Challenges in Adopting CMMC Standards

challenges in adopting CMMC standards

Many small businesses owners have expressed concerns about the challenges in adopting CMMC standards.  While the Department of Defense (DoD) has been stressing the necessity for contractors to reach various levels of Cybersecurity Maturity Model Certification (CMMC) for years now, many businesses are at a loss as to how to implement an effective program despite the fact that failure to reach certification may hinder their ability to be eligible for DoD contracts.

This situation continues despite efforts by the DoD to ease implementation through the creation of CMMC 2.0, which was created following push back from the DoD contractor community.

Cybersecurity is Complex

In an interview with Federal News Network, Dr. Kelly Fletcher, principal deputy CIO for the DoD, recounted feedback from small business owners who were confounded by CMMC requirements.  In one instance when Dr. Fletcher was giving a presentation to the public on cybersecurity, the owner of a building contractor company politely stated, “Lady, I don’t know what you are talking about”.

This is a good summation for many in the business world.  While they may have high levels of competence in their respective fields, they are not cybersecurity experts.

The requirements laid out in CMMC are well intentioned.  There is a definite need for data security for government contractors who handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  Adversaries of the United States are actively engaged in stealing this information in efforts to duplicate technologies under development.  There are, however, real challenges in incorporating these security practices into the daily operations of a small organization.

CMMC 2.0 Requirements

Currently CMMC 2.0 requirements are divided into three levels of compliance:

  • Level 1 – Foundational is comprised of the 17 practices described in FAR 52.204-21 and requires an annual self-assessment.
  • Level 2 – Advanced is comprised of 110 practices which are aligned with the NIST SP 800-171 Revision 2 This is a set of security practices and security standards for non-governmental organizations that handle CUI.  It requires that a third-party assessment by conducted every three years for information deemed critical for national security.  It also requires an annual internal assessment
  • Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 cybersecurity standard and includes further controls.  There is also a requirement for triennial assessments conducted by government representatives. 

Upon further investigation, one will find that NIST SP 800-171 involves references to over half a dozen other documents which are comprised of thousands of pages.  While these documents describe the implementation of controls and development of a risk management framework, they often fail to provide solutions easily integrated into business practices.

NIST SP 800-171 and Business Management

While NIST SP 800-171 does contain a number of requirements for establishing and maintaining a cybersecurity program, it often comes up short in detailed descriptions on how non-IT functions are to be executed.  This is particularly the case for critical functions such as auditing and management review.  These functions must be performed properly to insure that accurate assessments have been conducted.

Businesses operating in the defense sector often utilize ISO management systems to effectively and consistently provide products and services.  These management systems can address quality, legal and regulatory compliance, environmental compliance, and information security requirements for a company. They share a harmonized approach to business management that includes a methodology for continual improvement.

ISO-27001 Information Security Management Systems

An Information Security Management System is a collection of policies, procedures, and controls that systematically address information security in an organization.  It is a framework based on risk assessment and risk management.  The most widely recognized and instituted ISMS in the business environment is ISO 27001.  It shares many of the features of a quality management system such as ISO 9001. 

Because ISO 27001 is configurable to your company’s requirements it is an effective means of organizing data security.  This is because it includes a complete process and involvement of all stakeholders in monitoring and preventing cyberattacks.  An ISMS can readily address numerous issues because centers it around policies and processes that are adopted from top management down and includes all stakeholders including third parties. 

Because an ISMS is a management system it incorporates mitigation strategies beyond technical controls.  It specifically addresses auditing, training, and management review.  Additionally, because it shares the basic structure of other management systems, it can be more easily implemented and maintained in the daily operations of a business.

CVG Strategy Information Security Management System Consultants

To assist businesses meet the challenges in adopting CMMC standards, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in a ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes and much more. 

Jamie Hamilton

Share this post