CMMC 1.0 is officially here! Roughly seven months after the Cybersecurity Maturity Model Certification was first announced, CMMC was announced and reviewed by Department of Defense (DOD) officials and members of the Office of the Under Secretary of Defense, Acquisition and Sustainment (OUSD(A&S)).
What does this mean for DOD contractors and suppliers?
Understanding Why CMMC Exists
In the video below, Ellen Lord, Katie Arrington and Kevin Fahey spend over forty minutes introducing, discussing, and answering questions on CMMC during the official release.
Here are some highlights and quotes from the briefing on January 31, 2020. You can find the full video here as well.
Ellen Lord (Under Secretary of Defense for Acquisition and Sustainment (A&S))
“There are three key takeaways I want everyone to leave here with today. First, cybersecurity risks threaten the defense industry and the national security of both the U.S. government and our allies and partners. Second, it was extremely important to me that we communicate extensively with industry, academia, military services, the Hill and the public, to hear their concerns and suggestions on the CMMC model. Last, today represents an important milestone, but we still have a lot of work to do. We will continue to work very closely with industry associations and the Hill so everyone has a clear understanding of the process, feedback loops and the way ahead.”
“Both our National Security Strategy and National Defense Strategy rightly underscore the importance of defending against cyber attacks, which offer adversaries low-cost and deniable opportunities to seriously damage or disrupt critical infrastructure and capability. $600 billion dollars, or about 1% of global gross domestic product, or GDP, each year is lost through cyber theft…”
“…my number one priority throughout the CMMC process has been to over-communicate, get feedback, and then communicate some more. It was critically important to me that members and staffers on the Hill, academia and the defense industry were all involved throughout CMMC development.”
“…since the first draft publication in September 2019, our office has received over 2,000 comments from individuals, defense industrial base partners and industry associations.”
“We need small and medium businesses in our defense industrial base, and we need to retain them. We know that the adversary looks at our most vulnerable link, which is usually six, seven, eight levels down in the supply chain.”
“…we are looking at late spring/early summer time frame to complete a new defense acquisition regulation, a new Defense Federal Acquisition Regulation, or DFAR.”
“Next in the timeline will be the CMMC requirement in selected RFIs [request for information] in the June 2020 time frame, followed by corresponding RFPs [request for proposals] in September 2020 time frame, where CMMC standards will be required at the time of contract award.”
“We continue to work to select third-party certification vendors. There are multiple companies that are interested right now, but we have not officially designated who is qualified. We will keep you updated.”
Earlier this month, the CMMC accreditation body was created. It is made up of unbiased parties that will oversee the training, quality and “administration of the CMMC third-party assessment organizations…They will be called C-3PAO, who will certify the industrial base.”
“Conflicts of interest will be a point of emphasis in the MOU, helping ensure auditors cannot review one’s own company, for example.”
Katie Arrington (Chief Information Security Officer- OUSD A&S):
“The CMMC framework will serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are implemented to protect controlled unclassified information residing on defense supply chain contractor networks, and reduce the risk of advanced persistent threat by invoking critical thinking skills around cybersecurity.”
“Given the diversity of the DOD supply chain, the fact that cybersecurity is not one-size-fits-all, CMMC consists of five levels that enable the progression of cybersecurity maturity for defense contractors, as you can see by this, from basic cybersecurity hygiene to advanced.”
“CMMC Level 1 is the basic cyber hygiene skills that we should be doing every day, regardless. They’re there to protect yourself, your company and your own information.”
“Level 2 on the CMMC is when we start implementing and helping small businesses, mainly, implement process into their — their maturity of cyber-secure certification. So we’ve added levels to that, and it’s a big move from Level 1 to Level 3. There are a lot of controls. You’re moving from 17 to over 110 controls.”
“With Level 3 is actually policy. It’s managed. It’s when CUI [controlled unclassified information] touches a — a customer’s net. So companies today that are using DFAR Clause 252.204.7012 are self-attesting that they are implementing all NIST 171 R1 110 controls. That’s all that we’re asking in the CMMC Level 3.”
“Level 4 is where it’s reviewed. That’s — you’ll see the — certain requirements that were in the NIST-Bravo [NIST 800-171B] version. You’ll see those appear in Level 4 and Level 5. Those will be very critical technology companies that will be working on those programs.”
