As the Department of Defense moves forward with the phased implementation of its Cybersecurity Maturity Model Certification program, several industry studies have offered insights into how defense contractors are preparing for, and what they expect from, the department’s CMMC process.
A DOD interim rule released in September 2020 laid out a five-year CMMC implementation strategy, with the goal of minimizing the program’s financial impact on companies and avoiding supply chain disruption.
The results of several industry studies suggest, however, that CMMC compliance may bring significant cost and burden, along with possible bottlenecks in the assessment process.
From December 2020 to January 2021, Atlanta-based cybersecurity company Apptega, in cooperation with SecureStrux, surveyed 130 prime contractors and subcontractors within the defense industrial base to gather the CMMC perspectives of business owners and chief information officers.
The resulting white paper, titled “CMMC Certification Preparation Study,” found that 81 percent of participants consider CMMC an essential measure for securing sensitive information.
However, one-third of respondents said that CMMC compliance would bring unnecessary burdens and costs, adding that compliance with NIST SP 800-171 was adequate on its own, without CMMC.
Meanwhile, a study led by IPC, a global trade association, indicated that the costs and burdens that come with CMMC compliance could affect the DIB supply chain.
The report, “Strengthening national security and supply chain resiliency by improving DOD cybersecurity certification,” surveyed 108 manufacturers that are members of the association and found that 24 percent, or nearly one in four, said they might be forced out of the supply chain by the cost of compliance.
Thirty-three percent of participants said that CMMC could weaken part of the electronics industrial base, and 41 percent, or roughly two in five businesses, indicated that flowing the CMMC clause down to their own suppliers could create challenges within the supply chain.
The study also suggested that the DOD underestimated the cost of the Defense Federal Acquisition Regulation Supplement interim rule, as 68 percent of respondents said they expected to need a consultant or other third-party help to prepare for the CMMC assessment.
Limited resources and insufficient guidance for CMMC preparation could also hamper compliance. Only 49 percent of participants said they were familiar with the compliance requirements, while 52 percent said the DOD had not provided adequate guidance on CMMC preparedness.
John Mitchell, IPC president and CEO, said that while cybersecurity is crucial to national security, the cost and burden of complying under the current strategy could drive many small and medium-sized businesses out of the supply chain.
“The objectives of CMMC are well-intentioned, but they must not be achieved at the expense of other key aspects of supply chain health,” he said.
Another anticipated obstacle to CMMC compliance is a possible bottleneck in the assessment process. Under the interim rule, the roughly 300,000 contractors supporting the DOD would all need to undergo assessment.
Redspin, a subsidiary of CynergisTek, recently secured CMMC Accreditation Body approval to serve as the program’s first authorized CMMC Third Party Assessment Organization.
As a C3PAO, the security audit company can partner with organizations seeking certification and perform assessments at the first three levels of the program, CMMC Levels 1 through 3.
Just a few months ago, FedScoop reported that companies waiting to be licensed as certified assessors said they were experiencing bottlenecks in the process.
Johann Dettweiler, TalaTek director of operations, said “there is … a little bit of a log jam,” after discovering, along with other prospective C3PAOs, that they were having trouble meeting the CMMC Level 3 requirements.
Given industry’s concerns over CMMC compliance, and a rapidly evolving information technology landscape that continues to expose national security to new threats and vulnerabilities, how is the federal government developing its plan to ensure robust cybersecurity across the DOD?
Find out more at the Potomac Officers Club’s 2021 CMMC Forum on Wednesday, June 16, at 8:00 a.m. EST, where federal leaders and industry experts will discuss the issues surrounding CMMC compliance, including the accreditation body’s top priorities.