CMMC – What We Know and What We Don’t

By Kathryn Daily, CISSP, CAP, RDRP

So by now, I’m sure you’ve seen a ton of articles on the Cybersecurity Maturity Model Certification (CMMC) initiative. A lot of information has been released but there are still a lot of unknowns.

What We Know

We know that it’s mandatory for all contractors who wish to do business with the Department of Defense. We know that there are 5 levels of compliance ranging from level 1 (basic cyber hygiene) to level 5 (state of the art cyber program). We also know the full control set now with the release of CMMC Version 0.7 that came out last month.

What We Don’t Know

We don’t know who will make up the accreditation body and how assessors will be validated. It’s great that we have the control set, so that we as contractors can begin working on our compliance, but until we know the entire process, it’s hard to map out a project plan. Will there be a limited number of assessors that will cause a backlog of contractors waiting to get certified? Currently there are marketplaces popping up that purports to have a repository of auditors for the CMMC validation. One such marketplace has 120 (as of last week) auditors listed in their directory. At some point this makes no sense, we don’t even have an accreditation process or body to oversee said process. At a minimum, it appears folks are seriously jumping the gun.

Which contracts will be coming out in the fall of this year with CMMC requirements? It’s unfathomable that all contracts will include CMMC requirements out of the gate. Will it be specific DoD agencies that begin rolling out the CMMC requirements? Specific industries? Completely random? Who knows. We may not get an answer to this until fall.

Another unknown is which contracts will require which level of certification. Will a contract currently held by a small business eventually require a level 5 certification, thus requiring a state of the art cyber program that only a top defense contractor can comply with? DoD spokesperson Katie Arrington has stated several times that it won’t be cost prohibitive for small business, and level 1 and 2 might be tolerable… and maybe level 3 but a small business with 5 employees will never have the resources to comply with a level 5 CMMC certification.

What will this all cost? Ms. Arrington has stated that CMMC compliance is an allowable cost. That means to me that subs will pass that cost onto primes and primes will pass it on to the government. This is going to result in contracts that are much more costly to the government. It will be interesting to see just how much overall this initiative ends up costing in the long run. Now I’m not saying security isn’t worth an additional cost, because it is, but the end number should be interesting.

Conclusion

While we know enough to get us started, there are still a lot of unknowns that make planning for certification difficult. That being said, OUSD has stayed true to their word with respect to the schedule thus far, which is promising and helps us to prepare for milestones to come. Hopefully some of our unknowns will be answered with the release of V 1.0 that is scheduled to be published this month.

Posted in: