The Department of Defense (DOD) has become increasingly concerned about contractors’ ability to safeguard data within their supply chains. With good reason: Attacks on global supply chains soared 78% in 2018. Many of these cyberattacks resulted from inadequate security controls and practices among third-party vendors.
That’s why the DOD has implemented a new cybersecurity standard and maturity certification program designed to secure its acquisition ecosystem. The Cybersecurity Maturity Model Certification (CMMC) will verify that contractors and subcontractors have adequate cybersecurity safeguards to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). To do so, the CMMC will assess Defense contractors’ cybersecurity controls across 17 security domains, as well as rank the maturity of their security processes.
Any company that does business with the DOD – from contractors that design combat jets to those that launder flight-crew uniforms – will be required to comply with the standard. In all, the certification will affect an estimated 300,000 contractors and subcontractors, many of which are smalland medium-size businesses.
The CMMC is based on various cybersecurity standards and practices gleaned from multiple sources, including the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, the NIST Cybersecurity Framework (CSF), and ISO 27001. The certification also includes provisions of the UK National Cyber Security Centre (NCSC) Cyber Essentials and the Australian Cyber Security Centre’s Essential Eight Maturity Model.
The CMMC aggregates practices and processes from these standards and organizes them into 17 domains. Within each domain are specific capabilities, which are segmented into a set of practices.
Click to download the graphic below of the 17 CMMC cybersecurity capability domains and the common industry standards they are aligned with.
Implementation of these components is mapped across five levels to create a five-tier maturity ranking, which ranges from Level 1 (basic cyber hygiene) to Level 5 (highly advanced programs) for technical practices and Level 1 (performed) to Level 5 (optimized) for processes. Adherence to CMMC processes and practices is cumulative: Any practice/process stipulated in one level will be required in higher levels. In other words, to attain Level 4, all requirements of Levels 1, 2, and 3 must first be achieved.
ANTICIPATED CMMC ROLLOUT MILESTONEs
- January 2020: Completion of CMMC Model v1.0
- June – July 2020: Training of certified third-party assessment organizations (C3PAOs) for CMMC
- Late 2020: CMMC to start appearing in RFIs and RFPs
The timeframe for compliance
As of early June 2020, the DOD had not yet fully established all stakeholders, procedures, and documentation for the CMMC compliance process, despite a relatively condensed timeframe.
Initial guidelines for accreditation, training, and audit processes was published in spring 2020. The certified third-party assessment organizations (C3PAOs) that will conduct compliance audits of contractors have not yet been named.
The DOD is currently drafting a memorandum of understanding with the newly established CMMC Accreditation Body, a nonprofit organization that will train and certify C3PAOs on CMMC requirements and auditing processes. The DOD is also developing a tool that C3PAOs will use to conduct certification audits, collect metrics, and mitigate supply-chain risks.
The DOD plans to introduce CMMC requirements in solicitations on a gradual basis in late 2020, starting with 10 select requests for proposals (RFPs) and 10 requests for information (RFIs). Compliance audits are most likely to start in early 2021, after the C3PAOs are identified and accredited.
The five levels of maturity
For a contractor to be certified at a certain level, both their practices and processes must achieve that maturity level, across all areas of the model. As noted, cybersecurity controls and processes will be ranked on a scale of 1 to 5. In general, Levels 1 to 3 map to NIST 800-171 Rev. 1, while Levels 4 and 5 incorporate a subset of practices from NIST SP 800-171B andother frameworks.
Number of controls
72 (includes Level 1 controls)
130 (includes Level 2 controls)
156 (includes Level 3 controls)
171 (includes Level 4 controls)
Level 1: Basic cyber hygiene.
The lowest CMMC level comprises safeguards specified in 48 CFR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” Level 1 practices establish a foundation for higher rankings and must be completed by all certified organizations. Process maturity is not addressed at Level 1.
Level 2: Intermediate cyber hygiene.
Level 2 focuses on intermediate cyber hygiene practices, with a heavy emphasis on NIST 800-171 controls. This level also establishes process maturity requirements to establish and document standard operating procedures, policies, and strategic implementation of cybersecurity capabilities. Level 2 is viewed as a bridge for organizations to move from Level 1 to Level 3 maturity, and may not be widely used or listed in RFIs or RFPs.
