After months of anticipation, the Department of Defense’s (DoD) new Cybersecurity Maturity Model Certification (CMMC) was published on January 30. Under the current timeline, CMMC requirements will begin to appear in DoD Requests for Information (RFIs) as soon as June 2020, and contractors that want to bid on the first contracts carrying those requirements will need to be CMMC certified by September 2020.
Here’s what CMMC means for defense contractors, and what you should be doing now to prepare for its roll out.
What is CMMC?
Under CMMC, all contractors who provide products or services to the U.S. Department of Defense will be required to demonstrate that they meet rigorous cybersecurity requirements before they can win defense contracts.
While CMMC is new, the requirement that government contractors put in place robust cybersecurity protections is not. A DoD regulation (the DFARS clause 252.204-7012) has been in place for several years requiring contractors to comply with the NIST SP 800-171 security requirements.
In the past, companies in the defense industrial base (DIB) have been able to self-certify their compliance. The big difference with CMMC is that compliance must now be validated by an independent third party.
CMMC specifically aims to protect two kinds of information:
- Federal Contract Information (FCI): Information provided by or generated for the Government under contract not intended for public release.
- Controlled Unclassified Information (CUI): A category of unclassified information that requires safeguarding, established by a presidential memorandum issued by President George W. Bush on May 9, 2008. CUI replaces earlier markings such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU) and Law Enforcement Sensitive (LES).
The CMMC framework measures cybersecurity maturity using five levels and has a corresponding set of processes and best practices that should be put in place based on the type and sensitivity of the information being protected.
While CMMC includes some new elements, such as a certification, it builds on a number of existing standards including:
- The basic safeguarding requirements for FCI specified in the Federal Acquisition Regulation (FAR) Clause 52.204-21
- The security requirements for CUI contained in National Institute of Standards and Technology (NIST) Special Publication 800-171
- Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012
CMMC also adds practice domains that have no direct counterpart in NIST SP 800-171, such as asset management, recovery and situational awareness.
The DoD has stated that it expects every company with which it contracts, regardless of the type of work it does or the information it handles, to become CMMC certified, even if it’s only to Level 1.
Why did the U.S. Government Create CMMC?
Cyberattacks have become increasingly commonplace and the ability of threat actors to gain access to intellectual property and sensitive data represents a critical, growing national security threat to the United States.
Malicious actors are opportunistic and tend to target the easiest points of entry to an organization. Because the U.S. defense industrial base (DIB) is made up of a large number of very small companies, it presents an attractive attack surface for adversaries looking to gain a competitive edge with respect to commercial innovation or military might, as well as to wage more direct attacks.
While there are a number of existing regulations (such as DFARS and NIST SP 800-171) already in place to address cybersecurity among the DIB, many organizations have been slow to come into compliance with them. This is especially true of smaller defense subcontractors, many of which handle CUI about DoD systems and manufacturing, which makes them valuable targets for foreign adversaries looking to gain insight into U.S. national defense strategies.
The overarching purpose of CMMC is to provide DoD with assurance that the contractors in its supply chain are taking the necessary precautions to ensure that data and information it shares with them is fully protected, and to offer DIB contractors a means to benchmark themselves against a clear and consistent set of security processes, practices and methods.
What Level of CMMC Do You Need to Achieve?
Because DoD is moving quickly to implement CMMC, defense contractors should begin immediately by determining the degree to which they currently comply with NIST SP 800-171 and identifying the CMMC level they will need to achieve.
There are five levels of maturity within the CMMC model, beginning with Level 1 (“Basic Cyber Hygiene”) and culminating with Level 5 (“Advanced/Progressive”). The levels are cumulative, meaning that organizations wishing to achieve a certain CMMC level must satisfy all requirements for the preceding levels. Failure to meet any single item required for a given level will result in an organization being certified at the level below it.
To reach any given level, organizations must satisfy the required processes and practices specified for that level.
All defense contractors will be required to achieve at least Level 1 certification.
According to Version 1 of CMMC, here’s what is required at each of the five levels:
- Level 1 - Basic Cyber Hygiene: This level focuses on the protection of FCI and requires that organizations comply with the basic safeguarding requirements in 48 CFR 52.204-21. Process maturity is not assessed at this level.
- Level 2 - Intermediate Cyber Hygiene: Level 2 is a transition step from protecting FCI to protecting CUI and is the first stage at which organizations must establish and document practices and policies to guide CMMC implementation. Organizations wishing to achieve Level 2 certification must comply with all requirements of Level 1 and a subset of the requirements in NIST SP 800-171.
- Level 3 - Good Cyber Hygiene: Building on Level 2, Level 3 requires that organizations have a plan for ensuring practices are implemented and focuses on the protection of CUI. To achieve Level 3 certification, an organization must meet all of the security requirements of NIST SP 800-171 along with additional practices, and must satisfy DFARS clause 252.204-7012.
