which make their way into more complicated electro-mechanical end products for customers, including the Department of Defense (DOD). However, if regulatory compliance with DOD requirements ever seemed too costly for DIB-Co to remain profitable, DIB-Co, like thousands of other suppliers, would likely drop fulfillment of DOD contracts and switch all production over to commercial customers.
How could that be? The company has a deep sense of patriotism, but DOD contracts account for only a minority portion of DIB-Co sales. Consequently, DIB-Co prioritizes the diversification of its customer base by market category and by geography. In DIB-Co’s industry, that means focusing on commercial clients first, not the DOD. As a result, DIB-Co views DOD mandates on cybersecurity as important but peripheral requirements. In many cases, DIB-Co did not even realize that its customers’ customers were DOD contractors.
What does the example of a small business like DIB-Co tell us about how to make cybersecurity best practices and compliance the norm?
Nationwide DOD initiatives cannot succeed as a standalone approach. Success of DOD-led cybersecurity needs to be part of local, regional, national, and international private sector-led mobilization. ISO 9000 managed to accomplish this decades ago for quality assurance. All DIB companies understand their ISO 9000 requirement, but few worry about complying with the ISO standard for cybersecurity. No such nationwide ISO cybersecurity campaign exists yet for the ISO-related procedures needed to secure suppliers’ business continuity. The same gap underlies a complication now coming up: how small-business sub-suppliers comply with the new regulations on compromised foreign communications equipment.
Today, many of those sub-suppliers face the same existential threats driven by the pandemic as the rest of the economy. Consequently, they rightfully worry about any additional costs or personnel burdens from new regulations, particularly on cybersecurity risk understanding, containment, and reduction. Sub-suppliers also question whether they will find the right resources for CMMC upskilling and assessment, heightening those worries. These concerns merit attention given that the US still lacks a “whole of nation” public education campaign on the massive cybersecurity upskilling and assessment efforts that will be needed. From a magnitude perspective, the CMMC efforts will require direct participation from:
- 12,000+ suppliers contracted directly by the Defense Logistics Agency;
- 300,000+ DIB members who support them.
Ultimately, all 30 million US businesses will need to do their part in cyber readiness along with their international trading partners. Addressing cybersecurity in these non-defense sector US businesses goes beyond the DOD’s mandate. However, degraded security in the non-defense critical infrastructure sectors will directly impair the security of the defense sector that depends on them.
Meanwhile, the financial and communication resources dedicated to a nationwide effort have been limited despite important efforts by NIST and various agencies working on the CMMC. In addition to the limited dollars, the US still lacks a “whole of government” alignment for CMMC that would be an American parallel to the Chinese government’s mobilization. In the People’s Republic of China model, President Xi Jinping has combined a unified industrial effort, comparable to President Kennedy’s Space Race, with a comprehensive public relations campaign, comparable to the way JFK rallied the US to his President’s Physical Fitness Program by writing articles in Sports Illustrated.
ESTABLISHING 300,000 POINTS OF LIGHT FROM THE FIELD
Despite the baseline of inaction on cyber-readiness, role model businesses do exist. For example, DIB-Co worked with resources from its local chamber of commerce to upskill on cybersecurity and addressed the 110 cyber controls from the NIST 800-171 standard. This also prepared DIB-Co for a higher-level Cybersecurity Maturity Model Certification.
DIB-Co already cites value received from documenting the overall protection of its customer and supplier relationships. As evidenced during COVID-19, cybersecurity breaches are only one of the eight major hazards (Information Technology, Biological, Utility Outage, Meteorological, Supply Chain Interruption, Accidents, Hazardous Materials, Fire/Explosion) that put all companies, including DIB-Co, and their value chains at risk.
CMMC, NIST 800-171, and all the best practices for responding to hazards make sense for a company regardless of any mandate. In the words of DIB-Co’s CEO:
“We don’t have an IT staff. We depend on our expert business and process team to build cybersecurity into our standard operating procedures. As we start working out the contingencies, we’re documenting how our processes operate now. When I retire or anyone else transitions, we’ll still have those capabilities understood in a systemic way. ISO 9000 got us a long way, but this is what we needed to do to deal with a larger group of disruptions, including cyber-attacks. The goal is to have our supplier and customer interdependencies understood well enough that we get alerted to those disruptions across the network. Likewise, we’re all getting various attacks and resolving them, but we need an affordable way to exchange those lessons learned with companies across the supply chain and industry overall.” —CEO of DIB-Co, a small precision manufacturer
CALL TO ACTION: ENGAGING EXISTING DOD RESOURCES
DOD’s Defense Industrial Base Cybersecurity (DIB CS) Program, executed via the DOD Cyber Crime Center (DC3)/DOD-Defense Industrial Base Collaborative Information Sharing Environment (DCISE), provides a clearinghouse and exchange among Defense Industrial Base suppliers as the:
- No-fee operational focal point for a voluntary partnership of 770+ Cleared Defense Contractors
- Single repository for all cyber incident reports affecting unclassified networks
- Subject Matter Expert (SME) in Analysis of Advanced Persistent Threats (APTs) targeting the DIB
Since 2008, DC3/DCISE has used multiple official and industry data streams to:
- Perform more than 74,240 hours of no-cost forensics and malware analysis
- Publish more than 11,123 cyber reports
- Share more than 446,983 actionable, non-attributional indicators
Since the DIB CS Program’s inception in 2008, the voluntary partnership has grown steadily, including 50% expansion for each of the last three consecutive years. While it began with a focus on large prime contractors, the program has recently seen higher growth in the number of small and medium-sized companies joining.
With new companies added nearly every week, the voluntary DIB CS Program currently consists of:
- 57.09% Very Small (less than 250 employees)
- 18.84% Small (250-1,000)
- 9.14% Medium (1,001-5,000)
- 3.54% Large (5,001-10,000)
- 11.38% Enterprise (10,001+) companies
DCISE offers products and services tailored to support defense contractors based on industry sector and cybersecurity maturity. In support of a DIB CS Program pilot, DCISE has extended its offerings to a small pool of non-cleared defense contractors, with the intention of expanding these offerings once the initiative moves out of the pilot phase.
“According to a partner survey, information from DC3/DCISE has helped reduce risk for 80% of the participating organizations and has alerted 65% of those organizations to a previously unknown threat.”
—Ms. Krystal Covey, Director of the DOD Cyber Crime Center’s DOD-Defense Industrial Base Collaborative Information Sharing Environment (DC3/DCISE)
By Ted Rybeck, Chair, Benchmarking Partners, & Chair, NDTA Cybersecurity Best Practices Committee