Level 3: Good cyber hygiene.
Level 3 encompasses all security requirements specified in NIST 800-171 Rev. 1 as well as additional practices from other standards. At this level, contractors must demonstrate good cyber hygiene and effective implementation of NIST SP 800-171 Rev. 1 security controls. For process maturity, contractors will be required to prove the ability to resource activities and review adherence to policy and procedures. If an organization is in compliance with the DFARS 204.252.7012 clause, for example, and is exposed to CUI as part of current contracts, it would need to have a minimum of Level 3 maturity.
Level 4: Proactive.
A Level 4 ranking indicates that contractors have implemented a substantial and proactive cybersecurity program. At this ranking, companies will have proved that they can adapt their protection and sustainment activities to address the changing tactics, techniques, and procedures used in advanced persistent threat (APT) attacks. For process maturity, a CMMC Level 4 organization is expected to review and document activities for effectiveness and inform company executives of any potential issues.
Level 5: Advanced/progressive.
At Level 5, a business will have proved that it has an advanced cybersecurity program that can help repel APTs. For process maturity, a CMMC Level 5 organization must demonstrate that it has implemented standardized processes across the organization.
CMMC COMPLIANCE CONSIDERATIONS
Compliance with CMMC will be challenging for some contractors, particularly smaller and midsize firms that have not implemented the controls detailed in NIST SP 800-171. It’s likely that these contractors lack a formal cybersecurity program with the right technologies and processes needed to safeguard supply-chain systems and data. At a minimum, contractors should take steps to:
- Implement and establish processes and technologies that allow management of user identities and access to systems and data.
- Establish a data-governance program that provides policies to securely collect, store, use, or retain sensitive data.
- Ensure that physical security mechanisms are in place to limit access to information systems and respective operating environments to authorized individuals.
- Implement adequate network security controls to segregate publicly accessible systems from internal networks.
- Ensure that data transmitted or received by internal and external systems are monitored, controlled, and protected.
- Implement endpoint protection to identify and manage information-system flaws and malicious content.
- Implement formal procedures for responding to and managing security-related incidents.
- Establish a business continuity and disaster recovery plan to help ensure that systems and data containing federal contract information are resilient.
- Establish a security awareness and training program to educate users on common cybersecurity threats, data management practices, and cybersecurity hygiene.
- Ensure that operating controls can effectively manage changes to information systems, validate backups, and provide availability to critical systems.
A PRIORITY FOR FUTURE BUSINESS
CMMC accreditation isn’t discretionary for contractors; it will be mandatory for any company pursuing DOD contracts with the expectation of award. Businesses that have not implemented the required controls and practices should immediately launch a coordinated effort to achieve accreditation for specific maturity levels.
The first step will be to conduct a risk-based assessment that maps the gaps between existing security processes, practices, and controls and requirements for a specific CMMC maturity level. This gap analysis should start with an assessment of current capabilities against applicable controls established by CMMC Version 1.0 for a specific maturity level. Although some will need to be certified at a higher level, most organizations that are exposed to CUI will be required to demonstrate Level 3 maturity, making this level a reasonable maturity goal and benchmark.
Contractors that have deployed most or all of these practices will have a significant head start in meeting their minimum level of CMMC accreditation. Those that have not implemented the controls, however, will need to mount an accelerated effort to do so – or risk loss of future DOD contracts.
InsightWeathering the financial storm: 6 steps state and local governments should take now to prepare for hurricane seasonFrank Banda, Amanda CampenReviewing policies and contracts, maintaining key relationships, and other low-cost steps can help set communities up for faster response and recovery. Read more.
InsightAvoiding common incurred cost proposal (ICP) submission inadequaciesGovernment contractors operating on a December 31, 2020 fiscal year end (FYE) need to complete and submit FY 2020 ICPs in accordance with the six month post-FYE deadline in FAR Clause 52.216-7, Allowable Cost and Payment.
InsightBusiness of Construction – March 2021CohnReznick will be featuring several topics important to the construction industry in a series of listen-in-style conversations, webinars, best-practice insights, and other helpful tools.
InsightEmerging risk area for government contractors: Labor category job qualifications in time and materials contractsJeffrey WittGovCons may face false claims assertions if an audit finds inadequate support for labor category qualifications in T&M billings. Learn more.