
Defense Leaders Urge Compliance With Final CMMC Cybersecurity Rule

Pentagon leaders say businesses should start complying with current standards to avoid costly changes later.

David McKeown, deputy CIO for cybersecurity and senior information security officer at the Defense Department, speaks at the Pentagon in 2022. Photo Credit: Air Force Tech. Sgt. Jack Sanders/Defense Department

Defense leaders are urging contractors to prioritize compliance with the department’s upcoming Cybersecurity Maturity Model Certification (CMMC) 2.0 rule, which is set to publish next week.

“Don’t sit on the sidelines. There are things that you can do today that are no cost or low cost [to ensure compliance],” said Farooq Mitha, director of the Defense Department Office of Small Business Programs, at the Professional Services Council’s Defense Conference in Arlington, Virginia, Tuesday. “The more you can prepare for what’s coming, the better it’ll be for your business.”

The department’s update to the CMMC program outlines the security controls required at each of the three CMMC levels, establishes processes for monitoring compliance and defines the roles and responsibilities of the federal government, contractors and third-party assessors. The rule applies to all DOD contractors and subcontractors that process, store or transmit federal contract information (FCI) or controlled unclassified information (CUI) on contractor information systems.

Mitha noted that contractors of all sizes can begin conducting self-assessments now.

“We want all our suppliers — small, medium, large — to be compliant with the current standards,” said Mitha. “It’s already required just that they’re able to solve the test [of self-assessments required by CMMC]. We’re hoping that companies are compliant, and they are doing more to move toward compliance once [CMMC 2.0] rolls out. It gives a competitive advantage to the small business to make investments early.”

Pentagon Senior Information Security Officer David McKeown added that DOD is examining how to give credit to businesses that were assessed before the rule’s release once CMMC 2.0 is finalized.

“If you did get one of those early assessments [prior to the rule’s release], we’re looking at ways that we can potentially grandfather either part of that certification that you went through … or grandfather in to where it’s a full three-year accreditation,” he said at the conference.

McKeown and Mitha also addressed concerns in the contracting community that CMMC compliance would be too expensive.

The DOD Office of Small Business Programs provides resources to small contractors to help them achieve compliance, Mitha said, because small businesses are often most vulnerable to cyber attacks.

“In my office, we launched a platform several years ago called Project Spectrum,” said Mitha. “I think there is a [bipartisan] consensus in industry, government … that our small businesses are the most vulnerable part of our industrial base, prime contractors and subcontractors.”

McKeown noted that compliance is necessary for the defense industrial base (DIB) to strengthen its cybersecurity, citing recent breaches and intellectual property theft.

“When you look at the Chinese F-35, the Russian space shuttle and all the intellectual theft that has gone on,” said McKeown, “all of us have worked hard on [these projects] and spent taxpayer dollars to develop them. It’s a shame to see that go out the door so quickly and easily.”
