Navigating the Cybersecurity Maturity Model Certification (CMMC)
by Ariel Grant
What does Cybersecurity Maturity Model Certification (CMMC) mean, and how does Centre’s designation help contractors and subcontractors?
Centre Law & Consulting is now a Cybersecurity Maturity Model Certification (CMMC) Accreditation Board (AB) Registered Practitioner Organization (RPO). We are one of the first law firms to get this designation. But that is a lot of acronyms in a very short amount of space; what does that mean? More importantly, how does it impact the services that you can expect from Centre?
What is the CMMC-AB and what are they designating?
The Department of Defense (DoD) (now you understand why there are so many acronyms) has been attempting to improve the cybersecurity of its vendors for years. In 2016, DoD promulgated DFARS Clause 252.204-7012, which imposed cybersecurity requirements on certain contractors. Unfortunately, not every contractor complied with these requirements.
The DoD worked with the Johns Hopkins Applied Physics Laboratory, the Carnegie Mellon University Software Engineering Institute, and others to develop a new method to help address this problem: the CMMC framework.
The CMMC framework requires an independent assessment of a contractor’s cybersecurity program. Assessing all the defense industrial base’s cybersecurity is beyond the DoD’s capabilities. To handle this workload, the DoD contracted with the CMMC-AB, a non-profit, which will train and oversee the private entities that will conduct the actual assessments: the CMMC 3rd Party Assessor Organizations (C3PAO). In short, DoD defines the standards, while the CMMC-AB manages the ecosystem.
The CMMC-AB has created additional designations for organizations in the CMMC ecosystem, because the CMMC requires more than assessors to be successful. In addition to the C3PAOs, the CMMC designates RPOs, Licensed Partner Publishers, and Licensed Training Providers, among others. Centre has achieved the RPO designation.
C3PAOs are not permitted to provide consulting services to organizations that they are assessing (they can consult with organizations they will not assess). RPOs, and the Registered Practitioners (RP) who work for them, provide “advice, consulting, and recommendations” to organizations seeking a CMMC maturity level. In other words, an RPO helps an organization prepare for an assessment, and a C3PAO conducts an assessment.
But why would someone hire a law firm as an RPO?
Law firms offer several advantages as an RPO.
Government contractors frequently have existing, and sometimes extensive, cybersecurity obligations. The legal consequences for a failure to meet those obligations can be severe. The federal government has pursued False Claims Act cases related to insufficient cybersecurity. Other enforcement agencies have pursued claims related to cybersecurity, going so far as to put at least one company out of business. Civil litigation is also a concern.
Law firms are well positioned to evaluate clients’ compliance efforts in a confidential manner. Organizations that are unsure whether they currently meet their obligations should retain legal counsel to evaluate those obligations and, if necessary, assist in improving their cybersecurity posture. These efforts may be protected by attorney-client privilege and work product protection, which is especially important in the wake of a data breach.
Law firms are also well positioned to link a cybersecurity program into broader corporate governance, including the controls necessary to protect company executives from personal liability. Cybersecurity is the responsibility of senior leadership in any organization, and cybersecurity failures can be attributed to leadership, both at publicly traded companies and private entities.
Finally, cybersecurity often impacts other legal disciplines, such as licensing, employment, and intellectual property. Having a single entity capable of advising on all these interrelated concerns can be more cost effective, provide more consistent and effective guidance, and reduce stress, especially for small businesses.
By combining law firm expertise and the training necessary to become an RPO, Centre is well positioned to advise clients on cybersecurity generally and CMMC compliance specifically. Many clients find it useful to start with a small, discrete engagement, such as a tabletop exercise or a risk assessment, before engaging in a more long-term partnership.