“The intent is to specify the required CMMC level in request for proposals, and for the winning offer to achieve the CMMC level as condition of the contract award.”
“We’re in the process of getting the MOU over to them [CMMC AB]. They’ll have a marketplace on their website about the March, early April time frame, where companies can start coming in and getting information.”
“…the major milestones for the rest of the fiscal year include picking pathfinder programs, including the initial RFIs for the CMMC requirements in June, the CMMC requirements and RFPs in October and working with the accreditation body of the certification of the candidate C-3PAOs.”
“After the A.A.B. — the CMMC A.B. certifies C-3PAOs, companies will be able to schedule CMMC assessments for specific levels through a CMMC marketplace portal.”
“So let me get to some maths — myths vs. facts. This first one is, ‘current contracts will have CMMC put into them.’…That is not the case. We are doing this in a very deliberate, slow, rollout process. We are going to start with just a few contracts that will have the RFI in October.”
“‘The level of the prime needs to be the same for all of the subcontractors on a contract.’ … No. As I stated earlier, security is not one-size-fits-all. So what we are doing in the new 5000, the adaptive acquisition framework, and in the 5000.CS, we actually went through and broke down how you should look at cybersecurity on your — your acquisition.”
“…’does this program have any controlled unclassified information?’ If it does, you would immediately think the first level would have to be CMMC-3 for the prime, because, right now, that’s what the DFAR rule says….But, subsequent, the flow-down of that information is really important. And you shouldn’t — as a prime, we shouldn’t burden small business that aren’t prepared or expecting to get CUI. So they would only need to be a level one, if they’re not touching the controlled unclassified information.”
“Half of the CMMC A.B. board are individuals that have come from small business, because they believe that we can create the CMMC.”
As you can see, there is still a lot of work to do. That said, the CMMC team deserves a lot of credit for meeting their deadlines, while in a short period of time, providing everyone with a program as robust as the Cybersecurity Maturity Model Certification.
It becomes pretty clear from the announcement, that CMMC 1.0 exists in order to verify that DOD contractors are operating at the level of maturity required, in order to defend against attacks from our adversaries.
The self-assessment model within DFARS 252.204-7012, which was built on trust, has come to an end. It wasn’t working.
What Changed from CMMC Draft 0.7 to CMMC 1.0?
The good news for DOD contractors is that there were not any drastic changes from CMMC Draft 0.7 and CMMC 1.0.
First and foremost, if a DOD supplier handles Controlled Unclassified Information, they will need to be a CMMC level 3 at minimum.
There were a few processes and practices removed from levels 3 through 5, centered around business process when handling CUI.
For example, in level 3 under the domain “Asset Management (AM)”, the practice laid out in draft 0.7 “P1035 – Identify, categorize, and label all CUI data (ISO/IEC 27001 A.8.2.1, ISO/IEC 27001 A.8.2.2) was removed.
There are only level 3 practice in the AM domain in 1.0 is “AM.3.036 – Define procedures for the handling of CUI data.”
The handful of other removed practices/processes include proactive measures that require further buy-in from key stakeholders in the organization.
One could argue some of these were consolidated for the sake of simplification, which makes sense.
Perhaps in the future, practices and processes like this will be added in future versions/enhancements of the CMMC as the DOD supply chain matures.
The CMMC’s purpose, after all, is to drive maturity at all times as threats evolve, right?
We would love to see more accountability type practices and processes added in the future.
Putting focus on practices and processes that go beyond anything a technology or security professional can do, is always recommended.
CMMC Schedule Moving Forward
As mentioned above and reinforced during the CMMC 1.0 announcement video, there is still a lot of work to do and lots to learn as the roll-out continues.
The released schedule is subject to change, but given how the CMMC team has met most of their goals to this point, it is best to assume these deadlines are accurate.
Ms. Arrington talks about the roll-out as a “crawl, walk, run” approach in order to make the CMMC effective for everyone.
Key schedule dates to be aware of:
- March/April 2020 – CMMC Marketplace Created
- April 2020 – CMMC A.B. will provide updates on training classes, which are planned to begin in early Spring 2020
- June 2020 – CMMC Requirements in select number (10 was the mentioned target) of RFI’s
- June 2020 – Defense Acquisition University (DAU) Training Available
- October 2020 – CMMC Requirements in select number (10 was the mentioned target) of RFP’s
From a crawl, walk, run standpoint, these dates make sense. They allow for some room to make minor changes to the program.