- Level 4 - Proactive: At Level 4, organizations must review and measure the degree to which their practices are effective, and must put in place practices to protect CUI from advanced persistent threats (APTs). This level draws on Draft NIST SP 800-171B along with additional cybersecurity best practices.
- Level 5 - Advanced/Progressive: Organizations that achieve Level 5 certification will have standardized and optimized process implementation across their organizations and put in place practices that increase the depth and sophistication of their protection from APTs.
To understand what level of CMMC your organization needs to achieve, you must first determine the type and sensitivity of information that will be handled as well as the threats you may be facing.
CMMC Implementation Timeline
Version 1 of CMMC was published by the DoD on January 30, 2020 and the agency has stated that it plans to release 10 RFIs and 10 RFPs this year that will require CMMC certification when the contract is awarded.
DoD has estimated that it will have at least 15 contracts with CMMC requirements and 1,500 certified contractors by FY 2021.
The number of CMMC contracts is expected to grow steadily year over year, from 15 in 2021, to 75 in 2022, 250 in 2023, and 479 in 2024, before being required as part of all new contracts in 2025/26.
Becoming CMMC Certified
Prior to CMMC, defense contractors were allowed to self-certify that they met federal government regulations regarding security and submit a Plan of Actions and Milestones (POA&M) detailing how they would work to address any shortfalls while still actively engaging in contracts with DoD.
Under CMMC, this is no longer the case: all defense contractors must become CMMC certified via a third-party assessment. Certification will be issued through the CMMC Accreditation Body (CMMC-AB), an independent, not-for-profit entity that is also charged with developing assessment standards and training.
Once the Accreditation Body is up and running, DoD contractors will be able to apply for CMMC certification through a marketplace portal, and a certification will be valid for three years.
DoD has not yet identified a list of approved third-party assessors (called “Certified Third Party Assessor Organizations,” or C3PAOs), but is expected to do so by June 2020. That leaves just a few months between publication of this list and the September 2020 compliance deadline for organizations to undergo assessments and achieve certification in order to bid on new contracts.
What Does It Cost to Become CMMC Certified?
The National Defense Industrial Association (NDIA) estimates that the cost for a small-to-medium-sized defense contractor to achieve Level 3 certification could total as much as $250,000, but the total cost for an organization to come into CMMC compliance will depend on both its current security posture and the level of certification it is seeking.
Cost uncertainty notwithstanding, DoD has recognized that smaller defense contractors may find it difficult to fund the security improvements mandated by CMMC and has indicated that security will be an allowable cost under its contracts. This means that contractors should be able to build the cost of meeting CMMC requirements into the price of their contracts.
According to Katie Arrington, DoD’s CISO for Acquisition and Sustainment, “Because we're saying security is an allowable cost and putting this in a context where I'm putting the CMMC as a technical requirement, I understand that there's an assumed cost to it.”
In short, defense contractors, as well as any company that wants to provide goods or services to the DoD, need to look at CMMC certification as a cost of doing business, but that cost should be recoverable from the Government as a customer.
In addition, the Small Business Cybersecurity Assistance Act, if approved, would provide small and medium sized businesses with cybersecurity education via the SBA’s Small Business Development Centers.
The DIB is made up of more than 300,000 contractors, all of whom will need to become CMMC certified. Because there is a limited pool of organizations capable of carrying out CMMC assessments, the capacity of the system for assessing companies and issuing certifications is likely to be strained, at least in the near term. This makes it especially important for organizations that rely heavily on DoD contracts for revenue to be proactive about becoming certified.
Many of the contractors in the DIB are small and have no in-house IT staff. Very often they participate in DoD work as subcontractors, so it will be incumbent upon larger DoD prime contractors to mentor their subcontractors and facilitate the process of achieving the appropriate level of certification.
Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, said this with respect to small contractors: “We know that this can be a burden to small companies in particular. At this point, I don't rule anything out, but I'm not envisioning waivers. I am envisioning the primes and the industry associations and the government with industrial policy really working as kind of the help desk, the help agent, enabling these companies to be compliant with a lot of support."
The Time to Begin Is Now
The time to begin preparing for CMMC certification is now, particularly if DoD contracts make up a significant part of your organization’s revenue. As new RFIs are released with CMMC requirements included beginning in June of 2020, those contractors who have achieved CMMC certification will be best placed to win awards.
Because much of the CMMC assessment model is based on the existing NIST SP 800-171 controls, the best way to begin is by ensuring your organization complies with the requirements of that standard. At the same time, keep an eye on updates regarding approved CMMC assessors so that you can be among the first to enter the assessment process and get certified.
Finally, while becoming CMMC certified will position contractors to win new DoD awards, it should not be viewed as a marketing tool. DoD’s Katie Arrington puts it best: “Don’t post your CMMC level certification on your website. If [hackers] know you’re at level 2, they know you’re only doing these types of things,” and that information provides them with what they need to tailor their attacks.