Do you have an interest in doing business with the Department of Defense? The ever-changing Cybersecurity Maturity Model Certification can be a roadblock for many companies. Learn more here.
The Elusive Cybersecurity Maturity Model Certification
Have you ever done business with the Department of Defense? Do you ever hope to? With the Cybersecurity Maturity Model Certification (CMMC) now a requirement for participation in DoD requests for information (RFIs) and requests for proposals (RFPs), many companies are struggling through the elusive and cumbersome process. But CMMC is not optional: it is designed so that only businesses holding a valid certification can bid on and win Department of Defense contracts. So now is the time to ensure your company understands the process and is on the right path to certification.
Automation Alley has an active history of working with the Department of Defense (DoD). So, when we became aware that all entities desiring to continue as contractors, or even subcontractors, to the DoD will be required to get a Cybersecurity Maturity Model Certification (CMMC), we decided we had better get on it. (See my blog from June regarding our initial reaction, entitled “Are You Ready for CMMC? Neither Are We!”).
The intent of the CMMC is to ensure that a company complies with Federal cybersecurity regulations around Controlled Unclassified Information (CUI). What is CUI? According to the National Archives, it is “unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies.” Our work under the Army contracts we’ve received to date may not necessarily contain any CUI, but we want to be ready for whatever may come. And we already had a security plan in place for complying with NIST SP 800-171, upon which most of the CMMC requirements are based.
The CMMC framework was announced by DoD officials in June of 2019. Initially, the framework was scheduled to go public in January 2020, with its requirements starting to appear in requests for information (RFIs) by June 2020. It was supposed to then become a regular feature of Defense procurement by September of 2020. I looked at an RFI with a response date of Oct 15, 2021, and I didn’t see anything about CMMC. Needless to say, things got delayed, and the pandemic certainly didn’t help speed anything along. Wondering what the new dates might be, I went to the website of the Office of the Under Secretary of Defense for Acquisition & Sustainment and was surprised to discover that their last update was dated December of last year!
All that aside, we were fortunate to get connected with the Defense Cybersecurity Assurance Program (DCAP) at University of Michigan’s Economic Growth Institute. They were able to get us into a cost-share contract with the National Science Foundation (NSF). Working with the DCAP and NSF folks made us realize that despite all of the confusing signals and constantly changing schedules, we can do this! After wrestling with all the requirements on the NIST SP 800-171 Compliance & Cybersecurity Maturity Model Certification (CMMC) v1.02 Defense Industrial Base (DIB) Contractor & Subcontractor Factsheet, which is as complicated and confusing as its title implies, we were ready to be evaluated.
Working with our terrific IT team, we submitted what we had accomplished. And on September 13 we received our CMMC Assessment from NSF. And despite a few annoying red UNSATISFIEDs, we could see that we were in the homestretch, and the finish line was in sight. Especially when just a few days later, we received our Certificate of Conformance. We made it! Now we need to actually get our CMMC. We just need a CMMC Third-Party Assessor Organization (C3PAO) to issue our certification. And how do we do that? Well, there are no C3PAOs designated by the DoD yet. So…we wait. And then comes the really hard part – convincing our subcontractors that they need to do the same thing!