Cybersecurity Maturity Model Certification

CMMC: More than a controls audit.

At Optiv, we think about the Cybersecurity Maturity Model Certification (CMMC) differently. Most organizations view this as another compliance check-the-box requirement, not realizing the impact CMMC can have on their entire company if implemented in a silo.

This is more than a compliance audit; it’s a new way of doing business with the Federal Government. Without a certification at one of five maturity levels, an existing or potential defense contractor will not be able to view nor bid on new contracts once CMMC is fully implemented. This, along with new interim requirements going into effect November 30, 2020, means the Defense Industrial Base (DIB) must prove compliance through a CMMC Independent Third-Party Auditor (C3PAO) or risk losing any future business with the DOD.

Meeting CMMC requirements without slowing down your business isn’t easy. That’s why Optiv is here to help you think through a fully integrated federal business strategy. In addition to process and practice requirements, we guide you through your business growth, regulatory compliance, contract compliance, and operational needs to design a sustainably compliant and scalable solution.

The Basics of CMMC

The roll-out of CMMC means significant changes are coming to the DOD supply chain starting in 2021. As a measure to protect sensitive information, CMMC is designed to verify and provide DOD the assurance that a Defense Industrial Base (DIB) Contractor can adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Contractors will be required to meet one of five maturity levels of data security maturity – ranging from basic hygiene to “State-of-the-Art” – to have bidding opportunities for future work with the DOD. To achieve these levels, contractors must certify with independent, third-party auditors. Without that certification, contractors will not be able to view contracts they aren’t certified for, let alone bid on them.

While You Wait for CMMC

To reduce risk as CMMC is rolled out, the DOD has implemented several interim rules on the Federal Register that requires the DIB to meet certain requirements by November 30, 2020.

So, what do you need to do?

Use the NIST SP 800-171 DoD Assessment Methodology to prepare a NIST SP 800-171 Assessment Score for submission to the Supplier Performance Risk System (SPRS)
Provide the government with access to your facilities and systems for Medium and High NIST SP 800-171 assessments - DFARS 252.204-7020
Obtain the required CMMC level at time of award via a C3PAO and maintain the certificate for the duration of the contract – DFARS 252.204-7021

What are the CMMC Maturity Levels?

CMMC maturity levels serve to measure your organization’s process maturity or process institutionalization. Tasks and activities should be, to an extent, embedded or ingrained in the operations of the organization. The CMMC model consists of practices and processes that map across the five levels for all capabilities and domains.

Each of these five maturity levels consists of a set of processes ranging from ‘Performed’ to ‘Optimizing,’ and the practices range from ‘Basic Cyber Hygiene’ to ’Advanced/Progressive.’ Based on your supply chain, business goals, and current capabilities, you may need a strategy and operating plan for each level to run your Federal business successfully.

As you can see, CMMC is far bigger than “checking a compliance box.” Having non-compliance discovered in a required audit means fines and even losing your DOD business entirely.

Seems Like a Big Deal. Is It?

We know this seems like an awful lot of work and, depending on your organization, it might be. Here are some things to consider as you discuss these changes with your team and your leaders.

Do I really need more than a controls assessment?

Yes. Without a fully integrated federal business strategy and a clearly delineated system security boundary, your entire business could come to a halt due to a government audit. Growth, scalability, backend business support, and other similar elements should all be considered upfront, too, so you build a sustainably compliant model from the start.

Why should I care if I am non-compliant?

Contract termination: If your organization is found to be non-compliant, its contract will be terminated. Plain and simple.
Breach of Contract Lawsuits: Legal action by the government could be taken due to surrounding negligence for not maintaining contract and regulatory requirements
Fines: The Federal Trade Commission (FTC) has the authority to investigate, and fine companies that are found to not be meeting the stated requirements
Loss of Future Revenue: Non-compliance could lead to permanent exclusion or temporary suspension from participating in some or all federal contracts in the future

General David H. Petraeus, USA (Ret.)
Partner, KKR
Chairman, KKR Global Institute
Optiv Board of Directors

“U.S. businesses are experiencing a dramatic escalation of threats in cyberspace – from nation states, criminal organizations, extremists, company insiders, and hactivists – and the threats have been growing in sophistication, as well.

