CMMC 2.0: What Defense Contractors Need to Know
October 05, 2023
A former Navy intelligence officer and FBI Special Agent explains why complying with the DoD’s Cybersecurity Maturity Model Certification is vital.
Companies are constantly developing advanced technologies that defy what was once thought possible. But what happens when that technology falls into the wrong hands? What’s to stop a nation-state from stealing intellectual property, for instance, and weaponizing it? Without comprehensive cybersecurity measures, this hypothetical scenario can become all too real.
In 2010, the U.S. Department of Defense (“DoD”) responded to this growing threat by developing the Cybersecurity Maturity Model Certification (“CMMC”).[1] The CMMC applies to two types of organizations that partner with the DoD: certified defense contractors (“CDCs”), whose work is classified, and defense industrial base (“DIB”) companies, which handle unclassified projects. The CMMC is intended to protect the DIB’s sensitive unclassified information from threat actors and nation-states.[2]
The DoD has continually updated the CMMC over the years. It is expected to roll out CMMC 2.0 by the end of 2023. The goal of this iteration is to simplify compliance for companies by more clearly outlining priorities for protecting sensitive information. Its framework also reinforces cooperation between the DoD and organizations across industries to address the evolving threat landscape.[3]
To help organizations understand CMMC 2.0, its benefits, and the importance of cybersecurity, the FTI Journal asked Enrique Alvarez, Managing Director with FTI Consulting’s Cybersecurity practice, for his perspective. Alvarez has more than 20 years of national security and law enforcement experience across the private and federal sectors. He previously served in Iraq as a Navy Reserve Intelligence Officer and spent close to two decades dealing with nation-state threats as a special agent in the cyber branch of the Federal Bureau of Investigation (“FBI”).
FTI Journal: What kind of organizations are going to be impacted by CMMC 2.0?
Alvarez: The refined regulations are aimed at CDCs and DIB companies. The difference between the two is that the CDCs have cleared personnel and work on classified military projects. They're making the guidance system score for missiles, avionics for aircraft — things like that. So they’re very tightly regulated by the Defense Department and are used to operating in that kind of environment.
DIB companies do not necessarily work on classified matters but are still extremely important in providing raw technology, software, widgets — you name it. While they may not cross over into the classified category, they are just as important in the overall scheme of work. So it’s vital that their data and intellectual property are protected. However, they may not be used to operating in such a highly regulated arena in which they can become a target of threat actors and nation-states. That’s why becoming certified under the CMMC is so important: It helps protect the country as well as DIB companies’ intellectual property by requiring better cyber hygiene.
FTIJ: From your experience, why is having good cyber hygiene so critical for today’s companies?
Alvarez: When I was at the FBI working on national security in both the Cyber and Counterintelligence Divisions, we constantly saw threats from nation-states who were exploiting poor cyber hygiene and targeting DIBs alongside CDCs. The DIB companies would develop dual-use technology that could help cars go faster, for example, but could also be used for several defense-related missions or platforms. The issue, though, was that they weren’t as protected because they didn’t have to go through the same rigorous compliance checks as CDCs.
During those early days, when the term “cybersecurity” was still nascent, we were doing everything we could to convince companies to prioritize cyber hygiene. The CMMC, especially the new 2.0 version, is a great catalyst for DIB companies to improve their cyber hygiene, because make no mistake, they are being targeted — even if they don’t think they are.
FTIJ: What benefits do the CMMC regulations provide outside of cybersecurity?
Alvarez: While I was deployed in Iraq in 2008, it was common for us to field new technologies, weapons and even uniforms. Previously, this was a slow process since everything had to be tested, approved, produced and deployed. Fortunately for all of us, there was an excellent feedback loop on the way threats were changing. For instance, I saw firsthand how CDC and DIB groups turned intel from the field into countermeasures that helped prevent casualties by stopping improvised explosive devices from detonating. People’s lives were saved because of those rapid innovations.
The technology and the intellectual property that these defense contractors have is incredibly valuable, especially now, since the timescale of combat has compressed. If we get involved in another active conflict, combat is going to happen much more rapidly, and that feedback loop will need to be even more swift.
FTIJ: What would you say to companies that believe they don’t fall under the purview of CMMC 2.0?
Alvarez: A company never knows when its intellectual property might become a key component of a new defensive system. In those instances, companies may not have a General Services Administration (“GSA”) schedule contract or meet the minimum requirements to be a CDC. Sometimes the GSA will fast-track their clearance because the mission overrides the bureaucracy. That's great from an innovation standpoint but bad from a security standpoint, because it leaves the company vulnerable to cyber threats.
FTIJ: What’s the most convincing reason companies should certify?
Alvarez: Many companies may already qualify for a GSA contract, or they may be asked to collaborate with the DoD in the near future. Meeting the CMMC’s compliance requirements is good not only for their businesses, but it can also get them on board for the Big Win, as they say. Oh, and Canada is working on its own version of the CMMC that will be nearly identical to the U.S. version. So there’s an opportunity in both the U.S. and Canada for companies to be proactive and prepare for these coming amendments.
[1]: U.S. Department of Defense, “About the Cybersecurity Maturity Model Certification,” Chief Information Officer.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.