The Department of Defense is implementing the Cybersecurity Maturity Model Certification (CMMC) to standardize cybersecurity practices across the federal government’s defense industrial base. These efforts are part of an ongoing initiative to protect national security in today's digital world and improve readiness for cyberthreats.
According to the DoD, CMMC compliance will affect more than 300,000 organizations that engage with the Department of Defense, including contractors and subcontractors working with primes to execute and/or fulfill DoD contracts. However, many companies are still unsure who needs CMMC certification or what CMMC level they may be required to achieve.
In this article, we discuss who needs Cybersecurity Maturity Model Certification and provide an overview of the five levels and steps you can take now to prepare for the upcoming CMMC audits.
If you’d like more information about CMMC compliance or want to learn why so many small to medium size defense contractors choose cuick trac™ as their DFARS 252.204-7012 & NIST SP 800-171 compliance solution, call 763-546-8354, contact us online, or request a cuick trac™ demo today. The security experts at Beryllium InfoSec Collaborative are standing by.
The CMMC framework is a single standard for verifying the implementation of cybersecurity requirements across the DIB. It’s the DoD's response to a significant number of data breaches involving sensitive DoD information stored on contractors’ systems. The primary goal of CMMC on a tactical level is to improve the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that’s stored, processed and transmitted by federal contractors.
According to the most recent Bloomberg Government data, in fiscal 2020 the U.S. Department of Defense (DoD) awarded $445.5 billion in DoD contracts, with 54 percent of this budget allocated to small businesses. With over 300,000 companies in the U.S. defense industrial base (DIB), many of which handle sensitive data for the DoD, securing the nation’s supply chain is a growing risk. The DoD’s reliance on such a large network of contractors significantly increases the DIB’s risk profile, especially for small businesses that lack the resources of major defense contractors.
The risk of information theft is also a growing concern for the DoD, as it currently drains the global gross domestic product (GDP) of about $600 billion each year. As a result of these risks to data security, the DoD has released the Cybersecurity Maturity Model Certification (CMMC) to promote the adoption of best practices in cybersecurity across its entire contractor base.
The DoD released the first version of the CMMC on January 31, 2020, with much anticipation by the defense community. Organizations such as the Federal Funded Research and Development Centers (FFRDC), University Affiliated Research Centers (UARC) and various industry groups also provided significant input to the CMMC. The DoD began issuing a few requests for information (RFIs) with CMMC specifications in September 2020, and expects all DoD requests for proposals (RFPs) to include CMMC requirements by 2026.
Prior to CMMC, contractors were responsible for ensuring their cybersecurity measures met the standards required to protect the DOD data stored, processed and transmitted by their information systems. Contractors are still responsible for implementing these measures, but CMMC now requires Third-Party Assessment Organizations (C3PAOs) to verify them. This assessment process includes mandatory capabilities, practices and procedures that can adequately protect DOD information from both existing threats and threats from future adversaries.
CMMC consists of five maturity levels, providing a comprehensive, scalable framework to describe the maturity and reliability of the IT infrastructure for government contractors. These levels are hierarchical such that the requirements of each level include the requirements of the level below it. The process of obtaining a specific CMMC maturity level generally consists of an organization demonstrating that it meets the requirements of that level. The level that a contractor needs to work on a DoD contract depends on the sensitivity of the information that the contractor will handle.
CMMC maturity levels demonstrate a set of best processes and practices in cybersecurity that illustrate an organization's commitment to data security. Level 1 is the lowest level of maturity, and each level after that adds progressively more demanding processes and practices. (Learn more: Ultimate Guide to CMMC Levels)
Level 1 is classified as Basic Cyber Hygiene and is the minimum CMMC certification level. It focuses on the protection of FCI, which is government information not intended for public release. The government may provide FCI to contractors, but contractors can also generate it on the government’s behalf while working under contract. FCI doesn’t include any information that the government has provided to the public. The primary requirement of this level is that the organization must use antivirus software and sanitize storage media containing FCI before disposal.
Level 1 requires the organization to follow specific practices that meet the basic requirements for safeguarding data specified in 48 CFR 52.204-21. However, it may do so in an ad hoc manner that doesn't require it to rely on documentation. As a result, C3PAOs don't assess process maturity for level 1.
Level 2 is classified as Intermediate Cyber Hygiene, which requires the organizations to establish and document best practices and policies in cybersecurity. They must also demonstrate that their approach encompasses all activities needed to protect CUI.
The organization's documentation of processes must allow them to be performed repeatedly. They must also perform those processes as documented. Level 2 practices serve as a progression between Level 1 and Level 3, so they consist of a subset of the requirements specified in NIST SP 800-171. The practices for this level also include those from other standards and references. In addition, a subset of Level 2 practices reference the protection of CUI.
CMMC Level 3 qualifies as Good Cyber Hygiene, which indicates the organization is capable of protecting CUI and effectively implementing the security requirements of NIST SP 800-171. This level requires the organization to develop and maintain a management plan for implementing activities to protect CUI. The organization must also review its policies and procedures on a periodic basis to ensure it's adequately maintaining these activities.
This documentation may include goals, missions, resourcing, training and other processes that demonstrate the involvement of the organization's stakeholders. In addition to the 110 cybersecurity practices specified in NIST 800-171, Level 3 requires organizations to comply with another 20 practices specific to CMMC. DFARS clause 252.204-7012 also applies, which specifies additional requirements like incident reporting that go beyond NIST 800-171 policies.
