It’s been nearly a decade since the Defense Federal Acquisition Regulation Supplement, or DFARS, was signed into law. DFARS mandated that all Department of Defense contractors integrate and follow cybersecurity standards according to the NIST SP 800-171 framework.
However, adoption of the protocols has been slow. This is why the DoD has now released the Cybersecurity Maturity Model Certification, or CMMC, that ensures cybersecurity standards are being addressed and adhered to throughout the defense supply chain.
Here’s a closer look at CMMC and what it means for defense contractors.
First and foremost, any company doing business with the Department of Defense, either as a prime contractor or lower-tier subcontractor, will be required to achieve CMMC certification. There are five potential maturity levels of CMMC, beginning with protecting Federal Contract Information (Level 1), safeguarding Controlled Unclassified Information (Level 3), and reducing the risk of Advanced Persistent Threats (Level 5).
Technically speaking, CMMC is being presented as a rule change that will be incorporated into DFARS. The key difference between CMMC and DFARS is that DFARS allows contractors to self-attest to NIST SP 800-171 standards after winning the contract, while CMMC requires contractors to be certified prior to being awarded the contract.
The proposed rule change is expected to gain approval in Fall 2020, with the first RFIs and RFPs to include CMMC by the end of October 2020. However, the actual timeline for the complete rollout is expected to last through 2026.
The good news is that any existing contracts will not retroactively be affected by CMMC.
CMMC is expected to impact as many as 300,000 companies and contractors. It will likely appear in OTAs and other non-procurement contracts that are more common with small- and medium-sized companies. This may pose a problem, however: smaller companies make up the majority of defense industry companies, and they also tend to have fewer resources to invest in cybersecurity improvements.
However, instead of viewing CMMC as yet another costly hurdle to clear, companies should view this certification as a way to differentiate themselves from competitors. Obtaining certification early (i.e. before it’s required) can take a forward-thinking approach to maturity, make their contract bids more attractive, and potentially avoid assessment bottlenecks.
It’s also worth noting that foreign companies are interested in adopting CMMC requirements, which can present unique export opportunities to companies who achieve the certification.
We’ll be bringing you updates on CMMC as new information becomes available. Until then, head back to the etaGlobal blog for more A&D insights.
Casey Johnston has been promoted to President of etaGLOBAL, a supply chain services, and distribution solutions company serving the aerospace and defense sector.
In his tenure with etaGLOBAL, Casey has held a number of senior management and executive leadership roles in quality, operations, and supply chain management solutions.
Prior to his current appointment, he was Chief Operation Officer of Aeromed Group, a rising private equity firm that specializes in supply chain technology and tail spend solutions for the aerospace and defense sector. Casey oversaw all aspects of the day-to-day administrative functions and business processes, from supply chain management to human resources.
A skilled leader with exceptional problem-solving strategies, Casey ensures complete regulatory compliance and precision in lean tactic implementation and execution. His creativity and initiative allow him to exceed operational performance goals and elevate a company-wide standard of excellence while building on etaGLOBAL’s objective of ensuring the delivery of continuous customer value.
With over 12 years of corporate leadership experience in the aerospace and defense industry, Casey has a proven track record of solving complex supply chain challenges with high-quality, scalable solutions that result in tangible, favorable outcomes.
As the new President of etaGLOBAL, Casey illustrates the broad range of responsibility and authority he carries as well as the overall sales and operations responsibilities he has performed for the company. He is the steadfast voice of quality and the leadership needed to guide etaGLOBAL toward its promising future.