CMMC Sustainment: the Forgotten Requirement

As discussed in the last several articles, the impending requirement for manufacturers in the Defense Industrial Base is the Cybersecurity Maturity Model Certification (CMMC). The bottom line is that soon all contractors will need to be certified to an appropriate level. The focus is on protecting information and safeguarding your systems from cyber-attack. The two most common levels in the CMMC framework are Level 1, with 17 practice requirements, and Level 3, with 130 practice requirements; these two certification levels will cover about 90% of all companies in the Defense Industrial Base.

The question, then, is always: what level will I need to be at? That depends on the value of the information you receive from the government, or of the information or product that results from the contract. In general, the estimate is that, of the five CMMC Levels, 60% of companies will be CMMC Level 1 and 30% will be Level 3. As mentioned, there is a big difference in the number of requirements between these levels.

To make this simple, at any level there are two aspects to certification. The first is meeting the practice requirements, which is a function of the CMMC Level and the number of requirements it carries. It is also a function of the organization's size: the bigger the organization, the bigger the attack surface, and the harder it is to control and secure. The second is sustainment; this is proving that you are executing your plan and managing the organization's system security on an ongoing basis. Most of the chatter regarding CMMC certification is about meeting the practice requirements; it focuses on what the organization can do to satisfy a given requirement. Most organizations are fixated on requirement compliance, and sustainment is the next thing to do when there is time. This is understandable, since for most people in the IT or cyber world, meeting compliance is what they do. It is the problem-solving aspect of compliance that motivates some people; there is a beginning and an end to the process, resulting in solving the compliance puzzle and achieving compliance. Sustainment, on the other hand, is repetitive and without end; it means documenting meetings where the discussion is often focused on the obvious.

What is most often overlooked is that sustainment will be the most expensive element of CMMC compliance. Sustaining systems requires hardware and software upgrades, and it requires making decisions about the direction of the organization. Most importantly, it costs staff time: the time devoted to supporting the domain policies. At Maturity Level 3, the requirement is for a budget and resource allocation in support of policy maintenance. This would include policy reviews, staff training in cybersecurity awareness, and technical training for system administration. Consequently, sustainment is more than developing a policy; in CMMC language, it is the institutionalization of the system security plan through daily practice, and the development of artifacts that evidence compliance.

Achieving compliance for any size of business will be a challenge; it is a process that will take time. The policies need to support the organization's operations, and they will need to be reviewed and approved by management. To simplify this process, our recommendation is to establish roles in the organization for policy administrators. The policy administrators are individuals in the organization assigned responsibility for specific policies. The goal is to delegate responsibility, and a degree of authority, to the policy administrators. The first point is that by distributing policy development and sustainment, the compliance process becomes more efficient. The second point is that the sustainment requirements can then be met concurrently: by having the policies managed by a group of policy administrators, the maturity process will accelerate.

Another factor to consider is that meeting sustainment is not the same for all requirements; some actions can be taken before the policy is in place. An example is training. This is a long-lead item, as most companies are not going to shut down or halt operations for a day or two to complete the list of training requirements, of which cybersecurity awareness training is only one. Meeting the training requirements can start at any time, and completing them will take some time.

Meeting the CMMC Level practice requirements is half of the compliance picture; sustainment is the other half of full compliance. Delegating authority to policy administrators for domains or subject areas within the System Security Plan is a way to ensure the required sustainment actions are carried out. No small business has the resources for a dedicated compliance individual or staff. The solution is to delegate responsibility, and a degree of authority, to the policy administrators. Ensuring they understand the requirements and take ownership of the processes is a means to accelerate the compliance path and to ensure sustainment.