By Traci Spencer, TechSolve, Inc.

The sky is not falling; Napoleon was not short, and the Cybersecurity Maturity Model Certification (CMMC) will not make it impossible to be a contractor for the Department of Defense (DoD).  There is misinformation on the Internet and around the water cooler regarding the CMMC that was just released on January 30, 2020.  However, the good news is manufacturers can rely on their local Manufacturing Extension Partnerships (found in all 50 states and Puerto Rico) to be familiar with all of the latest CMMC briefings and to be prepared to help their organization become more cyber secure and resilient.

The DoD is still developing the full framework for CMMC. This blog was created for defense contractors to provide insights on what we currently know about the CMMC, so manufacturers can prepare for a CMMC audit and maintain compliance to continue doing business with the DoD.

Why the DoD Created CMMC for Defense Contractors

CMMC was created to replace the “pinky swears” of the current cybersecurity frameworks with a “Trust, But Verify” certification approach.  DoD contractors will no longer be able to submit a Plan of Action & Milestones (POA&M) and “promise” they will reach cybersecurity compliance at some later date. Under CMMC, organizations will find their required CMMC level in RFP sections L and M and their audit results will be used as a “go / no go decision” at the time of the award and/or renewal.

Debunking the Myths of the DoD’s Cybersecurity Certification Process

CMMC Version 1.0 was released on January 30, 2020, and by June 2020, the industry should see CMMC requirements as part of Requests for Information (RFIs) and Requests for Proposals (RFPs).  This list outlines some of the most recent misrepresentations about CMMC Version 1.0.

  1. My organization does not handle Covered Defense Information (CDI), Controlled Unclassified Information (CUI), or Controlled Technical Information (CTI), so I do not need to be CMMC certified.

    • FALSE – Moving forward, all companies conducting business with the DoD must be CMMC certified. In order to win a contract or rebid on a contract, you will need to pass the CMMC audit. The CMMC certification level (Levels 1 – 5) will depend on the amount of CUI a company handles or processes.
  2. CMMC is only aimed at the largest suppliers.

    • FALSE – Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, has specifically stated that one of her biggest concerns is “…implementing CMMC for small and medium businesses … 6 to 8 levels down in the supply chain”. Supply chains are only as secure as their weakest link, and small to mid-size manufacturers are specifically being targeted to gain access to trillions of dollars of intellectual property.
  3. DFARS 252.204-7012, revised as recently as December 31, 2019, contains CMMC language.

    • FALSE – The current DoD DFARS 252.204-7012, focused on safeguarding of Covered Defense Information (CDI) and Cyber Incident Reporting, does not contain language regarding CMMC. Lord stated that they are looking at the late Spring/early Summer timeframe to complete a new Defense Federal Acquisition Regulation (DFAR).
    • TRUE – NIST SP 800-171 is mentioned in DFARS 252.204-7012 eleven times.
    • TRUE – NIST SP 800-171R1 is included in the CMMC briefing slide from 1/30/2020, specifically in the graphic “CMMC Practice Progression”, where CMMC Level 3 – Good Cyber Hygiene – is noted “Encompasses all practices from NIST SP 800-171R1”.
  4. POA&Ms will no longer be necessary since CMMC audit requirements will be in place with all new contracts by 2026.

    • FALSE – You will need to pass the CMMC audit when it occurs, so POA&M promises will not be honored in place of an audit. However, using a POA&M to track your organization’s goals and work toward the achievement of higher levels of CMMC certification is a useful endeavor and still part of NIST SP 800-171 controls.
  5. CMMC audits have already started.

    • FALSE – The independent third-party assessment organizations have not been chosen. It has been stated that some of the higher-level assessments could be performed by DoD assessors within the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
  6. CMMC flowdown of certification levels will have similar requirements.

    • IT DEPENDS – It has been speculated that the prime contractors and their subcontractors will have the same CMMC level certification requirements. This will depend on what CUI is shared amongst primes and subs. For instance, if a sub doesn’t receive or deal with CUI, their CMMC level will probably be Level 1. Those organizations that are traced to CUI will probably be required to be CMMC Level 3 certified or higher.

About the CMMC Levels

The CMMC is comprised of multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced.”

The CMMC integrates various existing cybersecurity framework standards such as NIST SP 800-171 (Rev 1 & Rev B), NIST SP 800-53, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity.

CMMC Levels

CMMC Level 1 – Basic Cyber Hygiene

17 Practices

The DoD contractor will need to implement 17 controls of NIST SP 800-171 rev1. Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”) [3].

CMMC Level 2 – Intermediate Cyber Hygiene

Adds 55 Practices

The DoD contractor will need to implement another 48 controls of NIST SP 800-171 rev1 plus 14 new “other” controls. Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 [4] as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices references the protection of CUI.

CMMC Level 3 – Good Cyber Hygiene

Adds 58 Practices

The DoD contractor will need to implement the final 45 controls of NIST SP 800-171 rev1 plus 15 new “other” controls. Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 [4] as well as additional practices from other standards and references to mitigate threats. It is noted that DFARS clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”) [5] specifies additional requirements beyond the NIST SP 800-171 security requirements, such as incident reporting.

CMMC Level 4 – Proactive

Adds 26 Practices

The DoD contractor will need to implement the 13 controls of NIST SP 800-171B plus 13 new “other” controls. Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.

CMMC Level 5 – Advanced / Proactive

Adds 15 Practices

The DoD contractor will need to implement the final 5 controls in NIST SP 800-171B plus 10 new “other” controls. Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

*This information is based on the CMMC Model Version 1.0 that was released January 30, 2020. As future revisions of the CMMC Model are released, the information is subject to change. TechSolve will update this document as official updates are released.

CMMC Timeline for Defense Contractors

The rollout of CMMC for defense contractors is swiftly underway. The current timeline that was released in the CMMC Model Version 1.0 indicates contractors wishing to bid on DoD contracts or renewing a contract will need to look closely at contract language to see what CMMC Level of certification they need. The first steps a contractor can take to prepare for certification are to determine their current standing with regard to NIST SP 800-171 controls and to understand what CMMC Level they want to achieve, without delay.

Important CMMC dates:

    • January 2020: DoD released the official CMMC Levels and requirements, and associated NIST controls.
    • February – May 2020: Initial round of assessors will be trained.
    • June – September 2020: CMMC requirements appear in DoD Requests for Information (RFIs) and Requests for Proposals (RFPs). Depending on the contract language, some suppliers will need to get certified as early as Summer 2020, but it may not affect everyone.
    • October 2020 and beyond: DoD contractors will need to get certified by an accredited assessor/CSPAO in order to bid on new work.

*This information is based on the CMMC Model Version 1.0 that was released January 30, 2020. As future revisions of the CMMC Model are released, the information is subject to change. TechSolve will update this document as official updates are released.

How to Budget for CMMC

The DoD recognizes the cost of implementing security controls presents a barrier for small to mid-size manufacturers who are critical contributors to the defense supply chain. Federal and state agencies are working towards offering financial assistance for some CMMC compliance and certification costs. Contact your state’s local Manufacturing Extension Partnership Program (MEP) like TechSolve to learn more.


Cybersecurity Requirements for Defense Manufacturers Webinar

During the webinar, our speakers provide a breakdown of the new interim rule and what it means for DoD contractors. The speakers will also review how manufacturers in the defense industrial base can prepare themselves for the new assessment, which becomes effective November 30, 2020.