Why and How the DoD is Implementing the CMMC

The DoD has been working to improve cybersecurity over the last several years as nation-state sponsored theft of defense secrets makes the news on a regular basis. The biggest source of leaks of sensitive intellectual property is the hundreds of thousands of contractors that have access to sensitive but unclassified information called Controlled Unclassified Information, or CUI.

US Army Cyber Operations Center - Fort Gordon, Georgia

In 2013 the DoD created a security requirement in the Defense Federal Acquisition Regulation Supplement, clause DFARS 252.204-7012, and a few years later NIST released a security requirement named SP 800-171. While both of these were a start to improving security for the defense industrial base, they didn't solve the problem.

In early 2019 DoD upped the ante by releasing the Cybersecurity Maturity Model Certification (CMMC). This is the first time DoD has required contractors, sub-contractors and suppliers to be certified to participate in the DoD supply chain.



The CMMC is currently being developed by the Pentagon. Here is the current status:

  • Version 1.0 of the standard was released on January 31, 2020
  • The CMMC Accreditation Body (CMMC-AB) has been stood up and 15 board members and a chairperson have been selected
  • The CMMC-AB has created an organizational structure (see below)
  • In spite of the coronavirus, work is continuing on the certification process, both for certifiers and the DIB
  • The CMMC certification requirement will be included in RFPs mid-2020
  • And then included in contract requirements during DoD FY 2021

Here is the CMMC-AB organizational structure:

cmmc organizational structure

What is new with the CMMC regulation is that all 350,000 DoD supply chain members will be required to be certified by an independent third party, and that third party must itself be certified in order to certify DoD supply chain members. Additionally, DoD has determined that CMMC certification costs can be treated as "allowable costs" by contractors.

In addition, certifications will expire. At the lowest level, certifications will last three years. While it is still in flux, it is likely that higher level certifications may expire more frequently.

It is also possible or even likely that the Pentagon may require that classified network owners be certified as well, although they have not said this publicly. Yet.

NOTE: We will update this web page as more information is released by the Department of Defense.

The CMMC Model

The CMMC will encompass multiple maturity levels that range from "Basic Cybersecurity Hygiene" to "Advanced". The intent is to identify the required CMMC level in RFP sections L and M and use it as a "go / no go decision."

In its final form, the CMMC intends to combine various cybersecurity control standards such as NIST SP 800-171 (Rev. 1 & Rev. B), NIST SP 800-53, and AIA NAS9933 into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company's institutionalization of cybersecurity practices and processes.

What the CMMC Means for DoD Contractors

The DoD has built upon the existing DFARS 252.204-7012 regulation and developed the CMMC as a "verification component" for its cybersecurity requirements. Until now the DoD has trusted contractors to achieve compliance on their own; with continued pressure to ensure 100% adoption of cybersecurity controls, the DoD is updating its policies.

NOTE: DoD Contractors will need to become CMMC Certified by passing an independent third party CMMC Audit to verify they have met the appropriate level of cybersecurity for their business. DoD supply chain members at all levels will have to be certified at one of the five maturity levels described below.

  • The Prime contractors must flow down the appropriate CMMC requirement to sub-contractors.
  • Phase 1 of CMMC only applies to the contractor's networks and does not apply to their products.

Current CMMC Certification Status

To verify that DoD Contractors have met the appropriate level of cybersecurity controls, the DoD will deploy certified independent third-party organizations to conduct audits of DoD Contractor information systems and inform risk. It is on the basis of this audit that a DoD contractor will or will not be awarded a certification. The details of how this certification process will work are still being worked out. CyberCecurity, LLC is following the process closely as we will be an accredited certification provider.

Important Dates and Milestones for ALL DoD Contractors, Subcontractors and Suppliers

  1. Now: Evaluate your current NIST SP 800-171 compliance status and implement a plan of action with milestones to remediate any non-compliance issues.
  2. January 2020 - DoD released the CMMC standard.
  3. An update to the spec was released in March 2020 and is available here: https://www.acq.osd.mil/cmmc/draft.html
  4. Mid 2020 - CMMC requirements will begin to be included in a subset of RFPs.
  5. Late 2020 - Certification will begin to be included as a requirement in select contracts for primes and subs and in many cases, also for suppliers.
  6. Ultimately, DoD contractors will not be allowed to bid on RFPs unless they are certified at the required level. This is different from what has been the norm historically, where contractors got certified after the fact. The plan has changed: now you will have to be certified in advance.

Becoming Certified

DoD Contractors will need to coordinate directly with an accredited, independent, commercial certification organization to request and schedule a CMMC assessment. DoD Contractors will specify the level of the certification requested based on the DoD Contractor's specific business requirements including what the contract specifies. Contractors will be awarded a certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.

Third party certification organizations will be available in mid 2020. We will update this guide as soon as this list becomes available.

