The Cybersecurity Maturity Model Certification, or CMMC, is the next stage in the Department of Defense's (DoD) efforts to properly secure the Defense Industrial Base (DIB). In the simplest of terms, the DoD announced in mid 2019 that it is creating a cybersecurity assessment model and certification program. Since that time, several draft versions of CMMC were publicly released: 0.4. 0.6, 0.7 , and most recently, CMMC 1.0.
In prior years, contracting authorities and prime contractors would request a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) in response to DFARS 252.204-7012. This request from contracting authorities was often post award, and several companies received severe penalties through False Claims Act (FCA) settlements for misrepresenting their cybersecurity efforts.
CMMC contrasts DFARS 7012 by forcing the requirement before award, or 'award-time'. Contractors will be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. These evaluations will lead to a level certification of 1 to 5, 5 being the most secure. The higher your company certifies, the more contracts you will be eligible to bid on.
FAQ: How far down the supply chain are the 3rd party audits required? Is this only for prime contractors or does it filter to lower level suppliers such as subcontracted machine shop work?
According to the Office of the Under Secretary of Defense (OUSD), the CMMC level requirement will flow down to all subcontractors regardless of size or function. It is likely that CMMC requirements will be broken apart by tier - i.e for RFP A1B2C3D44 Prime Contractors are required to be CMMC Level 4 upon proposal and all listed Subcontractors must meet CMMC Level 2. They also state all future RFPs will require a CMMC level regardless of handling Controlled Unclassified Information (CUI).
Katie Arrington (Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, Office of the Under Secretary of Acquisition and Sustainment) gave a presentation at the 2019 Federal Acquisition Conference on June 13, 2019. Her presentation was entitled: "Securing the Supply Chain".
The presentation started by tying the DoD's understanding of the DIB's current cyber security state to MITRE's report from late 2018, entitled "Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War". The Deliver Uncompromised report found the vast majority of government contractors were not meeting the requirements of DFARS 7012, and many more did not have the understanding or means to meet the regulations.
Fast forward to June, 2019 - not much had changed according to Arrington. The presentation explained the vast majority of contractors have not implemented NIST 800-171 within their information systems. Similar to the Deliver Uncompromised report, Arrington championed the need for a fourth element in the acquisition process: security. Moreover, she stated the DoD's intent to make security the foundation of the preexisting acquisition criteria (cost, performance, and schedule).
The Model for Assessments
Level 1: 17 NIST 800-171 Requirements
Level 2: 72 Practices (65 NIST 800-171 Requirements PLUS 7 Other Practices)
Level 3: 130 Practices (110 NIST 800-171 Requirements PLUS 20 Other Practices)
Level 4: 156 Practices (110 NIST 800-171 Requirements PLUS 46 Additional Practices)
Level 5: 171 Practices (110 NIST 800-171 Requirements PLUS 61 Additional Practices)
CMMC primarily leans on NIST 800-171; however, many frameworks are being considered and integrated for the new Cybersecurity Maturity Model (CMM). NIST 800-53, FedRAMP, CMMI, SANS, FIPS 140-2, RMF, ISO 9000, and others are influencing the new model. Other federal agencies, industries (the financial sector for example), and industry experts will be consulted for lessons learned.
Just as contractors have dedicated staff and resources to prepare for ISO, CMMI, and Defense Contract Management Agency (DCMA) audits - contractors within the Aerospace and Defense community will need to provide adequate IT and Information Security support to this critical business practice area. This can be accomplished by building an internal team or partnering with an external firm to manage the environment and security process for you.
Arrington's presentation suggested businesses will need to dedicate significant staffing resources (greater than or equal to four information security specialists) to cybersecurity compliance and continuous improvement. Unfortunately, the overwhelming majority of government contractors under 1,000 employees do not have the teams in place to support this need or capability.
Who is Excluded?
As of the Spring of 2020, CMMC will not apply to Department of Defense suppliers that only provide commercial-off-the-shelf products, a recent change to the DOD’s website shows. The previous version of the website’s FAQ page stated that all DoD contractors needed certification, including ones that did not handle CUI. The new text on the FAQ section states: “Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.”
CMMC Accreditation Body (CMMC AB)
The CMMC AB will oversee the training, quality, and administration of the third party assessment organizations. The CMMC AB consists of 15 individuals from industry, the cybersecurity community, and academia. Strict conflict of interest clauses will be integrated throughout a future memorandum or MOU that will dictate the activities and influence these 15 individuals have over certifications and audits. The list of board members is as follows:
- Chairman, Ty Schieber, University of Virginia, Darden School Foundation
- Director, Akin Akinbosoye, Manufacturing x Digital (MxD)
- Director, Mark Berman, FutureFeed
- Director, Wayne Boline, Raytheon
- Director, Jeff Dalton, Broadsword Solutions
- Director, Nichole Dean, Accenture Federal Services
- Director, Regan Edens, DTC Global
- Director, James Goepel, Fathom Cyber, LLC
- Director, Chris Golden, Third-Party Risk Management
- Director, Karlton Johnson, Delaine Strategy Group, LLC
- Director, Richard H. 'Doc' Klodnicki, Aereti, Inc.
