The Cybersecurity Maturity Model Certification, or CMMC, is the next stage in the Department of Defense's (DoD) efforts to properly secure the Defense Industrial Base (DIB). In the simplest of terms, the DoD announced in mid 2019 that it is creating a cybersecurity assessment model and certification program. Since that time, several draft versions of CMMC were publicly released: 0.4. 0.6, and 0.7 , CMMC 1.0 (available now).
In prior years, contracting authorities and prime contractors would request a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) in response to DFARS 252.204-7012. This request from contracting authorities was often post award, and several companies received severe penalties through False Claims Act (FCA) settlements for misrepresenting their cybersecurity efforts.
CMMC contrasts DFARS 7012 by forcing the requirement before award, or 'award-time'. Contractors will be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. These evaluations will lead to a level certification of 1 to 5, 5 being the most secure. The higher your company certifies, the more contracts you will be eligible to bid on.
FAQ: How far down the supply chain are the 3rd party audits required? Is this only for prime contractors or does it filter to lower level suppliers such as subcontracted machine shop work?
According to the Office of the Under Secretary of Defense (OUSD), the CMMC level requirement will flow down to all subcontractors regardless of size or function. It is likely that CMMC requirements will be broken apart by tier - i.e for RFP A1B2C3D44 Prime Contractors are required to be CMMC Level 4 upon proposal and all listed Subcontractors must meet CMMC Level 2. They also state all future RFPs will require a CMMC level regardless of handling Controlled Unclassified Information (CUI).
Katie Arrington (Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, Office of the Under Secretary of Acquisition and Sustainment) gave a presentation at the 2019 Federal Acquisition Conference on June 13, 2019. Her presentation was entitled: "Securing the Supply Chain".
The presentation started by tying the DoD's understanding of the DIB's current cyber security state to MITRE's report from late 2018, entitled "Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War". The Deliver Uncompromised report found the vast majority of government contractors were not meeting the requirements of DFARS 7012, and many more did not have the understanding or means to meet the regulations.
Fast forward to June, 2019 - not much had changed according to Arrington. The presentation explained the vast majority of contractors have not implemented NIST 800-171 within their information systems. Similar to the Deliver Uncompromised report, Arrington championed the need for a fourth element in the acquisition process: security. Moreover, she stated the DoD's intent to make security the foundation of the preexisting acquisition criteria (cost, performance, and schedule).
The Model for Assessments
Level 1: 17 NIST 800-171 Requirements
Level 2: 72 Practices (65 NIST 800-171 Requirements PLUS 7 Other Practices)
Level 3: 130 Practices (110 NIST 800-171 Requirements PLUS 20 Other Practices)
Level 4: 156 Practices (110 NIST 800-171 Requirements PLUS 46 Additional Practices)
Level 5: 171 Practices (110 NIST 800-171 Requirements PLUS 61 Additional Practices)
CMMC primarily leans on NIST 800-171; however, many frameworks are being considered and integrated for the new Cybersecurity Maturity Model (CMM). NIST 800-53, FedRAMP, CMMI, SANS, FIPS 140-2, RMF, ISO 9000, and others are influencing the new model. Other federal agencies, industries (the financial sector for example), and industry experts will be consulted for lessons learned.
Just as contractors have dedicated staff and resources to prepare for ISO, CMMI, and Defense Contract Management Agency (DCMA) audits - contractors within the Aerospace and Defense community will need to provide adequate IT and Information Security support to this critical business practice area. This can be accomplished by building an internal team or partnering with an external firm to manage the environment and security process for you.
Arrington's presentation suggested businesses will need to dedicate significant staffing resources (greater than or equal to four information security specialists) to cybersecurity compliance and continuous improvement. Unfortunately, the overwhelming majority of government contractors under 1,000 employees do not have the teams in place to support this need or capability.
Lastly, the vendor accreditation for CMMC was briefly discussed during the presentation. The updated accreditation board is below.
