The Department of Defense (DoD) has been making efforts over the past five (5) years to strengthen cybersecurity throughout the Defense Industrial Base (DIB) and prioritize enforcement efforts. The current Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, has been in full effect since 2017 and requires all defense contractors and subcontractors to implement the security controls defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a new framework that utilizes a maturity model to codify the cybersecurity processes, capabilities, and practices that apply to defense contractors and subcontractors. While the CMMC is largely based on the security safeguards defined in NIST SP 800-171, it introduces several additional domains that are derived from multiple cybersecurity standards, frameworks, and other references. The model includes 17 domains, each composed of corresponding cybersecurity capabilities, processes, and practices. The required processes and practices for each maturity level are identified in the CMMC framework and are categorized using five (5) levels. The higher levels build on the lower levels and introduce additional practices and processes that are intended to provide more robust protections for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Contractors and subcontractors must ensure that the cybersecurity processes and practices for the specific CMMC level that applies to their organization are implemented. CMMC will be rolled out in 2020 and included in DoD contracts, with the goal of improving CUI security by introducing a formal audit program for compliance.
The CMMC framework consists of five (5) maturity levels. Each level consists of a set of processes and practices, as shown in the chart below. A vast majority of companies will be required to comply with CMMC Level 1, which involves the performance of “Basic Cyber Hygiene” practices. The cybersecurity requirements become more advanced at higher levels with Level 5 requiring the most rigorous and sophisticated security safeguards.
Accreditation Body & Independent Assessments
In January 2020, the CMMC Accreditation Body (CMMC-AB) was registered as a Maryland 501(c)(3) nonprofit organization and consists of board members and multiple working groups. The CMMC-AB is seeking input from industry as it relates to the purpose of each Working Group. Organizations that are interested in learning more about the CMMC as it evolves are encouraged to watch the National Conversation webinar series.
The CMMC-AB manages the operational aspects of the CMMC auditing program including the selection of Certified Third-Party Assessment Organizations (C3PAOs), training of assessors, and conducting quality control reviews of CMMC assessments. The CMMC-AB intends to support the program by establishing, training, and overseeing the community of C3PAOs and individual assessors that will evaluate covered contractor systems and defense contractor information security programs. Self-assessment and self-attestation processes, which were previously accepted, are being replaced by CMMC audits that are conducted by C3PAOs.
CMMC Phased Rollout
The DoD plans to utilize a phased approach to roll out the CMMC requirements for defense contractors and subcontractors over the next five (5) years. Requests for Information (RFIs) will begin to include the requirement to meet applicable CMMC levels in the fall of 2020. Approximately fifteen contracts are expected to contain CMMC requirements in Fiscal Year (FY) 2021, which will impact approximately 1,500 defense contractors. It is important to note that the CMMC framework is expected to be updated and adapted based on feedback obtained during the Pathfinder stages of implementation. While there are several aspects of this new framework that are being refined and are subject to change as implementation efforts progress, COACT will continue to monitor new releases and advisories and modify this page to reflect the updated information.
Start Preparing for CMMC Now
After the CMMC is rolled out, ALL DoD contractors and subcontractors who wish to conduct business with the DoD must be certified prior to the award of a contract. It is imperative that your company starts preparing by updating information systems and your security program to meet the requirements associated with the CMMC level that applies to you. The CMMC is designed to ensure defense contractors and subcontractors implement appropriate cybersecurity practices to protect sensitive data.
CMMC seeks to unify the way in which the DIB implements cybersecurity best practices and improves information security program maturity. CMMC requires the implementation of specific security safeguards and certification that the contractor or subcontractor meets the requirements based on the sensitivity of the data that resides within its systems. DIB contractors understand that securing sensitive data, such as Controlled Unclassified Information (CUI), is critical during contract performance and that a breach or unauthorized disclosure could adversely impact their relationship with a government client. CMMC highlights this need and enforces the implementation of security safeguards by contractors by making certification a prerequisite for contract award. Implementing and documenting security safeguards to meet NIST SP 800-171 requirements is currently the best starting point for organizations seeking to achieve a CMMC certification in the future.
For more information on how our subject matter experts can help you with your readiness and compliance/assessment needs, contact us at firstname.lastname@example.org
C3PAO Status: Application pending