The Cybersecurity Maturity Model Certification, or CMMC, is the next stage in the Department of Defense's (DoD) efforts to properly secure the Defense Industrial Base (DIB). In the simplest of terms, the DoD announced in mid 2019 that it is creating a cybersecurity assessment model and certification program. Since that time, several draft versions of CMMC were publicly released: 0.4. 0.6, and 0.7
In prior years, contracting authorities and prime contractors would request a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) in response to DFARS 252.204-7012. This request from contracting authorities was often post award, and several companies received severe penalties through False Claims Act (FCA) settlements for misrepresenting their cybersecurity efforts.
CMMC contrasts DFARS 7012 by forcing the requirement before award, or 'pre-award'. Contractors will be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. These evaluations will lead to a level certification of 1 to 5, 5 being the most secure. The higher your company certifies, the more contracts you will be eligible to bid on.
FAQ: How far down the supply chain are the 3rd party audits required? Is this only for prime contractors or does it filter to lower level suppliers such as subcontracted machine shop work?
According to the Office of the Under Secretary of Defense (OUSD), the CMMC level requirement will flow down to all subcontractors regardless of size or function. It is likely that CMMC requirements will be broken apart by tier - i.e for RFP A1B2C3D44 Prime Contractors are required to be CMMC Level 4 upon proposal and all listed Subcontractors must meet CMMC Level 2. They also state all future RFPs will require a CMMC level regardless of handling Controlled Unclassified Information (CUI).
Katie Arrington (Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, Office of the Under Secretary of Acquisition and Sustainment) gave a presentation at the 2019 Federal Acquisition Conference on June 13, 2019. Her presentation was entitled: "Securing the Supply Chain".
The presentation started by tying the DoD's understanding of the DIB's current cyber security state to MITRE's report from late 2018, entitled "Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War". The Deliver Uncompromised report found the vast majority of government contractors were not meeting the requirements of DFARS 7012, and many more did not have the understanding or means to meet the regulations.
Fast forward to June, 2019 - not much had changed according to Arrington. The presentation explained the vast majority of contractors have not implemented NIST 800-171 within their information systems. Similar to the Deliver Uncompromised report, Arrington championed the need for a fourth element in the acquisition process: security. Moreover, she stated the DoD's intent to make security the foundation of the preexisting acquisition criteria (cost, performance, and schedule).
The Model for Assessments
- Level 1: 17 NIST 800-171 Requirements
- Level 2: 65 NIST 800-171 Requirements PLUS 7 Other Practices
- Level 3: 110 NIST 800-171 Requirements PLUS 21 Other Practices
- Level 4: 110 NIST 800-171 Requirements PLUS 47 Additional Practices
- Level 5: 110 NIST 800-171 Requirements PLUS 63 Additional Practices
CMMC primarily leans on NIST 800-171; however, many frameworks are being considered and integrated for the new Cybersecurity Maturity Model (CMM). NIST 800-53, FedRAMP, CMMI, SANS, FIPS 140-2, RMF, ISO 9000, and others are influencing the new model. Other federal agencies, industries (the financial sector for example), and industry experts will be consulted for lessons learned.
Just as contractors have dedicated staff and resources to prepare for ISO, CMMI, and Defense Contract Management Agency (DCMA) audits - contractors within the Aerospace and Defense community will need to provide adequate IT and Information Security support to this critical business practice area. This can be accomplished by building an internal team or partnering with an external firm to manage the environment and security process for you.
Arrington's presentation suggested businesses will need to dedicate significant staffing resources (greater than or equal to four information security specialists) to cybersecurity compliance and continuous improvement. Unfortunately, the overwhelming majority of government contractors under 1,000 employees do not have the teams in place to support this need or capability.
The DoD plans to conduct "Industry Days" otherwise known as "Listening Sessions" throughout the 2019-2020 across multiple cities. Below is the initial proposed map and some of the previous/upcoming dates and events.
|San Diego, CA||July 25-26|
|Washington D.C. (ITI)||July 29|
|Washington, D.C. (NIST)||August 8|
|Novi, Michigan (NDIA)||August 15|
|Colorado Springs, CO||
|Tampa, FL||November 13|
|Indianapolis, IN||February 11, 2020|
|San Francisco, CA||February 24-28|
DoD will begin development of the certifier accreditation program by January 2020 and start the accreditation process by June 2020. Therefore, it is likely to see the first accreditations in the latter half of 2020 and contractor evaluations starting shortly after that.
How Will CMMC Impact My Business?
The first obvious impact will be on recompetes. Every contractor's existing work will be up for grabs depending upon which CMMC level is required by the contracting authority. It will be advantageous to begin asking about the intended CMMC requirement during the RFI and question submittal periods of the acquisition lifecycle.
This will fall in line with other elements of the capture strategy (i.e. which NAICS code or small business set-aside will the agency use in the acquisition strategy). Furthermore, there are advantages of winning new business if your company receives a higher CMMC level than your competition.
Teaming and subcontracting will also be impacted, but it is unclear on the specifics at this point. Will the CMMC level flow down like other requirements, or will the CMMC level primarily apply to the prime contractor? There will be likely be more strict vendor approval processes with larger firms if the level requirement flows down to subcontractors.
A great positive to the new certification will be the elimination of ambiguity. The industry has struggled largely to grasp compliance and understand how the DoD would enforce compliance.
Compounding this issue, Aerojet Rocketdyne (AR) was recently issued a Civil False Claims Act (FCA) action for misleading the US Government of their compliance with DFARS 7012 and NIST 800-171. A previous employee and cybersecurity watchdog submitted the claim against them, and AR was not able to adequately defend themselves on the basis of their own self assessment. Now companies will be able to lean on the third party assessment of CMMC and eliminate the risk of potential FCA actions.
One last thing - IT Security costs are going to be an allowable charge on contracts moving forward, and will be an element of your best value proposals. Thus, new rates and bidding strategies will come into play within your pricing volumes.
How Do I Prepare for CMMC?
- If you haven't already done so, get an SSP and POA&M in place. This was and will continue to be the starting place.
- Configure your existing environment or build a new environment to NIST 800-171 compliance. Many contractors are moving to Office 365 GCC High or other cloud providers to ease this process.
- Begin building budgets for the enhanced support requirements and modifying rates to include the enhanced security requirements. Weigh the costs and consider outsourcing security, compliance, and information system management with a Managed Service Provider.
- Attend the CMMC industry days mentioned above. We will update this blog and post on our various social accounts once dates are set. Follow us on LinkedIn, Twitter, Facebook, Instagram, or Youtube for the latest news impacting contractors and Microsoft's Government Cloud offerings.
The ongoing Cloud Security and Compliance Series (CS2) will also cover some of what you need to know for CMMC preparation. Stacy Bostjanick of the CMMC gave a presentation near the end of 2019 at CS2 HSV.