CMMC Accreditation Body (CMMC AB)
The CMMC AB will oversee the training, quality, and administration of the third party assessment organizations. The CMMC AB consists of 15 individuals from industry, the cybersecurity community, and academia. Strict conflict of interest clauses will be integrated throughout a future memorandum or MOU that will dictate the activities and influence these 15 individuals have over certifications and audits. The list of board members is as follows:
- Chairman, Ty Schieber, University of Virginia, Darden School Foundation
- Director, Akin Akinbosoye, Manufacturing x Digital (MxD)
- Director, Mark Berman, FutureFeed
- Director, Wayne Boline, Raytheon
- Director, Jeff Dalton, Broadsword Solutions
- Director, Nichole Dean, Accenture Federal Services
- Director, Regan Edens, DTC Global
- Director, James Goepel, Fathom Cyber, LLC
- Director, Chris Golden, Third-Party Risk Management
- Director, Karlton Johnson, Delaine Strategy Group, LLC
- Director, Richard H. 'Doc' Klodnicki, Aereti, Inc.
- Director, Valecia Maclin, Microsoft
- Director, Tim Rudolph, 3d Millennium Group
- Director, Ben Tchoubineh, Phoenix TS
- Director, John Weiler, IT Acquisition Advisory Council (IT-AAC)
There are a myriad of activities, but the most impactful in 2020 are shown in the following graphic.
How Will CMMC Impact My Business?
The first obvious impact will be on recompetes. Every contractor's existing work will be up for grabs depending upon which CMMC level is required by the contracting authority. It will be advantageous to begin asking about the intended CMMC requirement during the RFI and question submittal periods of the acquisition lifecycle.
This will fall in line with other elements of the capture strategy (i.e. which NAICS code or small business set-aside will the agency use in the acquisition strategy). Furthermore, there are advantages of winning new business if your company receives a higher CMMC level than your competition.
Teaming and subcontracting will also be impacted, but it is unclear on the specifics at this point. Will the CMMC level flow down like other requirements, or will the CMMC level primarily apply to the prime contractor? There will be likely be more strict vendor approval processes with larger firms if the level requirement flows down to subcontractors.
A great positive to the new certification will be the elimination of ambiguity. The industry has struggled largely to grasp compliance and understand how the DoD would enforce compliance.
Compounding this issue, Aerojet Rocketdyne (AR) was recently issued a Civil False Claims Act (FCA) action for misleading the US Government of their compliance with DFARS 7012 and NIST 800-171. A previous employee and cybersecurity watchdog submitted the claim against them, and AR was not able to adequately defend themselves on the basis of their own self assessment. Now companies will be able to lean on the third party assessment of CMMC and eliminate the risk of potential FCA actions.
One last thing - IT Security costs are going to be an allowable charge on contracts moving forward, and will be an element of your best value proposals. Thus, new rates and bidding strategies will come into play within your pricing volumes.
How Do I Prepare for CMMC?
- If you haven't already done so, get an SSP and POA&M in place. This was and will continue to be the starting place.
- Configure your existing environment or build a new environment to NIST 800-171 compliance. Many contractors are moving to Office 365 GCC High or other cloud providers to ease this process.
- Begin building budgets for the enhanced support requirements and modifying rates to include the enhanced security requirements. Weigh the costs and consider outsourcing security, compliance, and information system management with a Managed Service Provider.
- Attend the CMMC industry days mentioned above. We will update this blog and post on our various social accounts once dates are set. Follow us on LinkedIn, Twitter, Facebook, Instagram, or Youtube for the latest news impacting contractors and Microsoft's Government Cloud offerings.
The ongoing Cloud Security and Compliance Series (CS2) will also cover what you need to know for CMMC preparation. The video below highlights Katie Arrington's presentation on the background for CMMC at CS2 Indianapolis in February 2020.
If you found this blog helpful, you might be interested in following us on LinkedIn to keep up with changes regarding CMMC and all things security and compliance.