CMMC and the Intel Community

From IC Insider SoundWay Consulting, Inc.

By Carter Schoenberg, VP Cybersecurity – SoundWay Consulting, Inc.

When I hear the term, “Intelligence Community”, visions of the Central Intelligence Agency in Langley or the National Security Agency at Fort Meade come to mind.  According to the Office of the Director of National Intelligence (ODNI), there are a total of 18 organizations.  Historically speaking, as a former U.S. Government Contractor (GovCon) that has supported two of these 18 organizations in the past, there has always been a culture of how the intelligence community buys and it does not necessarily align with how most Government organizations procure goods and services. There has been a pride of ownership that leans towards a belief of more secured and stringent procurement activities.

When the Department of Defense (DoD) began evolving the Defense Federal Acquisition Regulations Supplement (DFARS) back in 2016, it included supply chain language requiring more cybersecurity best practices be adopted by the GovCons through self-attestation. At the same time, the Intel community did not really make significant changes as there was a line of thought that their more stringent requirements reduced their risk exposure to harm.

CMMC Timeline

Starting in 2019, the DoD began down a path we now know as the Cybersecurity Maturity Model Certification (CMMC). CMMC is a certification process that is built of the backs of both the National Institute for Standards and Technology (NIST) Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations” and the Carnegie Mellon “Resilience Management Model” (RMM).  An Interim Ruling took effect on November 30th, 2020 that now requires the adoption of CMMC into contract language as well as something Industry was not expecting – a formal score that is self-attested and uploaded into the Supplier Performance Risk System (SPRS).

Both the General Services Administration and Department of Homeland Security have announced intentions to adopt CMMC as well. So now there are two members of the intelligence community and the single largest procurement gateway for the U.S. Government declaring their allegiance to this procurement certification methodology. Multiple examples of GovCons bad behavior (intentional or unintentional) helped the decision makers decide that CMMC will become a requirement.  Some examples include adversaries targeting GovCons that resulted in technical specifications for the F-35 Strike Fighter in China, offensive cyber weapons for the NSA that were used against U.S. enterprises, and most recently, ransomware of a GovCon working on sensitive programs. Lest we forget the recent SolarWinds compromise that was made very public.

Impact and Understanding

CMMC will have a profound impact on the Intelligence Community (IC) because there may be some existing suppliers who either cannot or will not adopt CMMC Maturity Levels that are consistent with the procurement requirements AND the acquisition workforce for IC acquisition authorities will have to undergo comprehensive training to ensure mistakes previously made by the U.S. Government are not repeated.

Arguably the single biggest issue to date pertaining to cyber risk considerations in DoD and other solicitations was an approach that threw in a specific DFAR clause without any further detail. For those of you reading this article and have deep experience reviewing solicitations, the Government will have pages of tables that direct the bidder’s attention to specifics of contract clauses to ensure knowledge transfer. I have previously seen an IC solicitation valued at over $1 Billion where clause 252.204.7012 was a single sentence in over 60 pages. This creates a recipe for problems. First, the bidder is not paying attention to it because it is not denoted in the table format I just described. Second, up until now the Government never policed it. This created a “kick-the-can” mentality of GovCon business owners.

With CMMC, the pre-existing culture by GovCons to adopt best practices “if awarded” (if at all) is now obsolete. With CMMC, if you do not have the appropriate certification at the appropriate maturity level, your submission will likely be discounted and ultimately you will not receive the award. Because CMMC has five maturity levels, the higher up you go, the more time is required to demonstrate the goals and objectives have been “operationalized”.  This creates a whole new paradigm shift as cyber is now forcibly being removed from the mindset of “it is an IT matter” to “it’s a business risk matter” no different than fire, theft, or flood considerations.

The authoritative source on CMMC is the Accreditation Body (AB). What I like hearing is that both the AB and the DoD are advertising they know that the CMMC will endure hardship at first but lessons learned will be applied towards future endeavors to make it a premier certification process that is also being looked at by North Atlantic Treaty Organization (NATO) nations as well.

Where to Start

Sometimes the hardest thing to do is to know where to start. There are many firms that claim they can help you. Buyers beware! There are some great, some good and some not-so-good firms out there that advertise CMMC readiness consultation engagements. A sound approach is to use what is called an RPO “Registered Provider Organization”. RPOs are firms that have undergone vetting by the CMMC-AB and have Registered Practitioners (RPs) that have undergone training, background investigations and have defined levels of experience acceptable to the AB.  Here is a marketplace of qualified RPOs for your consideration.

SoundWay is a proud RPO and a Certified Third-Party Assessing Organization (C3PAO) Candidate.  We have proven past performances helping small GovCons navigate the requirements utilizing our proprietary assessment methodology as well as help with ongoing remediation solutions that are business and cost justified.

About SoundWay Consulting, Inc.

SoundWay is a HUBZone, WOSB, and SDVOSB that is conveniently located in Silver Spring, Maryland. We have helped clients ranging from Maryland to Colorado and are ready to assist you today.  To learn more, please contact us at or call us at (571) 210-0624.

About IC Insiders

IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.