As a federal contracting attorney and former contracting officer at the Defense and Homeland Security departments, Michael Gruden has a unique vantage point on the implications of DOD's Cybersecurity Maturity Model Certification program.
Now a partner at the law firm Crowell & Moring, Gruden continues to work with companies preparing for the rollout of the CMMC standard amid a growing focus on securing information systems.
“Every day, I'm hearing from major maintenance contractors struggling with requirements and running down their contractors and suppliers,” Gruden said at the Washington Technology CMMC Summit on November 9. “So, later that same day, I was talking to suppliers and manufacturers, saying ‘We don't have infrastructure. We don't have compliance plans. We don't have funds. How are we going to do this?’”
“This” refers to CMMC 2.0, the second phase of the DOD security standard being developed to require the defense industrial base to certify that their networks and systems meet security standards.
Gruden explained the legal implications and risks of the CMMC. Like many of the other speakers, he said defense contractors shouldn't wait until the final rule comes out next year.
Contractors already warrant that their systems are secure. But despite the development of security standards over the past decade, DOD has had no way to enforce that requirement.
“The data is still broken,” Gruden said, meaning self-attestation doesn't work.
The draft rule is a good indication of where DOD is headed, and the CMMC's change from the original version to the second, Gruden said, stood out in three ways.
CMMC 2.0 allows plans of action and milestones, known by the acronym POA&Ms, that let companies document controls that have not yet been fully implemented. These plans should outline how the company expects to achieve compliance.
DOD has capped the time a POA&M can remain open at 180 days. That window lets suppliers and manufacturers obtain CMMC certification while they work toward full compliance, but the plan must be in place.
“That’s a big change,” Gruden said.
The second change that Gruden emphasized relates to the way company leaders attest to compliance and provide evidence of it.
If the company violates the security standards, it may be open to lawsuits under the False Claims Act.
“This can bring a huge cost to a company, and we’re talking huge financial losses,” Gruden said.
At the same time, the Department of Justice has launched a cyber fraud initiative targeting companies that do not meet expected security standards.
Together, CMMC's attestation requirements and Justice's cyber fraud initiative signal that companies will be held to what they certify.
“Now the government is saying we expect you to keep your word and we can count on that,” Gruden said. “If not, we have legal recourse that we can take.”
The third major change from CMMC’s first release to its second is the focus on cloud computing security.
“If you're a government contractor that manages controlled unclassified information (CUI), and you're relying on an external cloud service provider to handle any of your CUI, then you want to make sure that your CSP meets certain cybersecurity standards,” Gruden said.
The standards for cloud security are different from the ones CMMC has in place, Gruden said. Cloud offerings must be authorized through the FedRAMP process or an equivalent method, such as documented security controls.
Cloud providers that serve federal contractors also fall under the CMMC's security requirements. They must comply with DOD's security requirements guidance.
Gruden sees the CMMC 2.0 model as important for cloud services.
“What that tells me is that the CMMC is looking at the broader view of compliance,” he said.
Quoting former spokesman Robert Metzger, Gruden said companies shouldn’t wait to start working on compliance issues.
“If you’re not taking steps now to comply with cybersecurity laws, you’re going to be behind all of your competitors,” Gruden said.
There are three clear things for companies to do, according to Gruden:
First, corporate governance. A comprehensive compliance team should include the CEO, head of business operations, IT leadership, chief security officer, general counsel and human resources.
“You need all the stakeholders in the same room, all agreeing and understanding what’s at stake and what’s needed to get the job done,” Gruden said.
Second, focus on corporate governance policies and procedures. Clean them up if they exist and start developing them if they don't, Gruden said. This matters because in some cases a third-party assessor will review the company's policies and procedures to assess its CMMC level.
The third step is to understand your data and where it flows.
“If you can isolate your CUI, then you can reduce the compliance issues that you have,” Gruden said.