CMMC: It is time to ‘get over it’

If you are reading this in hopes of the “easy answer to CMMC,” or more reasons why “CMMC is hard and should be delayed,” leave now. You will be disappointed!

I freely admit that CMMC is not perfect. There are questions that need to be resolved, lawyers and contracting officers will continue to have debates, and there is an abundance of people who will lecture about a better way it could be implemented.

Those who were engaged more than a decade ago – as I was – understand that the DoD and the Defense Industrial Base (DIB) are still debating the best way to implement the cybersecurity framework known as NIST 800-171.

But I have not met an experienced CISO who does not agree that NIST 800-171 (v1 or v2) is the ground floor for basic cybersecurity. 171 is not even a complete cyber program – it does not cover elements of availability and integrity, as an example. It is just part of what any organization (even those not in the DIB) needs to be doing.

So, why are we still debating this more than a decade later?

Some point to Controlled Unclassified Information (CUI), but CUI really should not be any more difficult than “your really important stuff you don’t want to be public”: brainstorming ideas for a new product line, planned upgrades to your award-winning application, even the diary you keep with your personal thoughts. If it is important to you, as CUI is important to the government, and not meant to be public, it is CUI. That is not the formal definition of CUI, but it is the intent, and by extension, every individual and organization has CUI and wants to protect it.

Maybe the resistance is about the rulemaking. After all, through the CMMC rules, the DoD requires us to be perfect at NIST 800-171, and perfect at anything is difficult, some claim impossible. This argument would hold more credibility if the DoD had not given the DIB years to implement NIST 800-171. They essentially said, “Promise us, via self-attestation, that you will implement all of NIST 800-171, and when it is not 100% implemented, track your gaps in a Plan of Action & Milestones (POAM) to assure us that you are closing the gaps.” In other words, you can implement NIST 800-171 on your schedule, but make reasonable progress toward 100% (documented in your POAM), and you will be good. Instead, across the DIB, most organizations have failed to make meaningful progress over the years.

There are other nits, like the DoD memo around cloud service organizations, or the real fact that it is impossible to write rules, regulations, or other guidance that perfectly fit every scenario that will arise across the DIB. But none of these are legitimate reasons to avoid reality. You need to implement NIST 800-171 now! Full. Stop. No more debate, hesitation, or other excuses.

What’s more: This applies to all organizations, not just those in the DIB. While those in the DIB have a need to move faster and have known this longer than most, it is high time for all organizations to act.

If we think of cyber maturity as a scale from 0 (nothing in place) to 10 (best of breed), many organizations – maybe even most – that are not forced by regulation to have a level of cybersecurity fall at or near the 0 mark. They may do a little more than 0 if required by their cyber insurance carrier, but certainly not enough.

Now, if we put NIST 800-171 on the scale, it would come in around 6. Let’s face it, going from 0 to 6 is a big improvement. I would argue that every organization should be required to meet cyber maturity in the 3 to 4 range. Going from a 3 or 4 to 6 is an improvement, but it is not onerous. The lack of a minimum cyber requirement for these companies makes CMMC appear more burdensome than it is. We need to stop pretending that a cyber maturity of 0 – 2 is appropriate for any organization.

It is time to “get over it” and implement NIST 800-171 v2. And as you do so, make sure you read and understand the v3 draft and are preparing for it. Cybersecurity is a journey, and moving from v2 to v3 will be part of that journey. Building out a culture within your organization that understands and embraces this is also part of the journey. NIST 800-171 alone is not the answer, but it is a key part.

I know many will be put off by my “get over it” statement. Those that are not, understand my real intent. We all need to protect our important stuff, our CUI. The longer we delay, the more damage is done, and the harder the journey is. And for those in the DIB, putting NIST 800-171 in place while others continue to debate it will put you at an advantage, as you will be ready to capture more work from the DoD while those who delayed scramble to play catch-up.

For those still delaying implementation, ask yourself, why? Are you intimidated by the size or cost of the task? Do you disagree that the threat actors are winning? I know you are not OK with failing your customers and supply chain partners. I assure you that the threat is real, the time to act is now, and there are no good reasons to delay. (Read my recent article on more common objections to CMMC implementation and why they don’t hold up.)

When you improve your cyber maturity, you also improve your situational and operational awareness. While the direct benefit is the ability to detect issues more quickly, it also improves your bottom line. The faster issues are resolved, the less likely they will become an outage or disruption to your daily operations. If they do rise to the level of a true cyber incident, it is well-documented that the earlier they are detected, the less it costs to resolve them. Thus, improving your cyber maturity also improves the resilience of your day-to-day operations across your entire organization, and you lower the cost of incidents and reduce the number of operational (non-cyber) disruptions.

It is the responsibility of every person, organization, and entity (public, government, for-profit, non-profit, etc.) to adequately protect its assets. It is time we all did our part – especially those in the DIB with information that every adversary pays its hackers to steal.

How CohnReznick can help

CohnReznick can help you with NIST 800-171. We were there in the beginning, we have had a DIBCAC audit, and we are a CMMC Third-Party Assessment Organization (C3PAO) that knows how to help you prepare for yours and thus be better prepared for the future.

If you are not in the DIB, we can help you reach your cyber goals, too. CMMC applies to the DIB, but NIST 800-171 – and many other cyber frameworks – apply to you.

If you are ready to improve your cyber maturity, no matter what your maturity is, CohnReznick can help. Reach out today to get started.

For more reasons to move forward now with your CMMC / NIST 800-171 implementation, read my article: 6 reasons to (not) skip CMMC

Subscribe here to receive CohnReznick’s CMMC insights and updates via email.

About the author

Steve Gilmer formed one of the earliest cybersecurity departments in a Fortune 500 company. He supplied input into the original drafts and discussions of Cyber DFARS and NIST 800-171, which included discussions held at times in Sensitive Compartmented Information Facilities (SCIFs) about the DFARS, NIST 800-171, and the threats the DIB faced.

Ron Fybish

Developer Advocate | DevRel | Turning Founders into Thought Leaders on LinkedIn

1 year

Impressive insights! Looking forward to reading your article.

Michael Corcoran

CEO | CPA | Board Director | Big 4 Partner | Cybersecurity I Business Development | M&A | Innovation | Strategy | Private Equity Board of Advisors | Managing Partner, RSI Assurance | Managing Director, Mirante Partners

1 year

The whole concept of controlled unclassified information (CUI) is weird. Why unclassified in the first place? Where are the controlled classified information (CCI) standards? Where are the uncontrolled unclassified information (UUI) standards that make up most of this?

Craig Willard MBA, PhD (ABD)

Chief Operating Officer at SimplifIT | Host of MSP After Hours | CMMC Compliance | Healthcare IT Leadership | Mindset Expert | Author | High Performance Business Coach

1 year

I do agree that DIBs should “get over it” and ensure they are in compliance. I wouldn’t agree with others outside of the DIB to apply 800-171. There are much better frameworks outside of 800-171 that are more current. I prefer CIS over 800-171... just my opinion.

Haitham Khalid

Manager Sales | Customer Relations, New Business Development

1 year

In the cybersecurity realm, it's vital to weave a seamless safety net across all sectors. What's your take on this comprehensive defense approach?

Greg Schaffer

Servant - SMB Advisory CISO - vCISO - Author - Podcast Host - SME Contributor - Mentor - Entrepreneur - Owner vCISO Services, LLC and Second Chance Publishing, LLC - CISO Novelist - Veteran

1 year

Most excellent read, thank you!
