The federal government has mandated that all contractors and subcontractors in the Defense Industrial Base (DIB) that handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) must meet the requirements laid out in the Defense Federal Acquisition Regulation Supplement rule "Assessing Contractor Implementation of Cybersecurity Requirements" (DFARS Case 2019-D041). The rule describes a phased rollout, with a deadline of October 2025 for full compliance.
The requirements can seem about as clear as a brick wall to someone who doesn't speak the language, and they often sound as if they are saying two different things at once. Will this affect me or won't it? The short answer is that every DIB business will need to achieve Cybersecurity Maturity Model Certification (CMMC) Level 1 at a minimum before taking on contracts (handling CUI requires a higher level). Until October 2025, however, only contracts that specifically cite a CMMC level flow that requirement down to their subcontractors. In other words, every DIB entity will need CMMC Level 1 by October 2025, or sooner if a contract requires it. To avoid being shut out of contracts now and to prepare for what is coming either way, Trawvid Sec recommends getting started as soon as possible.
As of this writing, achieving any CMMC level requires an assessment of your business practices and processes. CMMC is still new and there are not many certified assessors yet, so don't be surprised if this changes, but don't count on it changing either. To reach Level 1, your business must implement 17 practices drawn from NIST SP 800-171, which are assessed against the objectives in NIST SP 800-171A. The full list appears in the official CMMC Level 1 Assessment Guide. If your business already knows the FAR 52.204-21 basic safeguarding requirements, the CMMC Level 1 practices will look familiar. It is important to note that CMMC Level 1 is not the same as a NIST SP 800-171 Basic Assessment: the Basic Assessment is a self-assessment scored against all 110 requirements of NIST SP 800-171, while CMMC Level 1 covers 17 practices and is verified by a certified assessor. We at Trawvid Sec have seen many small and medium-sized businesses confuse the two; they overlap, but they are not the same. The next article will dive into those differences. For now, just understand that CMMC Level 1 is closest in concept to FAR 52.204-21, but it requires an assessment by a CMMC certified assessor (all CMMC levels require a certified assessment).
The good news is that you may be able to take advantage of small business grants for development and training. For our clients, we have successfully procured grants that fund the CMMC-specific training and development we provide. Not every business will be awarded a grant, but it is an avenue worth exploring.

If a contractor doesn't want to comply with CMMC Level 1, then, as stated above, they won't be required to until October 2025. However, if a contract arrives that stipulates a CMMC level, know that you will have to pass on it. CMMC has already begun to show up and flow down to subcontractors; one of our clients had it appear on every single contract. If you try to save a few dollars now by waiting, you could lose far more by missing out on contracts that specifically require it. Not complying with CMMC now could cost you very little or everything. Every business is unique; the only sure thing is that you will need to comply eventually, and we recommend getting ahead of it.

Whether you hire a full-time, salaried employee to handle compliance or talk with a consultant only when needed so you don't pay for more than you use, someone will need to take on this workload. Small businesses are usually stretched thin already, so it may be unrealistic to expect a current employee to also become a cybersecurity expert. Trawvid Sec offers a free initial consultation to assess your situation and the best path forward. Our line is always open; feel free to use the chat widget on Trawvidsec.net or our contact page.
Cybersecurity is an ever-changing field that is nearly impossible to keep up with without a framework and some dedicated effort. The US government is mandating CMMC to make sure every entity in the DIB maintains a baseline cybersecurity posture. This will undoubtedly place administrative and operational stress on any small business, but with a good plan for tackling the issues at hand, you can overcome it. Please reach out to us if you have any questions; we want to see you succeed.