Moreover, all of this has come at a time of transformation in how businesses operate as a result of the measures taken to reduce the spread of the global pandemic. The combination of increased threats and new vulnerabilities has made cybersecurity ever more difficult.

Nowhere is the substantial increase in the quantity and quality of threats in cyberspace more important than in the companies that are part of the supply chain of the Defense Industrial Base; indeed, cybersecurity shortcomings in those companies can result in serious damage to federal operations and compromise our national security.

American firms must upgrade their cyber defenses, and Optiv is determined to provide American companies with the most effective and most efficient comprehensive, integrated, managed cybersecurity solution possible.”

Contracts with DOD require deep knowledge

Get it right the first time.

As an information security leader, you are challenged by evolving information security requirements and the threat of intrusion and data leakage – now more than ever. And, as a DOD Contractor, you are ultimately responsible for addressing the risks specific to your environment and furnishing adequate security.

Yet you face these challenges:

Insufficient Resources
Compliance can be time-intensive and technology capabilities can be cumbersome (E.g., monitoring the network, penetration testing, etc.). Federal contractors frequently do not have the resources to comply with CMMC requirements.

Lack of Formalization
Over 60% of the effort to comply with CMMC Level 3 requirements are based on formalization and documentation aspects (E.g., policies, procedures and resourcing plans). Getting the support and resources to focus on the time-intensive task of documenting how requirements will be met and by who, rather than the technology capabilities carrying these processes out, is not always easy.

Inadequate Training and Awareness
Often, federal security requirements are new to your internal stakeholders. Key contractors need to understand the requirements they must abide by and their importance to national security.

Optiv understands the challenges faced by Federal Contractors and has an established team of cybersecurity professionals experienced in national security, compliance, and security program transformation who are ready to help commercial entities achieve CMMC compliance.

Optiv’s End-to-end CMMC Solutions

We have the solution, and the team, including numerous cleared practitioners such as:

Wendy Overton
Managing Director, Strategy & Transformation
wendy.overton@optiv.com

Wendy is a former DOD civilian intelligence analyst who advises Fortune 50 companies and higher education institutions in building capable federal business strategies that meet regulatory compliance requirements.

Justin Williams
Managing Partner, Strategy & Transformation
justin.williams@optiv.com

Justin is a leader whose developed strategies are shaped by a deep technical understanding, threat awareness and passion to protect America’s National Security. His strategic approach creates value, while delivering practical risk reduction for businesses with a keen focus on operational and cost optimization.

Optiv’s Strategy & Transformation Team brings a wealth of knowledge to every client engagement. Many are former CISOs, government employees, and auditors with in-depth familiarity with DFARS 252.204-7012, CMMC, and all related requirements. We have premier security teams able to establish a plan, implement a compliant program and technology stack, and operate your environment.

Our team understands that successful CMMC compliance requires more than a simple assessment. No matter your business's size and needs, our tailored CMMC solutions will help keep it running, growing, and compliance-ready now and into the future.

We start by taking a look at your holistic business needs and designing a tailored integrated federal business strategy that enables success, no matter how complex your business might be. We also review your current state of readiness against CMMC practice and process requirements, your current contracts, and operating needs. Our solution culminates in a holistic roadmap that reflects our overall approach, focusing on three key elements:

People: Optiv knows your people are what is most important for a successful CMMC program, including a bespoke training program, stakeholder awareness and an optimized organizational design.
Process: Documented processes, policies, and procedures enable your organization to apply effective and compliant workflows consistently. Paired with a clear and thorough compliance package, process maturity is one of the most essential elements to making your certification audit more efficient.
Technology: CMMC certification will require your organization to have a compliant and hardened technology stack to protect infrastructure and applications within the defined CUI boundary.

Contact us, and we can:

Advise and collaboratively strategize on an approach that works for your business. We can develop an overarching federal business and CUI protection strategy, leveraging your existing resources to protect your current and potential revenue.

Implement a federal business and CUI protection strategy which may include organizational design, governance, processes and a compliant and scaleable technology stack to successfully adhere to CMMC requirements.

Operate and continuously monitor your federal business environment, designed to protect sensitive data. Unique opportunities and compliance needs are evolving, and your business needs to be prepared for recurring audits and a dynamic landscape.

Optiv’s CMMC Capabilities