Skip links

CMMC Listening Tour Takeaways

Flag Blog Banner Acronis SCS

Last month, I attended one of the stops on the Department of Defense’s (DoD) Cybersecurity Maturation Model Certification (CMMC) listening tour to gain a better understanding of future cyber hygiene expectations for the defense industrial base (DIB).

The CMMC, which was first announced in June, is the Department’s fresh undertaking to better measure and mitigate cyber risk across the DIB via a set of uniform cybersecurity standards. The standards, once finalized, will require members of the supply chain to meet a number of controls before they are able to bid on contracts with access to controlled unclassified information (CUI).

The move reflects a long-overdue reckoning with the very real national security threats facing our nation, and the critical role our supply chain plays in safeguarding sensitive information from adversaries. Though the Department plans to release the next draft of standards next month for public comment, the listening tour has made clear: there is still a long ways to go in the CMMC process.

For fellow small/medium-sized businesses awaiting the CMMC’s outcomes but unable to attend the Department’s listening tour, here are some of our main takeaways from the discussion:

While tax write-offs will not be an option to help companies foot the bill for certification, contractors will be allowed to include cybersecurity compliance spending within contract overhead costs. The question remains though, will this trickle down to tier two or three subcontractors, particularly small or medium-sized businesses with limited cyber protection budgets? Although the question was raised at the session, the Department’s answer lacked specifics. Without a plan in place to protect small subcontractors, who will also be required to comply with the standards, there is a very real chance they could get steamrolled.

Another key takeaway – the Department is sticking with its “go/no-go” criteria, meaning members of the supply chain must be certified by a third-party at the appropriate level (levels range from one to five) before bidding on a contract. This begs the question, is the original timetable for implementing the CMMC framework still feasible? The Department seems to think so, though it did analogize the process to a “fast-moving train.”

To alleviate concerns that companies will not have enough time between when the standards are finalized by January and when they will be incorporated into contracts next fall, the Department plans to provide both contractors and third-party certifiers with “desk guides” designed to make expectations and steps crystal clear. This is a smart and necessary move, but many companies will likely still find it difficult to comply in time.

As a result, the defense industrial base must take stock of its cyber hygiene and start making changes now, rather than waiting for the final framework to come out. Luckily, there are concrete steps your organization can take today to be more cyber fit. For tips on how to shore up your internal security model using zero trust and least-privilege access frameworks, check out our recent post on the topic. If Acronis SCS can serve as a resource to your company as you navigate the CMMC process and make changes to your cyber protection, please don’t hesitate to contact us.

After all, this is not just about being able to bid on future contracts – it’s about ensuring we, as members of the defense supply chain, do our part to keep both our companies’ proprietary data and the country’s sensitive national security information safe from persistent and very real threats.