In a recent letter to the U.S. Department of Defense (DoD), SysArc, a U.S.-based Managed Security Service Provider (MSSP), advocates on behalf of private DoD suppliers for a streamlined and cost-effective process for suppliers to comply with the Government's mandated cybersecurity standards.
Since 2017, SysArc has focused primarily on helping small and mid-size DoD suppliers across the U.S. implement cybersecurity programs in their organizations in order to comply with DFARS / NIST 800-171 and, more recently, with the upcoming Cybersecurity Maturity Model Certification (CMMC). CMMC builds upon the existing regulation (DFARS 252.204-7012), which relies on trust in the supplier's own attestation of compliance, by adding a verification component: a supplier's implementation of the cybersecurity requirements is assessed and certified rather than simply declared. SysArc's dedicated team of cybersecurity experts has consulted with hundreds of DoD suppliers and gained a wealth of knowledge about the current challenges faced by these companies. The vast majority of the feedback received from suppliers concerned the perceived costs associated with compliance and the complexity of deciphering the NIST 800-171 controls in order to understand exactly what it takes to meet the compliance standards.
To overcome these challenges, SysArc has worked over the last three years to significantly reduce the cost and complexity of getting companies to compliance by refining the assessment and remediation processes it uses to assist suppliers with compliance. This is what makes SysArc qualified to advocate on behalf of its DoD supplier customers and provide written comments regarding the Draft CMMC v0.4. SysArc will do the same when Draft CMMC Model v0.6 is released for public review in November 2019.
SysArc’s comments to the DoD with regards to the Draft CMMC v0.4 are summarized as follows:
- Ensure that the CMMC standards that many suppliers have already been working on (the 110 security controls of NIST 800-171) don't change significantly, or at all. Keeping the standards essentially the same will ensure suppliers can bid on 80-90% of DoD contracts without incurring additional costs to add or modify their current controls.
- Provide guidance to suppliers in advance, before they go to get certified, on the CMMC Level they are likely to need in order to compete for the type of business they typically pursue.
- Reduce technical jargon by using natural language where possible, and define the time constraints in the controls more definitively.
- Refrain from moving security controls from higher CMMC Levels to lower Levels, which makes it more difficult for suppliers to achieve compliance.
For more information about the Cybersecurity Maturity Model Certification and the Levels within it, please see SysArc’s guide to CMMC compliance written for DoD suppliers.