What DOD Suppliers Can Do Next
Given that no Third Party Assessment Organizations (C3PAO’s) currently exist, every DOD supplier and contractor should be laser-focused on completing their Plan of Actions and Milestones (POAM), if they currently have one.
If no POAM exists, contractors need to create a System Security Plan (SSP), which includes information for each system in their environment that processes, stores, and transmits Controlled Unclassified Information (CUI).
As for POAMs, the current format of milestones taking place two, three, or four years down the road…will no longer be allowed.
Any organization doing business with the DOD will need to have the CMMC maturity level requirements fully implemented by the time of contract award.
If your organization is looking for help creating an SSP and POAM, Beryllium can help.
CMMC 1.0 Does Not Mean “Breathing Room”
The announcement of the CMMC back in the Summer of 2019 caused a flurry of activity within the DOD supply chain.
Over the past seven months, much of the activity was caused by fear. Many small to medium-size businesses in the DOD supply chain are not ready.
And they know it.
Others were taking a proactive approach so they don’t lose their competitive advantage. They also want to avoid putting their business at risk. This is more than cybersecurity risk and supply chain risk.
Financial risk. Intellectual property risk. Innovation risk. Personal risk. And so on.
This is about overall risk management.
Just because certifications are not going to take place right away, that does not mean DOD suppliers get “breathing room.”
The DFARS 252.204-7012 clause is still the requirement. Primes have the right, today, to ask how their sub’s POAM completion progress is going.
Is your organization ready for that question? Is your organization ready for when your customer starts looking for potential suppliers to replace yours?
Keep in mind, there is a lot of risk on prime contractors as well. If primes have to replace a supplier because they are a cybersecurity risk, they will.
In fact, they have to in order to meet the CMMC requirements.
Many DOD suppliers and contractors have told their customer(s) they are “working on” their POAM. This used to be allowed because there was no way to verify if they were being true to their word.
What happens if an organization suffers a CUI data breach tomorrow? Next week? Next Month? What is the excuse going to be?
“We were waiting for more clarification about CMMC 1.0 before making a plan” will not work.
Take the Correct Path
In order to achieve compliance with DFARS 252.204-7012 by implementing all 110 controls of NIST 800-171, DOD suppliers and contractors handling CUI will need to provide proof via audit artifacts.
There is no technology that meets all 110 controls. There is a large portion of requirements within NIST 800-171 that are non-technical. Many of these require policy and procedure being created, implemented, and documented.
Technology cannot perform those requirements. Administration, understanding CUI data flows, and other non-technical requirements require the business to proactively implement and manage.
This is much easier to accomplish when working with subject-matter experts who understand NIST, CUI, cybersecurity and information security.
Beryllium can help your organization identify the best path for your business.
Is your organization looking for the answer to completing your POAM? With Beryllium, the CUICK TRAC Solution could be the answer.
CUICK TRAC combines both the technical and non-technical controls of NIST 800-171 into a single programmatic process.
Does your organization need to better understand if they handle CUI or not? And if so, where does CUI reside?
How can an organization develop and execute an effective plan if it doesn’t understand where sensitive data resides within the business?
These are just two examples of how Beryllium can help DOD suppliers and contractors achieve the adequate level of CMMC maturity that is now required by the DOD.
Regardless of where you are in the process, contact Beryllium and speak with one of our subject matter experts today.
Don’t drag your feet and get left behind. Our national defense depends on the lower tier suppliers in the DOD supply chain!
Additional CMMC 1.0 Resources
Beryllium InfoSec Collaborative (“Beryllium” for short), is an information security and cyber security company located in Minneapolis, Minnesota. As a small business owned by veterans, Beryllium has 80-plus years of industry experience across industry & government. We are National Institute of Standards and Technology (NIST) information security experts, who know the balance of security needs and operational requirements. NIST provides the definitive compilation of guidelines that all other standards are derived from, either partially or wholly.
Beryllium is unique, in that we use strategic collaboration, education, and a holistic approach to information security & cyber security. From small to medium size businesses (SMBs), to enterprise organizations, our expertise of the NIST information security & cyber security guidance allows us to build unique, compliant & cost-effective solutions for any organization.