The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. The CMMC is the DoD’s response to significant compromises of sensitive defense information located on contractors’ information systems.
The US Department of Defense (DoD) released the much-anticipated Cybersecurity Maturity Model Certification (CMMC) version 1.0 on January 31, 2020. It was drafted with significant input from University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry.
Previously, contractors were responsible for implementing, monitoring and certifying the security of their information technology systems and any sensitive DoD information stored on or transmitted by those systems. Contractors remain responsible for implementing critical cybersecurity requirements, but the CMMC changes this paradigm by requiring third-party assessments of contractors’ compliance with certain mandatory practices, procedures and capabilities that can adapt to new and evolving cyber threats from adversaries.
DoD contractors should immediately learn the CMMC’s technical requirements and prepare not only for certification, but for long-term cybersecurity agility. Details on how the CMMC assessments will be conducted, and how to challenge those assessments, are anticipated soon. DoD contractors that have already begun evaluating their practices, procedures and gaps by the time those details are finalized will be well-positioned to navigate the process and meet the mandatory CMMC contract requirements for upcoming projects.
The Office of the Under Secretary of Defense for Acquisition & Sustainment maintains a CMMC FAQ where contractors can keep up to date on the certification process.
The CMMC establishes five certification levels that reflect the maturity and reliability of a company’s cybersecurity infrastructure to safeguard sensitive government information on contractors’ information systems. The five levels are tiered and build upon each other’s technical requirements. Each level requires compliance with the lower-level requirements and institutionalization of additional processes to implement specific cybersecurity-based practices.
Below is an overview of the relevant processes and practices of each level:
All DoD contractors will eventually be required to obtain a CMMC certification. This includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors and foreign suppliers. The CMMC Accreditation Body (CMMC-AB) will coordinate directly with DoD to develop procedures to certify independent Third-Party Assessment Organizations (C3PAOs) and assessors that will evaluate companies’ CMMC levels.
The DoD predicts that it will begin to include minimum certification requirements in requests for information (RFIs) as early as June 2020 and in select requests for proposals (RFPs) in September 2020. DoD has also indicated that a prime-level certification requirement will not necessarily be the same certification level required throughout its entire supply chain for a given contract. Differing certification levels on a single contract have the potential to raise complex implementation challenges for primes and subcontractors alike.
Certification preparation starts now. Accreditation procedures and accreditors have not yet been established, but we expect details soon. The DoD estimates that the DIB includes more than 300,000 contractors that will all need certification to continue to compete for DoD contracts.
Early preparation could result in a more efficient assessment with positive end results. Contractors should begin taking immediate steps to:
Prime contractors also should begin (or continue) working with subcontractors throughout the supply chain to assist in developing compliance programs where necessary or reviewing programs already in place.
Engage with agencies. Offerors should closely review RFIs and RFPs that include minimum certification requirements to ensure the assessed level is not unnecessarily burdensome and that it provides enough clarity for the certification level required throughout the supply chain. Offerors should consider providing feedback to DoD during the market research stage and during an RFP’s question and answer process.
If the issue is not resolved to the offeror’s satisfaction, the offeror could consider bringing a pre-award protest—although, as a general matter, the US Government Accountability Office and the Court of Federal Claims likely will be deferential to DoD on questions related to national security and technical requirements.
Follow the development of assessment challenges. One of the most significant concerns for contractors of all sizes is what type of due process will be available if a certification level or audit result is erroneous. The CMMC assessments could have a significant impact on contractors’ ability to meet minimum contract requirements, and a low rating could limit a contractor’s ability to meaningfully compete for work.
Currently, the CMMC does not establish a contractor’s right of appeal, although DoD indicates one is coming. This is an important development to follow. Where possible, contractors should provide DoD detailed feedback on any proposed due process procedures to ensure they are adequate.
Prepare to be agile. CMMC certification will soon be a minimum requirement for eligibility for DoD contract awards, but this does not mean that contractors should view their cyber-compliance as “complete” once certification is achieved. DoD has emphasized that the CMMC is a starting point for transforming contractors’ internal cybersecurity culture and that industry must focus on preparing for evolving threats, not simply on achieving CMMC certification. Contractors that foster a culture of cyber resiliency and flexibility within their organizations, in addition to obtaining CMMC certification, will be best positioned to compete in a marketplace that is, and will continue to be, less tolerant of cyber-related risk.
This story, “The Cybersecurity Maturity Model Certification explained: What defense contractors need to know” was originally published by
Copyright © 2020 IDG Communications, Inc.