Driving CMMC across the supply chain

Prior to data breaches such as SolarWinds, and dozens more that occurred over the preceding years, DoD contractors could attest to their own compliance against a standard known as NIST SP 800-171 – the requirement that any non-Federal computer system needs to follow, in order to store, process, or transmit Controlled Unclassified Information (also known as CUI), or to provide security protection for such systems. 

Today, in one of many steps to increase cybersecurity capability, the CMMC requires an approved third-party organization – known as a Certified Third Party Assessor Organizations (or CTPAO) – to assess and certify that contractors have met their cybersecurity requirements. This includes the security of their supply chains. The penalties for those found to be non-compliant can be significant, with termination of a contractor’s DoD agreement a very real possibility.

The implications of not meeting strict CMMC requirements can be daunting, to say the least. Equally daunting is the myriad of information that can be found by a DoD contractor – or would be contractor – when researching the steps they need to take in order to ensure compliance across their business, and throughout what can often be an extensive supply chain.

With a growing number of CTPAOs, and a small but powerful range of compliant solutions available, the good news is that significant steps towards CMMC for contractors, and their supply chain partners, can be less complex than people may think.

The following, simple steps are just a few of the ways in which any contractor can progress their compliance journey, starting today;

• Develop your compliance plan. Whether it’s something as challenging as CMMC, or as comparatively simple as next week’s marketing campaign, everything – and everyone – benefits from a clear, written plan. If you’ve not yet got yourself some expert advice to help you build your compliance plan, a good place to start would be to seek out a CMMC Registered Provider Organization.  
  
• Identify CMMC-approved providers. While CMMC is complex, whether your software provider is compliant or not isn’t. It’s a yes, or it’s a no. Solutions such as @Cocoon Data are compliant, cost-effective, and easy to adopt, enabling contractors to take significant – and rapid – steps on their CMMC journey.
  
• Mandate the extension of your plan, to your suppliers. With so much focus on in-house compliance, suppliers are often left unchecked, or with little more to do than confirm their own compliance. Extending your policies, and choice of certified, compliant data management products to your supply chain, is a fast, simple, and highly effective way to boost compliance at a low cost.Monitor and maintain. 
  
• Cybersecurity never sleeps, and neither should your policies. By working with reputed, certified providers, and staying close to their teams, you can quickly and easily stay abreast of changes in policy and any implications for your internal and supply chain compliance models. 

Of all the points on our checklist, and of all of the obligations placed upon contractors to DoD and Government more broadly, the onus on securing an organisation’s entire supply chain can understandably feel like the most challenging.

Simple steps and the consistent utilisation of chosen systems across the supplier base can help dramatically ease the road to compliance. And, while the cost of extending in-house data management software to suppliers may feel concerning, the costs of auditing and reviewing your suppliers' own choice of software will almost inevitably be greater. And the costs of losing a precious and hard-fought Government contract? Greater still.

For more insight, advice and guidance as to how to build to CMMC compliance, both internally and across your supply chain, reach out to us via the link below. 

Book a call