The Defense Industrial Base (DIB) is complex and enormous, comprised of hundreds of thousands of companies across the country that – according to the Cybersecurity and Infrastructure Security Agency – are responsible for, “…[enabling] research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.”
And while America’s military looks at the DIB and sees the private industry partners that deliver the products, services, and platforms necessary for securing our nation, they also look at the DIB and see something else – a supply chain filled with potential cybersecurity vulnerabilities that could be leveraged to compromise national security.
To help increase the security of the DIB and reduce the cyber threats and vulnerabilities in its supply chain, the military has introduced a new cybersecurity certification known as the Cybersecurity Maturity Model Certification (CMMC). This new certification will soon be a requirement for many companies looking to do business, or continue doing business, with the military, and that could have massive ramifications for companies throughout the national capital region, even those that aren't traditional government contractors.
On April 13, ACG National Capital will bring together a panel of experts to discuss the CMMC requirement and how it could impact organizations of all sizes and across many industries in our area.
In advance of that informative and important panel discussion, we sat down with one of the participants, Neal Beggan, a Principal at Cherry Bekaert and one of the nation's first CMMC Provisional Assessors, to discuss exactly what CMMC is, what ramifications companies can face if they aren't compliant, and why all companies in the national capital area, regardless of size or industry, should think about attending this event.
Here is what Neal had to say:
Corporate Growth, Capital Style (CGCS): For our readers that may not be familiar, what is CMMC and why is it being implemented?
Neal Beggan: CMMC stands for Cybersecurity Maturity Model Certification, and it's a program that was originally developed by the DoD to help protect what's called "Federal Contract Information" and "Controlled Unclassified Information", also known as "FCI" and "CUI".
In the model itself, there are five levels of certification that will be required, ranging from basic cyber hygiene all the way up to advanced. Moving forward, DoD contracts – some starting as early as this year – will require that contractors achieve a given level based on the services provided. And they will need to achieve that certification in order to be awarded that contract.
All told, CMMC is expected to affect more than 300,000 companies, which will result in approximately 450,000 assessments over the next five years. That kind of tells you the magnitude of this new requirement. But it’s being adopted for a good reason – to protect the security of the nation. The contracts are paramount to the security of our country.
CGCS: Does CMMC only impact large, prime government contractors, or are small and medium-sized businesses and subcontractors also potentially impacted?
Neal Beggan: All of the above actually. This is a certification requirement that could potentially affect everyone in the supply chain. That not only means traditional defense contractors and their subs, but it could also potentially impact their supply chains such as their IT providers when you think about things like managed service providers or managed security service providers.
It should also be noted that other agencies are considering CMMC as a way to further bolster the cybersecurity posture of the government contractors that they are doing business with and engaging with, as well.
CGCS: Other agencies, as in federal civilian agencies?
Neal Beggan: Correct.
CGCS: Is that only in the federal government, or do you anticipate this also rolling out to state, local and municipal governments as well?
Neal Beggan: Honestly, I think the sky is the limit – depending on how well the program is implemented over the next few years. I think there will certainly be people waiting on the sidelines to see how well it’s received and how well it’s implemented.
But, the intent all along was that [CMMC] would roll past the DoD to civilian agencies. And – assuming it does that – I would not be surprised at all if, years down the road, this is another widely accepted compliance program, akin to things like SOC audits and other more international-based IT security frameworks like ISO.
CGCS: Where are we in the CMMC implementation process? Is this still something that is years away, or is this something businesses have to be concerned about now?
Neal Beggan: More of the latter. This is something that’s absolutely happening right now, and it’s in process. I will say it’s still in its infancy in terms of life cycle of a compliance program. But these contracts are expected to start this year. And they have a five-year phased approach where they exponentially will increase the number of contracts year over year that have these CMMC requirements, over the next five years.
Starting in 2026, it is expected that every single DoD contract will have a CMMC requirement. So, it is absolutely a necessity that if you are intending to do business with the DoD that you ultimately will be compliant with an applicable level of CMMC. So, our suggestion to anyone that will listen is to not wait and to get out in front of it.
CGCS: What are the potential ramifications should a company fail to take action or prepare for CMMC requirements?
Neal Beggan: The overall impact is the inability to provide services to the DoD. But that could change should CMMC potentially extend well past the DoD and into other civilian agencies. So, there are many government contractors that do not currently serve the DoD that have this on their radar.
The primary impact is that you will no longer be able to serve DoD contracts. And all contracts are expected to have this requirement by 2026. So, if [a government contractor] was intending on doing work with the DoD, they will need to have this third-party certification.
CGCS: You’re going to be appearing at an upcoming panel discussion about preparing businesses for CMMC. What types of things will you be covering as part of that discussion?
Neal Beggan: It’s a great panel focused on covering the current state of affairs. As mentioned, this is still in its infancy and somewhat in flux. So there are constantly changes being made and adjustments being made, accordingly.
We have good representation from the assessor side – folks who can help prepare but who also ultimately will conduct the required third-party certifications. We also have great representation from industry that can talk about what they have done already to prepare, what they are seeing, and what their expectations are when engaging with subcontractors. We even have a panelist from an MSP provider, so we’ll be able to tackle that angle as well.
Something for everyone – really looking forward to it.
CGCS: Who should be in attendance at this panel discussion, and why is this a “must attend” event for them?
Neal Beggan: Any government contractors that either are currently serving the DoD or plan to in the coming years certainly should be paying attention to CMMC. However, as I mentioned, originally the intent is DoD, but it’s expected to roll well beyond to other agencies.
For other contractors that serve civilian agencies and may be looking to get ahead of CMMC – recognizing that this ultimately is going to come down the pike – it’d be a good idea for them to attend. Then lastly, anyone hoping to provide services – in this case, predominantly IT services – to government contractors that are serving the DoD or other agencies should also be well versed in CMMC and what it means to them.
Cybersecurity is obviously a risk that is industry agnostic and should be addressed and discussed from the board level, all the way down to the employee and contractor level. It is something that needs to be addressed by all organizations. The CMMC’s intent is to help the supply chain – in this case of the DoD contractors. But addressing cybersecurity should really be paramount for any organization at this point.