What is the Cybersecurity Maturity Model Certification (CMMC)?
Level 1: 17 NIST 800-171 Requirements
Level 2: 72 Practices (65 NIST 800-171 Requirements PLUS 7 Other Practices)
Level 3: 130 Practices (110 NIST 800-171 Requirements PLUS 20 Other Practices)
Level 4: 156 Practices (110 NIST 800-171 Requirements PLUS 46 Additional Practices)
Level 5: 171 Practices (110 NIST 800-171 Requirements PLUS 61 Additional Practices)
Introduction to CMMC
Update: The Office of the Under Secretary of Defense (OUSD) A&S and the CMMC-Accreditation Body solidified their partnership, November 25, 2020, in signing a No-Cost contract to support this very important mission for our cybersecurity, information security, and thus national security.
The Cybersecurity Maturity Model Certification, or CMMC, is the next stage in the Department of Defense's (DoD) efforts to properly secure the Defense Industrial Base (DIB). In the simplest of terms, the DoD announced in mid 2019 that it would be creating a cybersecurity assessment model and certification program. Since that time, several draft versions of CMMC were publicly released: 0.4. 0.6, 0.7 , and most recently, CMMC 1.0.
In prior years, contracting authorities and prime contractors would request a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) in response to DFARS 252.204-7012. This request from contracting authorities was often post award, and several companies received severe penalties through False Claims Act (FCA) settlements for misrepresenting their cybersecurity efforts.
CMMC contrasts DFARS 7012 by forcing the requirement before award, or 'award-time'. Contractors will be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. These evaluations will lead to a level certification of 1 to 5, 5 being the most secure. The higher your company certifies, the more contracts you will be eligible to bid on.
FAQ: How far down the supply chain are the 3rd party audits required? Is this only for prime contractors or does it filter to lower level suppliers such as subcontracted machine shop work?
According to the Office of the Under Secretary of Defense (OUSD), the CMMC level requirement will flow down to all subcontractors regardless of size or function. It is likely that CMMC requirements will be broken apart by tier - i.e for RFP A1B2C3D44 Prime Contractors are required to be CMMC Level 4 upon proposal and all listed Subcontractors must meet CMMC Level 2. Future RFPs will require a CMMC level if your organization is handling sensitive data, defined by the U.S. DoD.
Katie Arrington (CISO A&S at the U.S. DoD) gave a presentation at the 2019 Federal Acquisition Conference on June 13, 2019. Her presentation was entitled: "Securing the Supply Chain".
The presentation started by tying the DoD's understanding of the DIB's current cyber security state to MITRE's report from late 2018, entitled "Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War". The Deliver Uncompromised report found the vast majority of government contractors were not meeting the requirements of DFARS 7012, and many more did not have the understanding or means to meet the regulations.
Fast forward to June, 2019 - not much had changed according to Arrington. The presentation explained the vast majority of contractors have not implemented NIST 800-171 within their information systems. Similar to the Deliver Uncompromised report, Arrington championed the need for a fourth element in the acquisition process: security. Moreover, she stated the DoD's intent to make security the foundation of the preexisting acquisition criteria (cost, performance, and schedule).
The Model for Assessments
CMMC primarily leans on NIST 800-171; however, many frameworks have been considered and integrated. NIST 800-53, FedRAMP, CMMI, SANS, FIPS 140-2, RMF, ISO 9000, and others have influenced the new model. Other federal agencies, industries (the financial sector for example), and industry experts will be consulted for lessons learned.
Just as contractors have dedicated staff and resources to prepare for ISO, CMMI, and Defense Contract Management Agency (DCMA) audits - contractors within the Aerospace and Defense community will need to provide adequate IT and Information Security support to this critical business practice area. This can be accomplished by building an internal team or partnering with an external firm to manage the environment and security process for you.
For an updated look into CMMC Certifications in the Defense Industrial Base, check out this video for a Cloud Security and Compliance (CS2) event where the former Director of CMMC, Stacy Bostjanick, speaks on status updates of CMMC adoption in the supply chain.
CMMC For Higher Education
Despite some early debate from the DoD and the supply chain, university-based research labs, Federally Funded Research and Development Centers (FFRDC), and University Affiliated Research Centers will be required to meet CMMC compliance.
However, the entire university will not need to meet the specified level of CMMC; only those conducting research on behalf of the Department of Defense. The level of compliance will depend on the type(s) of data (FCI, CUI, CTI, ITAR) that the institution is handling, storing, and/or processing.
Access a FAQ guide for CMMC in Higher Education here.
Who is Excluded From CMMC?
As of right now, CMMC will not apply to Department of Defense suppliers that only provide commercial-off-the-shelf products, a change to the DOD’s website shows. In light of the 2021 SolarWinds attack, this could possibly change for COTS suppliers.
CMMC Accreditation Body (CMMC-AB)
The CMMC-AB oversees the training, quality, and administration of the third party assessment organizations. The Board currently consists of 11 individuals from industry, the cybersecurity community, and academia. The CMMC-AB appointed its first CEO in March of 2021.
Chief Executive Officer: Matthew Travis
- Chairman, Karlton D. Johson
- Vice-Chairman, Jeff Dalton
- Secretary, Sheryl Hanchar
- Treasurer, Yong-Gon Chon
The list of the rest of the current board members can be found here.
