The Cybersecurity Maturity Model Certification (CMMC) is a new Department of Defense (DoD) initiative to improve the cybersecurity posture of the defense industrial base. The standard will be phased in over the next five years, after which all defense contracts will require CMMC compliance from every contractor and subcontractor. Big or small, businesses that want to work on DoD contracts must meet these new standards.
What Level of CMMC do Small Businesses Need?
The level of compliance required, from Level 1 to Level 5, depends on the specific contract, but every contractor and subcontractor that processes Controlled Unclassified Information (CUI) will need at least Level 3. If your organization only handles Federal Contract Information (FCI), you will need at least Level 1. The CMMC framework is designed to guide contractors up through the levels, with Level 2 intended as a transitional step between Levels 1 and 3.
NIST SP 800-171 and CMMC have very similar requirements, and small businesses may need to meet one or both in order to reach the CMMC level required to bid on a contract. Full NIST 800-171 compliance maps closely to CMMC Level 3: Level 3 includes all 110 NIST 800-171 controls plus 20 additional CMMC practices. The major difference between the two is that NIST 800-171 allows self-attestation, while CMMC requires a third-party assessment. Adding that step can be a struggle for some small businesses, but independent verification confirms that policies are actually implemented and that controls meet the standard, rather than merely being written down.
CMMC Compliance Challenges for Small Businesses
CMMC compliance is expected to be a challenge for all defense contractors. However, small businesses, which do not have the resources or the existing level of compliance of large enterprises, will face particular difficulties on the road to CMMC compliance. Some of the challenges CMMC presents for small businesses include:
Awareness of Requirements
CMMC is a new requirement, and many of the companies affected by it do not even know that it exists. A survey of government contractors in November 2020 found that 58% of them did not know what CMMC was. Among small and medium-sized businesses, awareness of the requirement and of their responsibilities under it is likely to be significantly lower.
CMMC also has multiple levels of compliance, and the number of requirements grows rapidly with each level. Level 1 mandates 17 security practices, while Level 3, which most DoD contractors will be expected to achieve, requires 130 (the 110 controls of NIST 800-171 plus 20 CMMC-specific practices).
Lack of IT Staff
Many small businesses have small or no dedicated IT teams, which will make it difficult for them to achieve, demonstrate, and maintain compliance with CMMC. For example, the on-site assessment for Level 3 is expected to take three to four days on average, during which the assessor validates that evidence and documentation exist for each security control. Someone has to produce and maintain that evidence before the assessor arrives.
Supply Chain Visibility
CMMC is designed to secure the entire supply chain of the defense industrial base, so contractors are responsible for ensuring that their subcontractors and suppliers are compliant as well. Overall, only 12% of defense contractors are confident in the cybersecurity of their vendors. Small businesses often lack full visibility into their supply chains and will likely struggle to verify that every supplier handling CUI or FCI meets the required level.
Competition for Auditors
The first contracts requiring CMMC compliance roll out this year, but the process for certifying auditors is still being finalized. With an estimated 300,000 companies affected by CMMC, it may be difficult and expensive to schedule a slot for the required third-party audit.
Preparing for CMMC for Small Businesses
CMMC will be rolled out over several years, but the timeline is much shorter for some organizations: ten contracts will require CMMC compliance in 2021, affecting an estimated 1,500 organizations. Companies that want to bid on defense contracts in the future need to start preparing now.
For small businesses without the necessary cybersecurity and regulatory expertise in-house, that means working with a trusted partner who can guide you through the process. Contact us to learn more about getting started with NIST 800-171 and CMMC compliance.