Last Updated on January 15, 2024
The US Department of Defense (DoD) audit-based Cybersecurity Maturity Model Certification (CMMC) program went live on January 31, 2020. The rollout timeframe is five years; CMMC certification won’t be mandated in all DoD RFIs and RFPs until 2026. The DoD anticipates that third-party assessors will certify about 1,500 suppliers in 2021, about 7,500 more in 2022, about 25,000 more by 2023, and so on… but you know this by now.
That means SMB suppliers can safely back-burner the CMMC for several years, right?
Well, yes… if you want to be sitting on the sidelines and losing business—potentially right now or very soon—to provably secure, lower-risk competitors that DoD prime contractors will choose ahead of you.
This question of “can we dodge the CMMC?” is a focal point of the latest episode of The Virtual CISO Podcast. It features Stuart Itkin, VP of Products and Marketing for Exostar, a service provider whose secure platform transacts something like 65% of the DoD’s direct spend. As always, hosting the podcast is Pivot Point Security’s CISO and Managing Partner, John Verry.
John notes that the five-year CMMC timeframe could lull some DIB suppliers into complacency about their security postures: “Realistically, you’re either implementing [NIST] 800-171 in a provable, auditable manner or you’re implementing CMMC in a provable, auditable manner, correct?”
Stuart concurs: “For organizations that are sitting there saying, ‘Well, gosh, it’s only 1,500 out of 300,000…’ You don’t know when your number is going to be called.”
Not only that, but the DoD’s prime contractors are ahead of this curve, and they want to engage with subcontractors that are up there with them. It’s all about managing third-party risk.
“The primes… they’re looking at this in a little different way,” asserts Stuart. “We’ve heard the primes talk about CMMC is really a good start. But they’re looking beyond compliance and trying to truly understand the risk they’re taking on when they put together a capture team; the risks they’re taking on when they take on a bid.”
Stuart sends this key takeaway message from the primes to the rest of the DIB:
“’This is something you need to be doing sooner rather than later, because we are going to favor people whose risk profile we understand and can better measure.’ So that it really becomes an advantage for suppliers to take this step early, to be ready to be [CMMC] certified, and to really have kind of a competitive advantage against others as they’re looking at individual contracts.”
As a service provider, Exostar is focused on giving DoD prime contractors a “360-degree view” of third-party risk. This includes not only cyber risk but also financial and reputational risk, conflict minerals concerns, ITAR (International Traffic in Arms Regulations) risk, and more.
“So cybersecurity is step one. But for the primes, the tools that we’re ultimately working on building are to try to provide a much broader understanding of the risk they take on when they choose to work with any individual supplier,” Stuart emphasizes. “… Everybody is in this together. The dependency that primes have on their supply chain, the vested interest in ensuring that the supply chain is not only accredited and certified to be able to work with them, but truly is secure, and that it’s managing its risk.”
To listen to the complete episode with Stuart Itkin and explore the rest of the series, including the episode with Katie Arrington, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.