Cybersecurity threats increase every day. As the Department of Defense (DOD) diligently works to set regulations for protection, they’ve identified the high levels of risk small businesses face as technology continuously advances. These risks can also make the DOD, and ultimately American warfighters, vulnerable due to the huge amounts of unclassified information shared throughout the defense industrial base. More and more often, American small businesses are the target of hackers, ransomware, and information breaches.

According to statements by the Office of the Under Secretary of Defense for Acquisition and Sustainment (USDAS), information attacks cost the country $600 billion annually. As the near-unlimited bandwidth of 5G becomes a reality, the new Cybersecurity Maturity Model Certification (CMMC) was designed specifically to aid small businesses in developing processes for protection of their most vital assets, including DoD designated Controlled Unclassified Information (CUI).

An improvement to the current DFARS regulation requiring compliance with NIST SP 800-171 standards, the tiered CMMC system levels the playing field by creating regulations and compliance requirements dependent on business type and industry. The one (least secure) to five (most secure) scale expands upon the existing NIST two-tiered system, providing a more comprehensive and effective defense against attackers. Instead of working through the known Plan of Actions and Milestones (POA&M) concept to become compliant with 110 controls over time, CMMC lays out exact requirements that must be met to achieve each level of certification.

blankFor small businesses, the new regulations could pose challenges. Without the resources and sophistication to adhere to the required level of CMMC certification, they may fail to comply with the standard. They’re challenged to weigh the necessity for protection against the cost and effort to implement changes. Ultimately, by the fall of 2020, inability to comply to CMMC regulations could have major negative impacts when it comes to business opportunities with the DOD and the ability to bid on DOD contracts.

The Under Secretary’s representation stressed the importance of focus on small business cybersecurity. Remote work and the coffee-shop office are notable risk accelerators for companies, even when the information they’re dealing with isn’t classified or highly sensitive. The pipeline opens, the ability to self-defend is limited, and low-level vulnerabilities are suddenly easy targets for expensive exploitation. This is where the CMMC strengthens the infrastructure.

Regardless of industry, small businesses are functioning in a digital world. Customers use digital devices to connect with your brand, upload and download content, conduct transactions via app, send email, and share on social media. Your own employees – even if you’re a team of three – are functioning in a digital space in their professional and personal lives. Cybersecurity risk is now inherent. It’s deeper and more nuanced than old book and paper systems, and it’s unavoidable as companies grow in size and technology. CMMC can help mitigate that risk, whether related to DOD or other customer contracts.

CMMC will become an unavoidable requirement for small business success with the DOD. As we learn more about the details of the system and the positive impact it can have on American companies, we also recognize the potential for complication and challenges that will inevitably come with program implementation. Research for effective adoption is paramount – not only for success, but for long-term, dependable cybersecurity.

Contact us today about working toward compliance to NIST 800-171/CMMC.