How new cyber security requirements will affect business working with the federal government

In order to work with the federal government, businesses will need to meet the proper standards of the new Cybersecurity Maturity Model Certification. For small businesses in need of help, there are several resources that can simplify the process.

Posted Updated
Abbey Slattery
, WRAL Digital Solutions
This article was written for our sponsor, the North Carolina Military Business Center.

According to a study from the University of Maryland, hackers attempt an attack around every 39 seconds, translating to an average of 2,444 tries per day. If there's any entity that's wholly aware of that threat, it's the federal government — and proper protections don't just stop with their own agencies.

In fact, any business that has access to the federal government, especially those in their employ, must have a certain level of cyber security in place, and in many cases, the government won't work with businesses who don't meet certain benchmarks of security.

At the North Carolina Military Business Center, Laura Rodgers works to simplify some of the more complex cyber security requirements and help local businesses understand what they need to accomplish in order to secure a federal contract.

"The Department of Defense has had requirements in place for a number of years for companies to self-attest that they complied with the SP 800-171 requirements [which is just a framework for developing your cybersecurity system] when in fact, they might not," Rodgers said. "Something obviously had to be done because 70 percent to 80 percent of DoD data resides on contractors' networks. That's a lot of data for companies to house and to handle properly. The concern, of course, is that it won't be handled properly, or that even if it is handled properly, that they'll get hacked."

Even now, it's estimated that $600 billion a year is lost to cyber theft. In order to help curb this issue, the government developed the Cybersecurity Maturity Model Certification to ensure there are uniform standards for DoD acquisitions.

The model operates on a basis of benchmarks for quality management, so it's a bit more complicated than simply checking off the right boxes to pass. Any organization in the DoD supply chain needs to comply with the CMMC whenever they're involved with processing, storing, transmitting or protecting Controlled Unclassified Information — in other words, information that isn't necessarily classified, but is still sensitive enough to require safeguarding or dissemination controls.

While the CMMC isn't used throughout the federal government yet, it's expected to gain widespread implementation once the kinks are worked out.

"The CMMC framework was developed by the federal government to protect two things: federal contract information and 'Controlled Unclassified information,' or CUI. The five levels of compliance were created because not all companies are required to have a robust cyber security program, depending on what they're doing for the government," said Elizabeth Cole-Walker, information security specialist at the N.C. State University's Office of Information Technology. "This fundamental shift that the federal government's taking is good in some ways because it's spreading consistency across the federal government and it allows everyone to know the rules and be competitive on the same playing field."

Taking the time to understand and implement CMMC standards is, understandably, intimidating — especially for small businesses with limited budgets for cyber security. But, as Cole-Walker mentioned, the new requirements level the playing field in a way.

At the NCMBC, Rodgers and her team work to break down the rules and regulations of cyber security standards. Not all businesses will need the same levels of compliance.

"If your company is at the bottom of the supply chain, say you're supplying steel to a machine shop, you're probably never going to process controlled unclassified information or federal contract information, because you have no idea where that steel is going, so you wouldn't have to comply with CMMC," Rodgers said. "But the next level up, say the machine shop, they might know the details of what kind of contracts they're building these widgets for, and if they know that, then that would fall into the federal contract information realm and they would have to be compliant with CMMC at Level One."

From there, the further up you go in the supply chain, the higher level of CMMC compliance you'll need. Moving up in compliance, any companies that deal with CUI will need to reach level three, while level four and five is reserved for high value assets and advanced persistent threats.

In order to enforce the CMMC, companies will have to be certified by a third party that has been trained and certified by the CMMC Accreditation Board, which then passes the information onto the Department of Defense. The DoD then uses that information to know who is eligible for contracts and who is not.

Rodgers advises businesses to be wary of companies that claim they offer CMMC certification. In fact, as of now, no one has been trained to do so. Small businesses in particular should be careful not to pay exorbitant fees for companies that can't deliver what they promise.

Overall, however, the CMMC could be good news for small businesses, as it helps level the playing field.

"The good news is, so many times we go into these companies and we start assessments and they tell us what they're not doing right. That they're not doing this, they don't have this, but being a small business is a positive. It actually can be a big strength, and I always try and get small business folks to understand that," Cole-Walker said. "They have an opportunity to start from the ground up, thinking about security essential to their business model and integrating it in their company culture. You put the security-centric focus into developing your company culture and having people understand the importance of each person in that company and that really does transfer to some of those overhead costs. They invest at the beginning, they're more agile, and they can make changes and improvements quickly."

For small businesses interested in pursuing contracts with the government or those adjusting to the new security standards, there are a number of resources that help in doing so.

Rodgers and her team at the NCMBC are more than happy to offer their expertise. Additionally, Walker-Cole recommends the FBI Office Private Sector's program InfraGard, which helps exchange information with industry, as well as programs like the Information Systems Security Association and the Information Systems Audit and Control Association.

This article was written for our sponsor, the North Carolina Military Business Center.