CMMC
Why and How the DoD is Implementing the CMMC
The DoD has been working to improve cybersecurity over the last several years as nation-state sponsored theft of defense secrets makes the news on a regular basis. The biggest source of leaks of sensitive intellectual property is the hundreds of thousands of contractors that have access to sensitive but unclassified information called Controlled Unclassified Information, or CUI.
In 2013 the DoD added a security requirement to the Defense Federal Acquisition Regulation Supplement, DFARS 252.204-7012, and in 2015 NIST released the security requirements it points to, NIST SP 800-171. While both of these were a start toward improving security for the defense industrial base, they didn't solve the problem.
In early 2019 DoD upped the ante by announcing the Cybersecurity Maturity Model Certification (CMMC). This is the first time DoD has required contractors, sub-contractors and suppliers to be certified in order to participate in the DoD supply chain.
What is new with the CMMC regulation is that all 350,000 DoD supply chain members will be required to be certified by an independent third party, and that third party itself has to be accredited in order to certify DoD supply chain members. Additionally, DoD has determined that CMMC certification costs can be treated as "allowable costs" by contractors.
In addition, certifications will expire. At the lowest level, certifications will last three years. While it is still in flux, it is likely that higher level certifications will expire more frequently.
It is also possible, even likely, that the Pentagon will require classified network owners to be certified as well, although it has not said so publicly. Yet.
NOTE: We will update this web page as more information is released by the Department of Defense.
The CMMC will encompass multiple maturity levels that range from "Basic Cyber Hygiene" to "Advanced". The intent is to identify the required CMMC level in RFP sections L and M and use it as a "go / no go" decision.
In its final form, the CMMC intends to combine various cybersecurity control standards such as NIST SP 800-171 (Rev. 1 and the draft 800-171B), NIST SP 800-53, and AIA NAS9933 into one unified standard for cybersecurity. In addition to cybersecurity controls, the CMMC will also measure the maturity of a company's institutionalization of cybersecurity practices and processes.
The DoD has built upon the existing DFARS 252.204-7012 regulation and developed the CMMC as a "verification component" for its cybersecurity requirements. Until now the DoD has trusted contractors to self-attest that they have achieved compliance; with continued pressure to ensure 100% adoption of cybersecurity controls, the DoD is updating its policies to verify it.
NOTE: DoD Contractors will need to become CMMC Certified by passing an independent third party CMMC Audit to verify they have met the appropriate level of cybersecurity for their business. DoD supply chain members at all levels will have to be certified at one of the five maturity levels described below.
To verify that DoD contractors have met the appropriate level of cybersecurity controls, the DoD will rely on accredited independent third-party organizations to audit DoD contractor information systems and inform risk decisions. It is from this audit that a DoD contractor will or will not be awarded a certification. The details of how this certification process will work are still a work in progress. CyberCecurity, LLC is following the process closely as we intend to be an accredited certification provider.
DoD contractors will need to coordinate directly with an accredited, independent, commercial certification organization to request and schedule a CMMC assessment. Contractors will specify the certification level requested based on their specific business requirements, including what the contract specifies. Contractors will be awarded a certification at the appropriate CMMC level upon demonstrating the required capabilities and organizational maturity to the satisfaction of the assessor and certifier.
Third party certification organizations will be available in mid 2020. We will update this guide as soon as this list becomes available.
The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced.
Here is a chart of the CMMC levels and their respective requirements, including where those requirements came from:
In January 2020, the official CMMC levels and requirements were released to the public. The government will determine the appropriate level (i.e. not all contracts require the highest level of security) for each contract it administers.
For more information, a full list of frequently asked questions can be found HERE.
DoD contractors or suppliers who have the resources and IT staff available can meet the appropriate CMMC level of cybersecurity in-house. Internal IT departments can use the "Self-Assessment Handbook" (NIST Handbook 162) provided by the National Institute of Standards and Technology (NIST). This handbook was created by NIST to assist U.S. contractors who provide products and services to the Department of Defense. Unfortunately, this handbook only covers NIST SP 800-171 Rev. 1 (a good starting point for certifications up to CMMC Level 3), and there is currently no self-assessment handbook for the draft NIST SP 800-171B. However, the 800-171B draft can be found HERE. Note that a self-assessment alone will not get you certified; you must still pass an assessment by an accredited third party, and if that assessment is successful you will be awarded a certification at the appropriate level.
For many DoD contractors, the most effective way to meet the CMMC cybersecurity requirements is to outsource the task to a consulting partner that has the appropriate expertise and can work with you to become compliant. Remember that DoD contractors remain ultimately responsible for ensuring that their company meets the appropriate cybersecurity requirements, so it is essential to choose a provider that is reputable. Again, you will have to engage a separate accredited third party for the actual certification process.
CyberCecurity, LLC is one such cybersecurity consulting company.
The first step towards compliance is to determine how close the contractor is to full compliance. This process is called a gap analysis (often performed together with a risk assessment). A gap analysis is designed to discover the areas where the company is not yet compliant with the requirements.
The results of the gap analysis may reveal issues related to:
Without a gap analysis, it is impossible to know what changes an organization needs to make before it meets the required CMMC level. The gap analysis provides a roadmap to becoming compliant. Remember that the CMMC levels require compliance with different subsets of the NIST SP 800-171 requirements plus additional requirements drawn from documents such as NIST SP 800-53 Rev. 5, depending on the CMMC certification level required.
Certification is a point-in-time event. Even if it covers some historical period, as an AICPA SOC 2 Type II audit does, it does not mean that you will be compliant in the future.
DFARS 252.204-7012 also requires rapid reporting of a cyber incident, within 72 hours of discovery, to the DoD and, if you are a subcontractor, to your prime contractor. Part of being compliant is being able to detect and respond to these incidents within that window and to deliver the required incident data to the appropriate party.
For many companies, DoD contracts make up a substantial percentage of their revenue, and because CMMC certification will now be a prerequisite for bidding on many contracts (check with your contracting officer), it is extremely important that contractors become certified. If a contractor fails a CMMC audit, it may be unable to offer products and services to the DoD until it does become certified.
CyberCecurity, LLC is a full-service cybersecurity company that offers a wide range of cybersecurity and privacy services, including various certification services. More information about our certification services can be found at: https://www.cybercecurity.com/business-cybersecurity-certification-program/.
While no company has yet been authorized by the DoD to provide full CMMC certification services, CyberCecurity, LLC intends to be among the first authorized CMMC certifiers. In the interim, we are able to offer you the following services:
Accomplishing the above items will facilitate the rapid passing of a CMMC audit and allow your organization to bid on and be awarded new DoD contracts. It will also make your company more competitive for DoD contracts.
Have more questions?
Here is a link to the Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification FAQ page.
Please call us for more information or if you have questions:
Mitch Tanenbaum, CISO, CyberCecurity, LLC