- Director, Valecia Maclin, Microsoft
- Director, Tim Rudolph, 3d Millennium Group
- Director, Ben Tchoubineh, Phoenix TS
- Director, John Weiler, IT Acquisition Advisory Council (IT-AAC)
*Note: before moving on to the next section, please be aware that Credentials will be for individuals and Accreditations will be for organizations.
Proposed Individual Credentials
Certified CMMC AB - Professional (CP)
This certification is identified as a pre-requisite for becoming a Certified Assessor (CA) or instructor. This first professional step towards formal assessing will likely allow the individual to participate in a CMMC assessment team led by a Certified Assessor (CA).
Certified CMMC AB - Assessor (CA)
These individuals are authorized to conduct CMMC assessments for Levels 1 through 5 and also have the ability to award maturity levels that are CMMC Quality Auditor (QA) approved, See below for details on QA.
Certified CMMC AB - Instructor (CI)
Those who are authorized to serve as an instructor and deliver CMMC model training and CMMC Assessor training at/for a Licensed Training Provider (LPP).
Certified CMMC AB - Master Instructor (CMI)
A member of the CMMC AB team who is authorized to train the instructors that work for Licensed Training Providers (LPP) teaching the CP and CA classes.
Certified CMMC AB - Quality Auditor (CQA)
A CMMC Accreditation Board team member who has been authorized to review and approve the assessments submitted by individuals who are Certified Assessors (CA), using a baseline and criteria. This individual serves as a backstop and additional set of eyes to ensure assessments are completed in an unbiased and consistent manner.
Proposed Organization Accreditations
Certified 3rd Party Assessment Organizations (C3PAO)
A C3PAO or CPAO is a licensed organization (licensed by the CMMC-AB) that can deliver a certified CMMC assessment via contractual agreement. The assessment will be conducted by a Certified Assessor (CA) or an Authorized Provisional Assessor (APA) that is either a contractor or an employee under a written agreement.
Licensed Training Provider (LTP)
An LTP will likely be academic and commercial organizations licensed by the CMMC-AB to use materials produced by Licensed Partner Publishers (LPP) to equip auditing professionals for individual credentials: CP, CA, and CI.
Licensed Partner Publishers (LPP)
LPPs will also consist of commercial or academic organizations that are licensed by the CMMC-AB to develop and author training curriculum materials based on the Accreditation Board's learning objectives. These materials will be tested and subsequently used by a Licensed Training Providers (LTP).
There are a myriad of activities, but the most impactful in 2020 are shown in the following graphic.
How Will CMMC Impact My Business?
The first obvious impact will be on recompetes. Every contractor's existing work will be up for grabs depending upon which CMMC level is required by the contracting authority. It will be advantageous to begin asking about the intended CMMC requirement during the RFI and question submittal periods of the acquisition lifecycle.
This will fall in line with other elements of the capture strategy (i.e. which NAICS code or small business set-aside will the agency use in the acquisition strategy). Furthermore, there are advantages of winning new business if your company receives a higher CMMC level than your competition.
A great positive to the new certification will be the elimination of ambiguity. The industry has struggled largely to grasp compliance and understand how the DoD would enforce compliance.
Compounding this issue, Aerojet Rocketdyne (AR) was recently issued a Civil False Claims Act (FCA) action for misleading the US Government of their compliance with DFARS 7012 and NIST 800-171. A previous employee and cybersecurity watchdog submitted the claim against them, and AR was not able to adequately defend themselves on the basis of their own self assessment. Now companies will be able to lean on the third party assessment of CMMC and eliminate the risk of potential FCA actions.
One last thing - IT Security costs are going to be an allowable charge on contracts moving forward, and will be an element of your best value proposals. Thus, new rates and bidding strategies will come into play within your pricing volumes.
How Do I Prepare for CMMC?
- If you haven't already done so, get an SSP and POA&M in place. This was and will continue to be the starting place.
- Configure your existing environment or build a new environment to NIST 800-171 compliance. Many contractors are moving to Office 365 GCC High or other cloud providers to ease this process.
- Begin building budgets for the enhanced support requirements and modifying rates to include the enhanced security requirements. Weigh the costs and consider outsourcing security, compliance, and information system management with a Managed Service Provider.
- Attend the CMMC industry days mentioned above. We will update this blog and post on our various social accounts once dates are set. Follow us on LinkedIn, Twitter, Facebook, Instagram, or Youtube for the latest news impacting contractors and Microsoft's Government Cloud offerings.
The ongoing Cloud Security and Compliance Series (CS2) will also cover what you need to know for CMMC preparation. The video below highlights Katie Arrington's presentation on the background for CMMC at CS2 Indianapolis in February 2020.
If you found this blog helpful, you might be interested in following us on LinkedIn to keep up with changes regarding CMMC and all things security and compliance.