About CMMC Levels

The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced.

Here is a chart of the CMMC levels and their respective requirements, including where those requirements came from:

cmmc level chart

Below is the Pentagon's explanation of the CMMC maturity process progression, with higher levels building on the lower levels.

cmmc maturity process progression

Likewise, here is the maturity progression for practices with each level building on the level below it:

cmmc practice progression

  • The CMMC level of certification required for each procurement will be specified in the RFI and RFP upon release.
  • Contractors will be required to meet the certification level at time of award.
  • Unless a higher level is specified, all contractors and sub-contractors must meet at a minimum CMMC Level 1.


In January 2020, the official CMMC Levels and requirements were released to the public. The government will determine the appropriate tier (i.e. not all contracts require the highest level of security) for the contracts they administer.

For more information, a full list of frequently asked questions can be found HERE.

How to Prepare for a CMMC Audit

Option 1: Do it Yourself and Meet Requirements In-House

DoD contractors or suppliers who have the resources and IT staff available can meet the appropriate CMMC level of cybersecurity in-house. Internal IT departments can use the "Self Assessment Handbook - NIST Handbook 16" provided by the National Institute of Standards and Technology (NIST). This handbook was created by NIST with the intention of assisting U.S. DoD contractors who provide products and services for the Department of Defense. Unfortunately, this handbook only covers NIST SP 800-171 Rev. 1 (a good starting point for certifications up to CMMC Level 3), and there is currently no Self Assessment Handbook for NIST SP 800-171 Rev. B. However, a draft of Rev. B can be found HERE. Note that a self-assessment alone will not get you certified; you will still need to pass the independent third-party assessment, and if that process is successful, you will be awarded a certification at the appropriate level.

Option 2: Work with a CMMC Consultant

For many DoD contractors, the most effective way to meet the CMMC cybersecurity requirements is to outsource the task to a consulting partner that has the appropriate expertise and can work with you to become compliant. Remember that DoD contractors remain ultimately responsible for ensuring that their company meets the appropriate cybersecurity requirements, so it is essential to choose a provider that is reputable. Again, you will have to engage a third party for the actual certification process.

CyberCecurity, LLC is one such cybersecurity consulting company.

The Risk Assessment or Gap Analysis

The first step towards compliance is to determine how close the contractor is to full compliance. This process is called the risk assessment or gap analysis. Gap analyses are designed to discover areas where the company is not fully compliant with the regulations.

The results of the gap analysis may reveal issues related to:

  • How access to information systems is controlled
  • How managers and information system administrators are trained
  • How data records are stored
  • How security controls and measures are implemented
  • How incident response plans are developed and implemented
  • And much more

Without a gap analysis, it's impossible to know what changes an organization needs to make before it meets the required CMMC Level. The gap analysis provides a roadmap to becoming compliant. Remember that the CMMC requirements will require compliance with different subsets of the NIST SP 800-171 requirements plus additional requirements out of documents such as NIST SP 800-53 Rev 5, depending on the CMMC certification level required.

Ongoing Cyber Security Monitoring and Reporting

Certification is a point-in-time event. Even if it covers some historical period, as an AICPA SOC 2 Type 2 audit does, it doesn't mean that you will be compliant in the future.

The DFARS clause also requires rapid notification (within 72 hours) of a security incident to your prime contractor or to the government. Part of being compliant is being able to respond to these incidents within that time frame and to deliver the required data to the appropriate party.

The Importance of Passing the First CMMC Audit

For many companies, DoD contracts make up a substantial percentage of their revenue and because CMMC certification will now be a requirement in many cases for bidding on contracts (check with your contracting officer), it's extremely important that contractors become certified. If a contractor fails a CMMC audit, they may be unable to offer products and services to the DoD until they do become certified.

CMMC Audit Preparation & Assessment Services

CyberCecurity, LLC is a full-service cybersecurity company that offers a wide range of cybersecurity and privacy services, including various certification services. More information about our certification services can be found at: https://www.cybercecurity.com/business-cybersecurity-certification-program/.

While no company has yet been authorized by the DoD to provide full CMMC certification services, CyberCecurity, LLC intends to be amongst the first authorized CMMC certifiers. In the interim, we are now able to offer you the following services:

  • CMMC pre-assessments
  • Development of a System Security Plan (SSP) and Plan of Action and Milestones (POA&M)
  • Implementation of the NIST SP 800-171 and anticipated CMMC requirements

Accomplishing the above items will facilitate the rapid passing of a CMMC audit and allow your organization to bid on and be awarded new DoD contracts. It will also make your company more competitive for DoD contracts.

Have more questions?

Here is a link to the Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification FAQ page.

Please call us for more information or if you have questions:

Mitch Tanenbaum, CISO, CyberCecurity, LLC
mitch@cybercecurity.com
720-891-1663