The Cybersecurity Maturity Model Certification, or CMMC, is the next stage in the Department of Defense's (DoD) efforts to properly secure the Defense Industrial Base (DIB). In the simplest of terms, the DoD announced that it is creating a cybersecurity assessment model and certification program. This announcement signals to industry an end to the honeymoon period.
Unlike prior years, contracting authorities will not accept only a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) as compliance for DFARS 252.204-7012. Contractors will be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. These evaluations will lead to a level certification of 1 to 5, 5 being the most secure. The higher your company certifies, the more contracts you will be eligible to bid on.
According to the Office of the Under Secretary of Defense, the CMMC level requirement will flow down to all subcontractors. They also state all future RFPs will require a CMMC level regardless of handling Controlled Unclassified Information (CUI).
Katie Arrington (Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, Office of the Under Secretary of Acquisition and Sustainment) gave a presentation at the 2019 Federal Acquisition Conference on June 13, 2019. Her presentation was entitled: "Securing the Supply Chain".
The presentation started by tying the DoD's understanding of the DIB's current cyber security state to MITRE's report from late 2018, entitled "Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War". The Deliver Uncompromised report found the vast majority of government contractors were not meeting the requirements of DFARS 7012, and many more did not have the understanding or means to meet the regulations.
Fast forward to June, 2019 - not much has changed according to Arrington. The presentation explained the vast majority of contractors have not implemented NIST 800-171 within their information systems. Similar to the Deliver Uncompromised report, Arrington championed the need for a fourth element in the acquisition process: security. Moreover, she stated the DoD's intent to make security the foundation of the preexisting acquisition criteria (cost, performance, and schedule).
The Model for Assessments
Level 1 Example
Arrington's presentation leaned primarily on NIST 800-171; however, many frameworks are being considered and integrated for the new Cybersecurity Maturity Model (CMM). NIST 800-53, FedRAMP, CMMI, SANS, FIPS 140-2, RMF, ISO 9000, and others are influencing the new model. Other federal agencies, industries (the financial sector for example), and industry experts will be consulted for lessons learned.
Just as contractors have dedicated staff and resources to prepare for ISO, CMMI, and Defense Contract Management Agency (DCMA) audits - contractors within the Aerospace and Defense community will need to provide adequate IT and Information Security support to this critical business practice area. This can be accomplished by building an internal team or partnering with an external firm to manage the environment and security process for you.
Arrington's presentation suggested businesses will need to dedicate significant staffing resources (greater than or equal to four information security specialists) to cybersecurity compliance and continuous improvement. Unfortunately, the overwhelming majority of government contractors under 1,000 employees do not have the teams in place to support this need or capability.
The DoD plans to conduct "Industry Days" otherwise known as "Listening Sessions" otherwise known as "Pathfinder Sessions" throughout the July to August time frame across 12 cities. Below are some solidified dates and events.
|San Diego, CA||July 25-26|
|Washington D.C. (ITI)||July 29|
|Washington, D.C. (NIST)||August 8|
|Novi, Michigan (NDIA)||August 15|
|Colorado Springs, CO||
|Tampa, FL||November 13|
DoD will begin development of the certifier accreditation program by January 2020 and start the accreditation process by June 2020. Therefore, it is likely to see the first accreditations in the latter half of 2020 and contractor evaluations starting shortly after that.
How Will CMMC Impact My Business?
The first obvious impact will be on recompetes. Every contractor's existing work will be up for grabs depending upon which CMMC level is required by the contracting authority. It will be advantageous to begin asking about the intended CMMC requirement during the RFI and question submittal periods of the acquisition lifecycle.
This will fall in line with other elements of the capture strategy (i.e. which NAICS code or small business set-aside will the agency use in the acquisition strategy). Furthermore, there are advantages of winning new business if your company receives a higher CMMC level than your competition.
Teaming and subcontracting will also be impacted, but it is unclear on the specifics at this point. Will the CMMC level flow down like other requirements, or will the CMMC level primarily apply to the prime contractor? There will be likely be more strict vendor approval processes with larger firms if the level requirement flows down to subcontractors.
A great positive to the new certification will be the elimination of ambiguity. The industry has struggled largely to grasp compliance and understand how the DoD would enforce compliance.
Compounding this issue, Aerojet Rocketdyne (AR) was recently issued a Civil False Claims Act (FCA) action for misleading the US Government of their compliance with DFARS 7012 and NIST 800-171. A previous employee and cybersecurity watchdog submitted the claim against them, and AR was not able to adequately defend themselves on the basis of their own self assessment. Now companies will be able to lean on the third party assessment of CMMC and eliminate the risk of potential FCA actions.
One last thing - IT Security costs are going to be an allowable charge on contracts moving forward, and will be an element of your best value proposals. Thus, new rates and bidding strategies will come into play within your pricing volumes.
How Do I Prepare for CMMC?
- If you haven't already done so, get an SSP and POA&M in place. This was and will continue to be the starting place.
- Configure your existing environment or build a new environment to NIST 800-171 compliance. Many contractors are moving to Office 365 GCC High or other cloud providers to ease this process.
- Begin building budgets for the enhanced support requirements and modifying rates to include the enhanced security requirements. Weigh the costs and consider outsourcing security, compliance, and information system management with a Managed Service Provider.
- Attend the CMMC industry days mentioned above. We will update this blog and post on our various social accounts once dates are set. Follow us on LinkedIn, Twitter, Facebook, Instagram, or Youtube for the latest news impacting contractors and Microsoft's Government Cloud offerings.
The ongoing Cloud Security and Compliance Series (CS2) will also cover some of what you need to know for CMMC preparation.