We all know cybersecurity is a critical component of doing business in this day and age, but for the more than 1,100 aerospace-related companies in the state of Oklahoma good cyber hygiene is not just critical – it is very nearly a mandate.
The on-again, off-again rules around the Cybersecurity Maturity Model Certification (CMMC) have left everyone frustrated, but we may be closer to a solution, and that is good news for Oklahoma's aerospace industry, contractors, and sub-contractors.
Recently, the federal government surprised the cybersecurity community by revealing considerable changes to the CMMC, a set of cybersecurity standards intended to protect sensitive information in the defense contracting sector. Cybersecurity professionals have been working with companies around the nation to prepare for an eventual mandate of the CMMC, and the DoD signaled that changes to the CMMC are on the way in response to comments from the private sector.
In a town hall meeting on Tuesday, November 9, federal representatives responsible for the change acknowledged that the original set of regulations, dubbed "CMMC 1.0", was too burdensome and restrictive on small and medium-sized businesses. They further admitted that the original iteration cast too wide a net. The new revision, titled "CMMC 2.0", aims to reduce the burden for those businesses by allowing room for waivers and plans of action in response to deficiencies, and by requiring fewer companies to undergo third-party audits.
“Based on what we know now, CMMC 2.0 appears to include a level of common sense that was not apparent in the first iteration,” said Guernsey Director of Cybersecurity Consulting Tim Fawcett. “The new iteration makes a clear effort to be truly risk-based and shows the DoD’s commitment to supporting small and medium business while still requiring cybersecurity best practices for all DoD contractors.”
The requirements under CMMC 2.0 are based on standards that Defense Industrial Base (DIB) companies have been required to meet for nearly a decade; the difference is that the annual self-assessment will now require the signature of a company executive, ensuring that accountability for meeting the regulations is tied to an individual. Another welcome change is that CMMC 2.0 will only pull requirements from National Institute of Standards and Technology (NIST) publications, NIST being the appropriate body for defining cybersecurity standards. While CMMC 1.0 relied heavily on NIST guidance, it also included multiple practice requirements unique to CMMC. As a result of the new approach, any changes in guidance would be required to go through the standard change process at NIST, which requires public comment. This is a smart approach: not only does it remove the DoD as a standard-making body, it will also make it easier for other federal agencies to adopt CMMC as a compliance vehicle.
The CMMC accreditation body estimates the number of DIB companies required to undergo a third-party assessment at around 40,000, down significantly from the estimated 300,000 under CMMC 1.0. This change will likely allow for more discernment in selecting the organizations that will be performing these reviews, making it easier to control and ensure the quality of these assessments. "As an organization preparing to be a Certified Third-Party Assessor Organization (C3PAO), we were concerned that the CMMC-AB would find it difficult to enforce quality. With the announced CMMC 2.0 changes we are far more optimistic about the long-term viability of the third-party assessments," stated Fawcett.
When pressed for a timeline on when CMMC 2.0 will be mandated, CMMC representatives stated that the new model will require a time window for public comment, internal review, and congressional review before the final specifics are added to the U.S. Code of Federal Regulations. While the overall timeline remains tentative, early signals indicate that CMMC 2.0 could be required as early as the fourth quarter of 2022, with voluntary assessments beginning in early 2022. The DoD has noted on its new CMMC 2.0 website that "[They] are exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period."
Guernsey has created a free CMMC Gap Analysis Self-Assessment to help companies measure their current ability to comply with CMMC.
Timothy Fawcett, CISSP, CISA, CSSA, is Director of Cybersecurity Consulting at Guernsey.