HUNTSVILLE, Ala. – Cyber security hacks and information breaches are an ever-present threat with serious consequences. In an effort to protect national security, all Department of Defense contractors will have to hold a level of “Cybersecurity Maturity Model” certification to do business.
Nationwide, this will impact the entire defense industrial base, which includes 300,000 companies in the supply chain, many of them in north Alabama.
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cyber security across the defense industry.
“There are five levels. Level one through five and at some point in the near future any contractor that does business with the DoD in the defense industrial base, they will be required to have a certain level of certification to participate,” says Gray Analytics VP and General Counsel Jay Town.
Town says the level of certification required for a company will depend on the type of work the government is asking them to do.
“If you’re selling tires, it’s gonna probably be a much lower level than if you’re building lasers for satellites and things like that,” says Town.
Gray Analytics is a Registered Provider Organization (RPO) and helps defense contractors prepare for future certification audits by a C3PAO (CMMC Third-Party Assessor Organization).
“Just like if you’re doing a financial audit, you don’t turn in your taxes before you let your accountant or some tax preparer look at it,” says Town. “So, the idea then is that they come to an RPO and we tell them where they’re at.”
He says Gray Analytics is certified by the government as an RPO.
“We know what a CMMC looks like. And we tell them (the defense contractor) where they are. [We] do a gap analysis, do some other things to make sure that their network is where it needs to be,” Town said. “Then they can do what’s necessary to fix it, get to the level they want, and then call the C3PAOs. They’ll come in and they’ll do the audit and sure enough, okay, they’re good to go, and then they get certified so they can bid on all these contracts.”
The newly required certification is meant to help the DOD keep the information held on defense contractors’ information systems from being compromised.
“There’s just a responsible way to do business to make sure that those foreign bad actors – hostile nations, hackers – aren’t getting into our intellectual property and taking it and robbing it and replicating it and replacing it in the global marketplace, and actually using the armaments that we have designed with American ingenuity against us because they’ve stolen it,” says Town.
He says defense contractors shouldn’t wait to get the certification since hundreds of contracts already require it to do business.
“As a subcontractor, or as the prime contractor, you have to have that level certification that contract requires and that’s happening now, not four years off in the future,” Town said.
Hundreds of defense contracts coming down the pike require CMMC certification.
“So the time is not to wait until the very end when 30,000 or 300,000 DOD contractors get in line,” said Town. “The time is now to start at least getting your auditing process done so you can fill those cyber gaps and have your company so you can get to that desired level of certification, when in fact you actually have the government come in and give you that certification.”
Town says CMMC is a responsible way for the defense industrial base to guarantee that the government has a level of cyber maturity to protect trade secrets and intellectual property from foreign hackers.
“CMMC is a rational solution to that, but it’s expensive,” says Town.
He said he believes there are still things the government needs to work out.
“Is that [CMMC] expense passed on to the government, how? To a small business that’s not doing, you know $500 million a year in sales, how do they account for the audit and then the actual pre-audit process… that’s all very expensive,” says Town.
How will the costs of CMMC be covered?
“Is that going to be able to be passed on the inside of that contract as an expense? Those are some things the government does need to work out and I think those are fair comments. At the same time some argue against CMMC because it costs money…to me, you know, maybe it’s worth the government paying for it if it’s an area where national security is involved,” says Town.
Previously, contractors were responsible for monitoring their own cyber security and their handling of sensitive DOD information. Now a third-party assessment by a C3PAO will make sure the company is complying with cyber security practices and procedures that keep sensitive government information secure from foreign hackers.