In response to significant breaches and compromises of sensitive defense information located on contractors’ information systems, the Department of Defense (DoD) will soon begin a phased rollout of the Cybersecurity Maturity Model Certification (CMMC), a unified standard designed to implement cybersecurity across the defense industrial base and certify that contractors have the necessary controls to protect sensitive data.
As any organization in the defense supply chain knows, securing sensitive data, such as Controlled Unclassified Information (CUI), is critical to winning contracts. That will not change. But organizations that work with the DoD will soon need to meet CMMC requirements to bid on contracts.
Security is still the contractor’s responsibility, but a third party is now involved.
Before the DoD’s January 2020 release of the highly anticipated CMMC version 1.0, contractors were responsible for implementing, monitoring, and certifying the security of their information systems and any sensitive DoD data stored on or shared by those systems. Essentially, they could self-attest that they met DoD security requirements.
Under CMMC requirements, contractors remain responsible for implementing specific security requirements, but a Certified Third-Party Assessor Organization (C3PAO) will now be responsible for assessing contractors’ compliance with CMMC requirements. The CMMC Accreditation Body (CMMC-AB) will work directly with the DoD to certify assessors.
All DoD contractors within the defense supply chain—from lawn care services to satellite manufacturers—will eventually be required to meet CMMC requirements, at varying levels of security.
Not all contractors need to achieve the same level of security.
The CMMC model establishes five certification levels to measure a defense contractor’s cybersecurity maturity and reliability. As you can see in the diagram below, the levels build upon the technical requirements of each other. Across these five levels are five processes to measure process maturity and 171 practices to measure technical capabilities.
Level 1: Only addresses practices from FAR Clause 52.204-21. An organization must perform “basic cyber hygiene”—such as requiring employees to change passwords frequently and using antivirus software.
Level 2: A transition step to begin protecting CUI, designed to help small businesses. An organization must document “intermediate cyber hygiene” practices to begin protecting CUI through the implementation of some NIST 800-171 security requirements.
Level 3: A big jump from the lower levels, this includes all of the practices from NIST 800-171 as well as 20 others. An organization must have a managed plan, including ongoing compliance at all times, to implement “good cyber hygiene” practices to safeguard CUI, including access controls and FIPS-validated cryptography.
Level 4: Reserved for critical technology companies handling the most sensitive types of data, this is the first step towards taking a proactive approach to detecting and responding to advanced persistent threats (APTs). An organization must have implemented processes for reviewing and measuring the effectiveness of practices as well as established additional practices to address APTs.
Level 5: Again reserved for highly sensitive contracts, an organization must have standardized and optimized processes in place across the organization and additional enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.
Contractors can expect to see CMMC requirements starting sometime in 2020.
DoD Requests for Proposals (RFPs) are not likely to include CMMC requirements until at least late fall 2020, and with the phased rollout, it will take until 2026 for all RFPs to designate the required CMMC security level. It is important to note that the level of security required between prime contractors and subs will likely vary based on who actually needs access to sensitive data and CUI. Primes are expected to help subs meet CMMC requirements by continuing to help develop new or review existing compliance programs.
Unlike some other compliance programs (ITAR, for example), there won’t be fines for non-compliance; you simply won’t get the contract without the required level of certification by the time of award.
CMMC preparation should start now.
An estimated 300,000 organizations make up the defense industrial base, and at some point between now and 2026 (based on a 5-year average length for DoD contracts), all 300,000 will need to achieve certification in order to continue to be awarded contracts. Now is the time for all DoD contractors to learn the CMMC’s technical requirements and prepare for certification. However, it is important to note that an organization should not view its security and/or compliance programs as “complete” once it achieves the required certification level.
The DoD has emphasized that the CMMC is a starting point for cybersecurity and, as you know, threats are constantly evolving. Therefore, to remain competitive in the market, defense contractors should not only focus on meeting CMMC requirements but also instill a culture of cyber agility to continue moving forward.
To learn more about CMMC requirements—specifically Level 3 and above—please get in touch with me at firstname.lastname@example.org.