Defense Leaders Urge Compliance With Final CMMC Cybersecurity Rule
Pentagon leaders say businesses should start complying with current standards to avoid costly changes later.
Defense leaders urge contractors to prioritize compliance with the department’s upcoming Cybersecurity Maturity Model Certification (CMMC) 2.0 rule set to publish next week.
“Don’t sit on the sidelines. There are things that you can do today that are no cost or low cost [to ensure compliance],” said Farooq Mitha, director of the Defense Department Office of Small Business Programs, at the Professional Services Council’s Defense Conference in Arlington, Virginia, Tuesday. “The more you can prepare for what’s coming, the better it’ll be for your business.”
The department’s update to the CMMC program outlines security controls for all three CMMC security levels, establishes processes for monitoring compliance and defines roles ensuring cybersecurity for the federal government, contractors and third parties. The rule applies to all DOD contractors and subcontractors that process, store or transmit federal contract information (FCI) or controlled unclassified information (CUI) on contractor information systems.
Mitha noted that contractors of all sizes can take steps to implement self assessments now.
“We want all our suppliers — small, medium, large — to be compliant with the current standards,” said Mitha. “It’s already required just that they’re able to solve the test [of self-assessments required by CMMC]. We’re hoping that companies are compliant, and they are doing more to move toward compliance once [CMMC 2.0] rolls out. It gives a competitive advantage to the small business to make investments early.”
Pentagon Senior Information Security Officer David McKeown added that DOD is examining how to include previously assessed businesses in compliance with CMMC when 2.0 is finalized.
“If you did get one of those early assessments [prior to the rule’s release], we’re looking at ways that we can potentially grandfather either part of that certification that you went through … or grandfather in to where it’s a full three-year accreditation,” he said at the conference.
McKeown and Mitha spoke to some of the concerns in the contracting community that CMMC compliance would be too expensive.
The DOD Office of Small Business Programs provides resources to small contractors to help them achieve compliance, Mitha said, because small businesses are often most vulnerable to cyber attacks.
“In my office, we launched a platform several years ago called Project Spectrum,” said Mitha. “I think there is a [bipartisan] consensus in industry, government … that our small businesses are the most vulnerable part of our industrial base, prime contractors and subcontractors.”
McKeown noted that compliance is necessary for the DIB to strengthen cybersecurity and cited recent breaches and intellectual property theft.
“When you look at the Chinese F-35, the Russian space shuttle and all the intellectual theft that has gone on,” said McKeown, “all of us have worked hard on [these projects] and spent taxpayer dollars to develop them. It’s a shame to see that go out the door so quickly and easily.”
This is a carousel with manually rotating slides. Use Next and Previous buttons to navigate or jump to a slide with the slide dots
-
Looking Back at the First Trump Administration's Tech Priorities
In his first term, Donald Trump supported cybersecurity, space policy and artificial intelligence development.
4m read -
Securing the Expanding Attack Surface in Cyberspace
Agencies undergoing digital transformation face a more intricate threat landscape and a wider threat target for adversaries looking to exploit vulnerabilities. This panel dives into strategies agencies are undertaking to safeguard these complex environments, including zero-trust architecture, vigilant monitoring and robust cybersecurity training.
30m watch -
Elevating Cybersecurity in the Intelligence Community
The Intelligence Community is developing strategies to protect data and strengthen resiliency against emerging cyber threats.
30m watch -
AI Revolutionizes Cybersecurity by Doing What Humans Cannot
Leaders from NSA, GAO and industry say that artificial intelligence can augment the cybersecurity workforce, but the work must be auditable and explainable.
4m read