CMMC-AB Individual Credentials
Registered Practicioner (RP)
A Registred Practioner delivers a non-certified advisory service informed by basic training on the CMMC standard. By contrast, a Certified CMMC Profession (CCP) or Certified CMMC ASsessor (CCA) delivers advice that is based on their rigorous training on what is and is not acceptable during an actual CMMC-AB Certified Assessment.
This program is specifically designed for those who have the ability and desire to serve the DIB as an advisor, or as a Managed Services Provider (MSP).
*Summit 7 is a current MSP.
Certified CMMC-AB - Professional (CCP)
This certification is identified as a pre-requisite for becoming a Certified Assessor (CA) or instructor. This first professional step towards formal assessing will likely allow the individual to participate in a CMMC assessment team led by a CMMC-AB Certified Assessor (CCA).
Certified CMMC-AB - Assessor (CCA)
These individuals are authorized to conduct CMMC assessments for Levels 1 through 5 and also have the ability to award maturity levels that are CMMC Quality Auditor (QA) approved, See below for details on QA.
Certified CMMC-AB - Instructor (CI)
Those who are authorized to serve as an instructor and deliver CMMC model training and CMMC Assessor training at/for a Licensed Training Provider (LPP).
Certified CMMC-AB - Master Instructor (CMI)
A member of the CMMC AB team who is authorized to train the instructors that work for Licensed Training Providers (LPP) teaching the CCP and CCA classes.
Certified CMMC-AB - Quality Auditor (QA)
A CMMC Accreditation Board team member who has been authorized to review and approve the assessments submitted by individuals who are CMMC-AB Certified Assessors (CCA), using a baseline and criteria. This individual serves as a backstop and additional set of eyes to ensure assessments are completed in an unbiased and consistent manner.
CMMC-AB Organization Accreditations
Certified 3rd Party Assessment Organizations (C3PAO)
A Certified Third Party Assessment Organization, or C3PAO, is an organization authorized by the CMMC Accreditation Body (CMMC-AB) to conduct, and deliver CMMC assessments after entering into contract with Organizations Seeking Compliance (OSC). The CMMC-AB has defined two key roles for organizations that both advise and assess contractors as they work to align to the unique requirements of the CMMC.
Registered Provider Organization (RPO)
RPOs provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC) and/or assist during assessments in the event a finding is uncovered. They differ from C3PAOs in that they are not authorized to conduct assessments. The RPO role exists exclusively to provide CMMC guidance and support to OSCs in the DIB. Unless they are also certified as an RPO, the C3PAO cannot offer these services and cannot extend both services (assessment and advisement) to the same company. You can read more about RPOs here.
Licensed Training Provider (LTP)
The LTP is designed for providers of training and education services such as universities, colleges, online schools, training departments, or any direct-to-consumer learning providers. These are academic and commercial organizations licensed by the CMMC-AB to use materials produced by Licensed Partner Publishers (LPP) to equip auditing professionals for individual credentials: CP, CA, and CI.
Licensed Partner Publishers (LPP)
The LPP program is designed for the publishers of educational courses and content who intend to sell the content to organizations. LPPs consist of commercial or academic organizations that are licensed by the CMMC-AB to develop and author training curriculum materials based on the Accreditation Board's learning objectives. These materials will be tested and subsequently used by a Licensed Training Providers (LTP).
How Will CMMC Impact My Business?
The first obvious impact will be on recompetes. Every contractor's existing work will be up for grabs depending upon which CMMC level is required by the contracting authority. It will be advantageous to begin asking about the intended CMMC requirement during the RFI and question submittal periods of the acquisition lifecycle.
This will fall in line with other elements of the capture strategy (i.e. which NAICS code or small business set-aside will the agency use in the acquisition strategy). Furthermore, there are advantages of winning new business if your company receives a higher CMMC level than your competition.
A great positive to the new certification will be the elimination of ambiguity. The industry has struggled largely to grasp compliance and understand how the DoD would enforce compliance.
Compounding this issue, Aerojet Rocketdyne (AR) was recently issued a Civil False Claims Act (FCA) action for misleading the US Government of their compliance with DFARS 7012 and NIST 800-171. A previous employee and cybersecurity watchdog submitted the claim against them, and AR was not able to adequately defend themselves on the basis of their own self assessment. Now companies will be able to lean on the third party assessment of CMMC and eliminate the risk of potential FCA actions.
One last thing - IT Security costs are going to be an allowable charge on contracts moving forward, and will be an element of your best value proposals. Thus, new rates and bidding strategies will come into play within your pricing volumes.
How Do I Prepare for CMMC?
- If you haven't already done so, get an SSP and POA&M in place. This was and will continue to be the starting place.
- Configure your existing environment or build a new environment to NIST 800-171 compliance. Many contractors are moving to Microsoft 365 GCC High, Microsoft 365 GCC, or other cloud providers to ease this process.
Note: If you are handling, process, or storing Controlled Unclassified Information (CUI), then you'll need to meet DFARS 7012 / CMMC Level 3.
- Begin building budgets for the enhanced support requirements and modifying rates to include the enhanced security requirements. Weigh the costs and consider outsourcing security, compliance, and information system management with a Managed Service Provider.
- Attend the CS2 CMMC industry days. Follow us on LinkedIn, Twitter, Facebook, Instagram, or Youtube for the latest news impacting contractors and Microsoft's Government Cloud offerings.
The ongoing Cloud Security and Compliance Series (CS2) will also cover what you need to know for CMMC preparation. The video below highlights Katie Arrington's presentation on the background for CMMC at CS2 Indianapolis in February 2020.