The Cybersecurity Maturity Model Certification (CMMC) is a framework and certification process instituted by the Department of Defense (DoD) to document and verify the security posture of companies in the defense supply chain. Much like the Risk Management Framework (RMF), it is a way to unify cybersecurity standards across these companies.
The RMF is based on NIST SP 800-53, which applies to federal information systems. But what about the defense contractors who do work for the government on their own systems? That is where DFARS comes in. DFARS stands for Defense Federal Acquisition Regulation Supplement. Any contractor holding a current DoD contract is expected to be DFARS compliant.
But what exactly is DFARS compliance?
DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," is the clause that requires defense contractors to protect covered defense information, a category of Controlled Unclassified Information (CUI), and to report cyber incidents to the DoD.
This DFARS clause applies to any company that possesses covered defense information (for example, technical data) on its own systems. However, the clause alone was somewhat vague about what "adequate security" meant, and it was not easy to gauge whether companies were actually implementing the desired cyber hygiene.
To make the clause concrete, DFARS 252.204-7012 points to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (first published in 2015) as the required set of security requirements, with full implementation due by December 31, 2017. Contractors were expected to implement the 110 requirements, perform a self-assessment and attest to their standing. Even so, the rate of compliance remained low.
The DoD decided to build on the DFARS and 800-171 efforts by creating the CMMC and standing up an independent accreditation body. The DoD defines the CMMC model and its requirements; instead of self-assessing, companies must have a third-party assessment done. The CMMC Accreditation Body (CMMC-AB) is an independent, non-profit, industry-funded board of 13 members drawn from industry, academia and the cybersecurity community. Its role is to make enforcement of 800-171 possible by overseeing the training and credentialing of the third-party assessors who will audit the contracting companies.
The certification process applies to all companies in the DoD supply chain. So, this is not just applicable to the big defense contractors you are imagining. DoD contracts also include things like the vendor who sells sandwiches on a military base or the landscaping company that mows the lawns at a military installation.
Any company that holds a DoD prime contract or subcontract is expected to go through this process. Of course, what the company does, and in particular whether it handles Federal Contract Information (FCI) or CUI, will determine which level it needs to achieve.
How do I get certified?
You first want to assess what your company does for the government and how it does it. Organizations that provide services for or work with the government usually have contract requirements that dictate where and how the work takes place.
The contracting company may be issued government computers that can be used off-site, or it may receive authorization to use systems located in government facilities. If you are working only on government-furnished equipment, you are not responsible for certifying that equipment.
Most often, the work, or at least some portion of it, is expected to be performed on the company's own equipment. This includes its computers, external hard drives, network equipment, routers and any other equipment that plays a role in storing or transmitting contract data. Collectively, these items are referred to as "organizational systems."
If the contract involves CUI, these organizational systems will be used to process it. Even though it is unclassified, the movement and storage of this information must be controlled. The needs are similar to those for managing company proprietary information: CUI is still sensitive, and the government wants to avoid the potential for a data spill or exfiltration.
First, you will need a System Security Plan (SSP). The original NIST SP 800-171 has been superseded by Revision 2, released in February 2020. An SSP is itself one of the 800-171 requirements (3.12.4), and NIST provides an SSP template to assist in documenting the status of each requirement.
The SSP covers all of the applicable security requirements, so you will need to assess whether you are compliant with each one. All of the organizational processes and the security status of the technology equipment are documented in this template. It is important to document things properly, as the SSP will be reviewed during the audit. The publication is strongly focused on policy, processes and configuration, but there is the potential that additional security-related software or hardware will need to be purchased and implemented to satisfy some requirements. If you are a prime contractor, you will also need to ensure that any subcontractor you bring on board is compliant at the level its work requires.
What level of compliance will I need?
There are five levels of certification. Level 1 is the bare minimum, and Level 5 is the maximum level.
Level One: Like the control families in NIST SP 800-53 and 800-171, the CMMC model groups its practices into 17 cybersecurity domains. Level One requires 17 basic practices, which correspond to the safeguarding requirements of FAR 52.204-21 for protecting Federal Contract Information (FCI). This level may apply to a subcontractor that does not need to handle CUI. (Think back to the landscaper or sandwich maker.)
Level Two: Level Two is considered a transitional step toward Level Three. It requires 72 practices, 65 of which come from NIST SP 800-171, and it is the first level that requires documented policies and procedures for each domain. It is intended for companies that are planning and budgeting for the processes and controls needed to move up.
Level Three: This is the minimum level required to handle CUI. The company is responsible for 130 practices: all 110 security requirements of NIST SP 800-171 (Revision 2) plus 20 additional practices.
Level Four & Level Five: These levels (156 and 171 practices, respectively) are for critical companies working on the most sensitive contracts. They add controls aimed at advanced persistent threats, and those standards derive from ones published or under development by NIST, the International Organization for Standardization (ISO), the Aerospace Industries Association (AIA) and others.
What’s the timeline?
Under Secretary of Defense for Acquisition and Sustainment Ellen Lord has stressed that the goal is not to burden small businesses. Companies that already have a signed contract, or are actively working on one, are not expected to become compliant immediately. However, as new RFIs, RFPs and future contracts are released and staffed, the mandate will be enforced more broadly. Starting with the government's fiscal year in the fall, published solicitations will begin to set the new standard. The first ten solicitations will be the pathfinders and will help the government assess the success of the CMMC.
The CMMC Accreditation Body will launch an online "marketplace" where companies seeking CMMC certification can find and hire a certified third-party assessment organization (C3PAO).
The Defense Acquisition University (DAU) will begin offering online courses on CMMC, and the Pentagon will issue the Requests for Information (RFIs) for the first 10 "pathfinder" contracts, each expected to affect some 150 contractors and subcontractors. Some of these contracts will require only CMMC Level One, others Level Three, and "one or two" may require Level Four or Five.
From October 2020 onward, companies will have to be certified by an accredited assessor to bid on new work that carries the requirement. The successes and failures of the pathfinder contracts will determine whether adjustments to the CMMC process are necessary before new RFIs and RFPs are issued for further contracts.
CMMC may not be fully rolled out across all contracts until 2026. Many government contracts run five years, and that is also the horizon on which the Pentagon performs budget planning. So, if you are a company that needs to go through this process, don't panic; you have time.
However, if you are well behind the curve on implementing cybersecurity standards, you do not want to put this off. Use this time to ensure you get it right, so that you do not miss out on contracts.