The wait is over: Cybersecurity Maturity Model Certification (CMMC) Model v1.0 released
On Jan. 31, the Department of Defense (DOD) released the much-awaited Cybersecurity Maturity Model Certification (CMMC) Model v1.0, its new “unified cybersecurity standard for future DOD acquisitions.”
Under the CMMC Model, all DOD contractors and subcontractors are required to be audited and receive independent certification on their level of cybersecurity maturity. Currently there is no guidance on which defense contractors need to be certified at what level; that will be stipulated in Requests for Information (RFIs) and Requests for Proposals (RFPs). The DOD is expecting a handful of RFIs and RFPs to be issued later in 2020 to have CMMC requirements, and defense contractors interested in pursuing those RFIs/RFPs will need to be audited and certified before the contract award. The DOD expects that all RFPs will contain CMMC requirements by 2025, at which point all DOD contractors and subcontractors will need to demonstrate compliance in order to bid on any DOD work.
To be certified, contractors and subcontractors will need to get audited by a Certified Third-Party Assessment Organization (C3PAO). C3PAOs must be accredited by the CMMC Accreditation Body, a privately run non-profit organization. Accreditation of C3PAOs and the associated training are expected to start in spring 2020. Defense contractors will be able to identify accredited C3PAOs through a marketplace portal that will be maintained by the CMMC Accreditation Body. The C3PAOs’ audits will be based on CMMC Model v1.0.
Version 1.0 includes 17 capability domains with 43 capabilities; five processes across five levels to measure process maturity; and 171 practices across five levels to measure technical capabilities. Contractors and subcontractors will be assessed, across the five levels of maturity, on their implementation of required cybersecurity controls, processes, and practices. In particular, the initiative aims to protect sensitive Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) while reducing risks of Advanced Persistent Threats (APTs). The diagram below shows the 17 capability domains and the five levels of maturity for practices and processes:
The maturity levels are progressive and cumulative. To be certified at Level 1, a defense contractor must demonstrate compliance with 17 specific security practices; Level 2 requires compliance with 72 practices, including Level 1 practices; Level 3 maturity requires compliance with 130 security practices, including Level 1 and Level 2 controls; organizations seeking Level 4 maturity should comply with 156 security practices, including controls from Levels 1,2, and 3; and Level 5 maturity requires compliance with all 171 practices outlined in the CMMC v1.0 model.
In summary, all defense contractors should review CMMC Model v1.0 and start assessing their environment and determining the gaps between their existing security processes, practices, and controls and what is expected for a certain maturity level.
InsightAvoiding common incurred cost proposal (ICP) submission inadequaciesGovernment contractors operating on a December 31, 2020 fiscal year end (FYE) need to complete and submit FY 2020 ICPs in accordance with the six month post-FYE deadline in FAR Clause 52.216-7, Allowable Cost and Payment.
InsightBusiness of Construction – March 2021CohnReznick will be featuring several topics important to the construction industry in a series of listen-in-style conversations, webinars, best-practice insights, and other helpful tools.
InsightEmerging risk area for government contractors: Labor category job qualifications in time and materials contractsJeffrey WittGovCons may face false claims assertions if an audit finds inadequate support for labor category qualifications in T&M billings. Learn more.
InsightContribute to the 2021 GAUGE surveyCohnReznick and Unanet invite you to take part in our fifth annual benchmarking survey for government contractors and other organizations that do business with the federal government.