Industry Voice: Sustainment, the forgotten CMMC requirement

By Mike Olivier | Mar 22, 2021

As discussed in my last several columns, the impending requirement for manufacturers in the defense industrial base is the Cybersecurity Maturity Model Certification (CMMC). The bottom line is that soon all contractors will need to be certified to an appropriate level. The focus is on protecting information and safeguarding your systems from cyber-attack. The two most common levels in the CMMC framework are Level 1, with 17 practice requirements, and Level 2, with 130 practice requirements; these two certification levels will make up about 90 percent of all companies in the defense industrial base.

The question, then, is always: what level will I need to be at? That will depend on the value of the information you receive from the government, or of the information or thing that is produced as a result of the contract. In general, the estimate is that 60 percent of the companies will be CMMC Level 1, and 30 percent will be Level 3. As mentioned, there is a big difference in the number of requirements for each level.

To make this simple for any level, there are two aspects to certification. The first is meeting the practice requirements, which is a function of the CMMC Level and the number of requirements. It is also a function of the organization's size: the bigger the organization, the bigger the attack surface, and the harder it is to control and secure. The second is sustainment, which is proving that you are executing your plan and managing the organization's system security. Most of the chatter regarding CMMC certification is about meeting the practice requirements; it focuses on what the organization can do to meet a requirement. Most organizations are fixated on requirement compliance, and sustainment is the next thing to do when there is time. This is understandable, since for most people in the IT or cybersecurity world, meeting compliance is what they do. It is the problem-solving aspect of compliance that motivates some people; there is a beginning and an end to the process, resulting in solving the compliance puzzle and achieving compliance. Sustainment, on the other hand, is repetitive and without end; it means ensuring there is documentation of meetings in which the discussion is often focused on the obvious.

What is most often overlooked is that sustainment will be the most expensive element in CMMC compliance. The sustainment of systems requires hardware and software upgrades, and it requires making decisions in terms of the direction of the organization. Most importantly, it is the staff time devoted to supporting the domain policies. For Level 3, the requirement is for a budget and resource allocation in support of policy maintenance. This would include policy reviews, staff training in cybersecurity awareness, and technical training for system administration. Consequently, sustainment is more than developing a policy; in CMMC language, it is the institutionalization of the system security plan through daily practice. It is the development of artifacts of compliance.

Achieving compliance for a business of any size will be a challenging process that will take time. The policies need to support the organization's operations, and they will need to be reviewed and approved by management. To simplify this process, our recommendation is to establish roles in the organization for policy administrators: individuals assigned responsibility for specific policies. The goal is to delegate responsibility and a degree of authority to the policy administrators. By distributing policy development and sustainment, the compliance process will become more efficient.

The second point is that meeting the sustainment requirements can be done concurrently. By having the policies managed by a group of policy administrators, the maturity process will accelerate. Another factor to consider is that meeting sustainment is not the same for all requirements; some actions can be taken before the policy is in place. An example is training; this is a long-lead item, as most companies are not going to halt operations for a day or two to complete the list of training requirements, cybersecurity awareness being only one of these. Meeting the training requirements can start at any time, and completing them will take some time.

The CMMC level practice requirements are just half of the compliance picture; sustainment is the other half of full compliance. Delegating authority to policy administrators for domains or subject areas within the system security plan is a way to ensure the required sustainment actions are met. No small business has the resources for a dedicated compliance individual or staff. The solution is to delegate responsibility and a degree of authority to the policy administrators. Ensuring they understand the requirements and take ownership of the processes is a means to accelerate the compliance path and to ensure sustainment.

With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at mikeo@171comply.com.