The Defense Industrial Base (DIB) is under constant threat of cyber warfare activities by cybercriminals and state-sponsored actors. To help prevent losses of intellectual property and CUI, SEI researchers helped the federal government develop CMMC, a program built upon established cybersecurity standards and best practices to reduce the risk of cyber threats in the DIB. This intention is exemplified by a quote from the architects of the Cybersecurity Maturity Model Certification (CMMC 1.0) framework:
“In addition to protecting the confidentiality of CUI data, the DoD wanted a model that would change organizational behavior to be more security conscious. The CMMC meets that objective by adding practices to those included in 800-171 to ensure an organization is implementing a well-rounded security program.”
In 2019 the Department of Defense (DoD) Office of Acquisition announced, in essence, that Cybersecurity Maturity Model Certification 1.0 (CMMC 1.0) would be required for DIB companies to do business with the Department, replacing the mechanism of self-attestation of basic cyber hygiene that DIB vendors had used since 2017. The DIB has close to 350,000 companies, varying in size from very small organizations to mega multi-national corporations with hundreds of thousands of employees. There was appreciation that not every company needs to have the most stringent controls in place. The CMMC-AB, the organization chartered to build CMMC, after months of effort came up with a framework akin to CMMI, with five levels of cybersecurity maturity ranging from ad-hoc cyber processes and practices at Level 1 to advanced proactive measures, processes and practices at Level 5.
CMMC 1.0 was updated to CMMC 2.0 in November 2021, which now has essentially 3 levels (Low, Medium and High), and companies at the Low end of the risk spectrum will be able to self-certify. As a business-oriented CISO with an entrepreneurial mindset, I personally believe that pushing to downgrade the compliance requirements is an opportunity lost by most small and medium enterprises.
CMMC in my opinion will raise cybersecurity from the realm of being a “Cost” to the realm of being a “Business Enabler”. Many CISOs lament, and rightly so, that cybersecurity is viewed as a “cost and a burden” by management and almost always faces the first sweeping cuts when there are budgetary issues. If you talk to most CISOs they will tell you that most of their time and energy is spent negotiating for better operating budgets so that they can better protect the organization. CMMC provides an opportunity: companies that realize the critical importance of cybersecurity and move to meet compliance at the required level will benefit by winning more work from the government, given the level of trust in their security program that certification will demonstrate to the government.
Companies that adopt the framework early and comply with its requirements will have the “first-mover advantage” and the ability to grow faster, being in a better position to win business than the companies that procrastinate. It is a reality of our times that cybersecurity is an existential threat and, in the case of our DIB, a major National Security concern. Companies that work on maturing their cybersecurity processes and get better at it stand to win.
CMMC is the first effort of its kind to require vendors to have robust security programs, and the industry is watching it keenly. The market is moving towards a scenario where big businesses will require robust and secure environments at the vendors with whom they share their data. Every business conversation will have security and privacy as major points of discussion; this will eventually become a reality. Similar frameworks will come up that civilian and commercial industry will implement to ensure that their information supply chain addresses security and privacy risks. For the DIB, CMMC is the enabler that CISOs need to be invited to discuss business!
Jitendra Chandna is the Chief Information Security Officer at Maryland Department of Human Services and a mentor and advisor to many startup companies, helping them identify their market niche, assisting them in building their product strategies to succeed in the market and also to build strong companies from the ground up by focusing on high performing diverse teams. He has been a MACH37 Stars Mentor since 2014.