Level 4 is classified as Proactive, so it requires the organization to establish practices for detecting and responding to evolving tactics, techniques and procedures (TTPs) from advanced persistent threats (APTs). These practices allow the organization to protect CUI from long-term attacks intended to access sensitive information.
Level 4 requires the organization to review and assess the effectiveness of its processes, taking action to correct identified deficiencies. This level also requires the organization to keep its upper management informed of security issues on a recurring basis. New practices for this level include a subset of the requirements specified in the draft of NIST SP 800-172 in addition to other best practices in cybersecurity.
Level 5 is classified as Advanced or Progressive and is the highest CMMC maturity level. This level uses improved capabilities and techniques to protect CUI from APTs, especially with respect to the detection and response to threats. Contractors must implement optimized standard processes throughout the organization to qualify for this level.
Any organization that performs work for the DoD will eventually be required to have CMMC in most cases, including prime and subcontractors. This requirement also applies to all suppliers in all tiers of the Defense Industrial Base (DIB), whether they're enterprise-level contractors, small businesses or foreign suppliers. However, the specific application of CMMC can vary, depending on whether the contracting organization is a prime contractor, subcontractor or supplier.
One exemption to the CMMC requirements is organizations that only develop Commercial-Off-The-Shelf (COTS) products aren’t currently required to obtain CMMC certification, but this is a narrow case. It’s best to verify this exemption with your contracting officer as this information can change over the upcoming months.
The CMMC Accreditation Body (CMMC-AB) will develop procedures for certifying independent CP3AOs in coordination with the DoD. These assessors will evaluate the CMMC level of affected organizations. All DoD contracts will require some CMMC maturity level by 2026, according to the DoD's current schedule. The DoD currently plans to issue contracts at all maturity levels, so some will only require Level 1 while others will need Level 5.
The specific CMMC level depends on the contractor's access to CUI and FCI. For example, a contractor that doesn't need to handle CUI but does need access to FCI will need at least CMMC Level 1. Furthermore, the contractor in this example would also need to meet the requirements specified in FAR Clause 52.204-21.
Prime contractors have a direct contract with DoD entities and are usually larger organizations. They typically require a higher CMMC level than subcontractors because primes have access to all the information involved in that contract.
Smaller businesses often subcontract to prime contractors to provide specific services as part of a larger project. These products are still part of the contract, so they need to comply with CMMC at the maturity level appropriate for the data they handle. However, other parts of the project may require higher CMMC levels.
Prime contractors may rely on other organizations to supply certain products in support of their contract with the DoD, but these suppliers are still part of the DIB. As a result, these sub-tier suppliers still need to comply with the requirements for the CMMC maturity level appropriate for those products. This maturity level is independent of the one that the prime contractor must achieve.
The DoD estimates that the DIB currently includes over 300,000 contractors, all of which will eventually require CMMC to continue competing for DoD contracts. With such a large number of suppliers needing a 3rd party audit, by authorized C3PAOs, could lead to longer timeline for CMMC to be fully implemented across the DIB. Nevertheless, it's vital for DoD contractors to complete their compliance obligations today (DFARS 252.204-7012 & NIST SP 800-171), while also preparing for a successful CMMC audit. (Learn more: Guide to CMMC Audits)
In general, this process will consist of an organization documenting its current practices and implementing additional practices if needed. Documentation of practices that already comply with CMMC is vital for obtaining an overall picture of the organization's current security posture. This phase lays the foundation for implementing the additional procedures needed to obtain the highest possible CMMC maturity level possible.
Prime contractors should begin working with their subcontractors now if they aren't already doing so. The primary purpose of this coordinated effort should be to review the compliance programs that are already in place and develop new ones if needed. Contractors should also review RFIs and RFPs for their minimum CMMC requirements to ensure they won't be overly burdensome. It's important for prime contractors to understand the certification level required throughout their supply chain before bidding on a contract.
Contractors should closely engage with contracting agencies during this period, as the procedures for obtaining CMMC are still evolving. These agencies should provide the DoD with contractor feedback during this stage to clarify any ambiguity in an RFP, especially with regard to CMMC requirements. Contractors have the option of filing a pre-award protest if these issues aren’t resolved to their satisfaction. However, the US Court of Federal Claims and Government Accountability Office (GAO) will likely defer to the DoD on contract issues related to technical requirements or national security.
Contractors need to follow the challenges in obtaining CMMC as they develop. They should be particularly concerned about the due process that will be available in the event that a CMMC audit result is in error. These assessments can have a great impact on an organization's ability to continue competing for DoD contracts in any meaningful way. The CMMC doesn't currently establish any right of appeal for the contractor, although the DoD has indicated that it will do so. In the meantime, contractors should continue providing the DoD with detailed feedback on proposed due process procedures.
Contractors should also be prepared to be agile with respect to CMMC. While CMMC is a minimum requirement for eligibility on DoD contracts, a contract may have additional cybersecurity requirements. The DoD has repeatedly emphasized that CMMC is only a starting point that may not be adequate to address evolving threats. Contractors must therefore continue to foster a culture of flexibility when it comes to cybersecurity.
The requirement for CMMC is expected to being appearing in DoD contracts in 2021 and will apply to all contracts by 2026. Cuick trac™ by Beryllium InfoSec can help your organization satisfy the 110 NIST SP 800-171 controls in addition to the emerging CMMC requirements.
Learn why so many small to medium size defense contractors choose cuick trac™ as their DFARS 252.204-7012 & NIST SP 800-171 compliance solution.
Call 763-546-8354 or schedule a cuick trac™ demo today.