For defense contractors and the companies that work with them, compliance with U.S. Department of Defense (DoD) cybersecurity requirements can mean the difference between significant business growth and losing key DoD contracts.
How valuable is a DoD contract? According to The Balance, estimated DoD spending for the period of October 1, 2020 through September 30, 2021 will be $705 billion—the majority of the $934 billion in total U.S. military spending estimated for the same period.
For companies that are currently defense contractors or who want to work with the DoD, this represents a massive opportunity for business growth. However, to earn this opportunity, businesses need to meet DoD compliance requirements for standards like NIST 800-171 and CMMC certification.
How the Business of Defense Contractors Is Changing with CMMC
The Cybersecurity Maturity Model Certification, or CMMC, is a relatively new DoD compliance requirement that builds on several previously existing security rules. It is intended to help businesses protect controlled unclassified information (CUI) and federal contract information (FCI) that they may process or store as part of a DoD contract.
The DoD’s implementation of CMMC (also known as DFARS Case 2019-D041) will force contractors working with the DoD to place a greater emphasis on cybersecurity than ever before.
DoD Compliance Requirements You Need to Know
NIST 800-171 Rev 2 is a special publication from the National Institute of Standards and Technology (NIST) that sets a standard for protecting the confidentiality of CUI in “Nonfederal Systems and Organizations.” Its requirements are organized into 14 “families” of controls, each of which a NIST compliance checklist should cover:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection (Note: this refers to storage media)
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity
The Defense Federal Acquisition Regulation Supplement (DFARS) section 252.204-7012 calls on contractors to safeguard covered defense information and report cyber incidents. It includes a clause to “implement NIST SP 800-171, as soon as practical.” If a contractor's security controls vary from NIST 800-171, a request must be submitted “in writing to the Contracting Officer.”
48 CFR 52.204-21
The Code of Federal Regulations (CFR) rule that specifically addresses “basic safeguarding of covered contractor information systems.” Under CFR 52.204-21, contractors have to meet 15 separate security requirements and controls.
Many of these requirements center on limiting access to information systems to “authorized users,” monitoring those systems, and protecting against malicious code or intrusions.
CMMC is a new DoD compliance standard that businesses will need to meet to keep winning DoD contracts going forward. It draws security rules and guidelines from several existing standards and divides them into 17 distinct “domains.”
It’s important to note that not every contractor will need to meet every CMMC certification requirement. There are five levels of CMMC compliance for contractors to know, each with a different number of specified controls that contractors will need to meet.
- Level 1: “Basic” cyber hygiene practices and controls. Mostly concerned with protecting FCI.
- Level 2: “Intermediate” cyber hygiene that leverages documented practices from NIST 800-171 and other security standards.
- Level 3: “Good” cyber hygiene that follows all NIST 800-171 requirements. This is the highest level that most contractors will need to achieve.
- Level 4: “Proactive” cybersecurity policies and procedures that strongly limit risk and protect CUI.
- Level 5: “Advanced/Progressive” cybersecurity that is deep and sophisticated enough to counter advanced persistent threats (APTs) and protect CUI.
Level 1 compliance certification requires meeting 17 security practices. Meanwhile, level 5 compliance requires meeting 171 distinct security practices.
3 Ways to Leverage DoD Compliance to Boost Business
So, how does compliance with DoD standards such as NIST 800-171 and CMMC certification boost business? Here are a few ways to leverage that compliance to gain some revenue opportunities:
1: Working with the DoD and Other Government Agencies
The most obvious way to increase revenue after meeting DoD compliance standards is to work with the DoD (or other government agencies). With billions of dollars in government spending up for grabs, working with the DoD can be an enormous revenue opportunity.
Plus, by meeting compliance requirements like CMMC before competitors do, companies can enter a more limited market with less competition.
2: Collaborating as a Sub-Contractor to DoD Contractors
Instead of trying to win DoD contracts directly, DoD-compliant companies could opt to work as subcontractors for other organizations working on DoD projects. Many DoD contractors may need to outsource specific tasks (such as procurement, IT development, or manufacturing) to other companies that specialize in them.
Being compliant with DoD cybersecurity requirements can be crucial for earning work as a subcontractor, because government contractors need to ensure that their vendors and partners can protect CUI and FCI data as comprehensively as they do.
3: Gain a Competitive Edge with Your Stronger Security Posture
Given the ever-present threat of data breaches that result in identity fraud and other major types of fraud, being able to protect sensitive information can be an enormous selling point. Customers who have been exposed to fraud from identity theft or who understand modern info security risks may prefer companies that have strong cybersecurity.
Showcasing how your business complies with security standards like NIST 800-171 or CMMC can be highly effective for catching the attention of security-conscious customers in both the public and private sectors. If you can demonstrate the ability to effectively protect sensitive data, it can be a valuable competitive advantage when your products and services are otherwise similar for quality, price point, and speed.
Why? Because you would be able to provide the same products or services at a lower risk.
To demonstrate your security advantage, you may need to thoroughly document your security policies, procedures, and tools.
How to Get DoD Compliant with NIST 800-171 and CMMC Certifications
When preparing for NIST 800-171 or CMMC certification, there are several key steps to take, including:
- Select a CMMC Certification Level. What level of CMMC certification does your business need? In most cases, a level 3 compliance certificate is all that a business will need. Knowing your target compliance level is important for accurately scoping what getting into compliance will cost.
- Create an IT Asset Map. What are the IT assets on your network? Have you identified everything? Creating an IT asset map can be crucial for ensuring that no asset is left unprotected and identifying critical security gaps before compliance assessors do.
- Run a Gap Analysis. After selecting a desired compliance level or standard, assess your current security controls and policies. Then, compare that to the requirements for your compliance goal. Where do your security measures fall short? These are the things you most need to address to achieve compliance.
- Document Your Entire Process. Having documents detailing your cybersecurity policies, procedures, and tools can be crucial for getting DoD compliance-certified. It can also help to create a CMMC or NIST 800-171 compliance checklist so you can verify which items have been met already.
- Go Beyond the Minimums Required Whenever Possible. To ensure that security gaps are closed, it can help to go just a bit beyond the specified security controls and procedures listed in CMMC or NIST 800-171. For example, instead of just having two-factor authentication for access control and identity verification, you could use a multi-factor authentication solution that is even tougher to breach.
- Don’t Forget Your Vendors. Do you partner with other companies that have access to one or more of your IT assets? Be sure to verify that their cybersecurity measures meet DoD compliance requirements to avoid potential “insider” threats.
- Practice a Policy of Least Privilege. Make sure that users on your network only have access to the things that they need to do their jobs efficiently. If a user leaves the company, their access privileges should be revoked immediately to prevent abuse of their credentials.
If you have any questions about CMMC, NIST 800-171, or other DoD compliance standards, reach out to the Systems X team today! We’re here to help connect you with what’s next in cybersecurity compliance so you can be ready for the future of business!