The US Department of Defense (DoD) supply chain is vast – with over three-quarters of a million suppliers making up what is known as the Defense Industrial Base (DIB). Each supplier supports an array of defence projects, and a data breach at any of these contractors could have material national security consequences.

Recent incidents such as the SolarWinds supply chain attack show how important supply chain security can be, and that is why the US DoD has taken pre-emptive action and introduced tough new security requirements into defence contracts in the form of the Cybersecurity Maturity Model Certification (CMMC) programme.

If you’re in the DoD Supply Chain, particularly in the UK and Europe, you should be treating CMMC with the utmost importance. Read on to find out what you need to know to get CMMC ready.


What is the CMMC?

The CMMC programme is an accredited independent cybersecurity assessment conducted before a DoD contract is awarded. Anyone currently obligated to comply with the National Institute of Standards and Technology’s  (NIST) 800-171 framework will need CMMC by 2026 and, depending on contract type, will be required to achieve certification at one of five levels ranging from Level 1 (Basic Security Hygiene) up to Level 5 (Optimised and Sophisticated).

Each level requires suppliers to demonstrate the application of a cumulative series of cybersecurity practices. These practices become security capabilities, which in turn form security domains. In addition to increasing practice requirements, each certification level is also a step-up from the prior level in terms of management:

  • CMMC Level 1 – 17 practices performed.
  • CMMC Level 2 – 72 practices performed AND documented.
  • CMMC Level 3 – 130 practices performed AND documented AND managed.
  • CMMC Level 4 – 156 practices performed AND documented AND managed AND reviewed.
  • CMMC Level 5 – 171 practices performed AND documented AND managed AND reviewed AND optimised.

Contractors will have to confirm, through submission of an accredited certificate issued by a CMMC Third Party Assessment Organisation (C3PAO), that they meet the maturity level required.


What is CMMC trying to achieve?

The CMMC aims to improve the overall cybersecurity posture of the DoD’s Defense Industrial Base. Previously, contractors were not required to provide independent assurance of effective security controls which meant that some companies’ security practices were deemed inadequate.  This has led to the removal of self-certification under the new CMMC regime, with contractors now required to commission an independent assessment of their security controls, conducted by a C3PAO. Once issued, the CMMC will be valid for three years and, if the contractor is found to have inadequate controls, they are now much more likely to face enforcement action.


CMMC Level three – The challenge for organisations

Whilst some organisations will be required to achieve higher and lower CMMC levels, many organisations will fall into the CMMC level three category, particularly those that process Controlled Unclassified Information (CUI).

Level three assessment covers 76% of the total number of controls required of a level 3 organisation. Certification also requires the organisation to create a plan demonstrating the management of activities for implementation that may include information on missions, goals, project plans, resourcing, required training, and the involvement of relevant stakeholders.

A common misconception is that this plan is a “future-state” action plan to deliver the level three capabilities after assessment. Such an assumption is the most likely place where organisations may fail. The plan must show how practices are active, managed and resourced within the organisation at the time of the assessment. Organisations may fail at assessment if they think they can simply provide a plan showing how they will deliver level three practices at some point after they have won the contract.

Other challenges that may also arise include a misalignment in policies, procedures, and delivery; the inadequate flow-down of CMMC practices into a prime contractor’s supply chain; an over-reliance on the certification of cloud providers and failing to cover the additional controls outside of the current NIST 800-871 rev2 standard.


CMMC Timescales and Assessment Process

It is important to note that certification will take preparation and it is therefore essential organisations plan for CMMC now and begin collecting evidence ready for assessment. It is expected that by 2026, all 300,000 contractors in the DIB will be expected to have achieved CMMC certification which means that, if your contract is up for renewal between now and 2025, you should expect a request for evidence of CMMC assessment as part of the renewal process. Depending on the state of your security programme currently, and the level of CMMC maturity required, preparing for certification may take 6 months or more. Prime Contractors are also required to demonstrate they have “flowed-down” CMMC requirements to their sub-contractors.



Consequences of failing to maintain CMMC standards

The CMMC programme raises the bar on cybersecurity for organisations in the Defense Industrial Base. The consequences of failing to prepare could be significant. Lucrative contracts could be lost as a result of failing to achieve CMMC ahead of a Request for Proposal (RFP) submission. Failing to maintain the controls underpinning CMMC, or making fraudulent claims about compliance, could result in legal action and would likely have a detrimental effect on an organisation’s standing in future contract bids. Getting CMMC must therefore be a management imperative.


Get in contact to find out more

Raytheon UK, a leading cyber and digital technology organisation, is pleased to be working with iSTORM® Privacy-Security-Pen testing, an award-winning SME providing Governance, Risk and Compliance (GRC) consultancy to public and private sector organisations. As a Registered Provider Organisation (RPO), we work with the wider Defence Industrial Base in preparation of the upcoming CMMC assessments.

If you’re a defence contractor in the UK and Europe working within the United States, get in contact today to discuss how we can help you in your journey to become a CMMC Certified Supplier.