Cybersecurity Maturity Model Certification Program Is Here to Stay

The DoD publishes proposed rule on CMMC, showing slow but meaningful progress

If you logged on to work on December 26th or just snuck a peek at your LinkedIn while trying to take a holiday, you may have noticed that the Department of Defense (DoD) was not taking the day off. They announced their next steps in implementing the Cybersecurity Maturity Model Certification (CMMC) program, which was originally introduced in September 2020. 

CMMC is a new framework being developed by the DoD to ensure the security of controlled unclassified information (CUI) used or held by defense contractors in the national supply chain. According to the DoD in a Regulatory Impact Analysis report: “The CMMC Program is intended to: (1) align cybersecurity requirements to the sensitivity of unclassified information to be protected, and (2) add a certification element, where appropriate, to verify implementation of cybersecurity requirements.” 

Ready or Not CMMC Is Coming

Although the five-year implementation period that went into effect on November 30, 2020, feels like a long time, it’s important to note that not even COVID-19 could derail the introduction of the framework. The DoD has continued to make steady progress on the initiative, introducing CMMC 2.0 in November 2021. The Proposed Rule announcement underscores the DoD’s commitment to CMMC. 

The close of five years is looming large. It’s time to get serious about preparing. 

While this process is moving slowly, it’s important to start preparing now as this isn’t going away. Your preparations may include:

• Thoroughly reviewing all CMMC documentation to assess the requirements applicable to your organization
• Analyzing and identifying gaps between your current controls for NIST 800-171 and the proposed CMMC requirements
• Creating a strategic plan and allocating necessary resources to meet compliance when it goes into effect

The publication of the rule is a good reminder for federal contractors to assess what they will need to do to comply with the framework and to join the review process, if they haven’t already, to provide feedback. 

This is especially true for smaller contractors, for whom implementation may have a more significant impact on resources. 

CMMC 2.0 

Fortunately, CMMC 2.0 provided additional clarity and a tiered approach to certification. The updates came after a period open for comments and internal review similar to the period now open for comments on the published rule. 

Concerns about the burden on small contractors were at the heart of the revisions to the first iteration of the CMMC. According to the December 26th press release, “With its streamlined requirements, the CMMC program now provides for:

• Simplified compliance by allowing self-assessment for some requirements
• Priorities for protecting DoD information
• Reinforced cooperation between the DoD and industry in addressing evolving cyber threats”

These changes bridge the gap between the self-attestation model with NIST 800-171 and the unilateral compliance requirements of CMMC 1.0. The progress and additional clarity being provided for different levels of DoD contractors show positive movement toward both compromise and increased compliance oversight. 

CMMC Is a Good Thing

At the end of the day, CMMC is a really good thing. It paves the way for better security standards within the DoD contracting industry and also provides additional streamlined access for all contractors. 

Even if you are not impacted or compelled by CMMC, it’s still another solid framework for organizations to contemplate. I’ve often said that 80% of compliance frameworks largely focus on the same fundamental security practices that everyone must deploy and maintain. For example, all frameworks will expect you to have modern and robust access controls around your data and critical systems. They’ll require strong password hygiene, multi-factor authentication, logging, monitoring, IR planning, etc. Then each framework may deviate in how it emphasizes other security controls that are more related to the domain.  

CMMC serves as a great baseline because it outlines a solid foundation that will serve well for anyone needing to adhere to some form of security framework. It should be a great benchmark for the foreseeable future because it elucidates the federal government’s priorities. It informs organizations what the government considers deeply important for how data is handled at different classifications and what depths of security testing are required depending on the types of contracts you may have. Thus if you set your bar within a CMMC rating, it will absolutely translate across other frameworks if you’re compelled to comply with something different in the future.

Successful cybersecurity is hard, time-consuming, and expensive to achieve. And it is definitely an ongoing process rather than a box to check. CMMC is a move in the right direction toward compliance and more consistently securing our most sensitive information throughout the whole supply chain. 

CMMC will be a significant lift, but it’s one worth making. 

See our three-part series on the CMMC for a deep dive into the topic. Or learn more about leveraging PlexTrac to manage and report on your penetration testing and assessments.

Dan DeClossPlexTrac Founder/CTODan has over 15 years of experience in cybersecurity. Dan started his career in the Department of Defense and then moved on to consulting where he worked for various companies. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program. Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications.