The first version of the Cybersecurity Maturity Model Certification (CMMC) was finalized by the Department of Defense (DoD) on January 31, 2020. Moving forward, organizations in the Defense Industrial Base (DIB) must be certified at the required level to be awarded contracts by the DoD.
The CMMC is owned by the DoD, which adapted best practices from several different frameworks and added a requirement of third-party validation to receive certification.
Below is a list of frequently asked questions regarding the CMMC, anticipated timelines for implementation, and how your organization can prepare for its upcoming requirements.
What’s the CMMC?
The CMMC was established by the DoD to proactively defend against current and future cybersecurity risks inherent in the outside organizations the DoD relies on to support and meet military needs.
Through the CMMC, the DoD intends to:
- Encourage improved security at a manageable cost to the federal government
- Provide assurance by requiring independent validation
- Establish tiers of compliance more closely aligned with risk
- Verify an organization has implemented controls to secure controlled unclassified information (CUI) in alignment with the risk level determined by the DoD
The DoD has partnered with organizations to form the not-for-profit CMMC Accreditation Body (CMMC-AB) that will train and certify assessors and organizations to audit against the CMMC. The CMMC-AB will maintain a catalogue of:
- Certified third-party assessment organizations (C3PAOs) that will perform CMMC audits
- Employees of C3PAOs that are certified audit assessors
- CMMC-certified organizations
Who’s affected by the CMMC?
The entire defense supply chain is affected by the guidelines laid out in the CMMC. That includes vendors, contractors, all third parties included in contracts, and any tangentially related organization that provides business support to the DoD—even if it’s an indirect relationship such as janitorial staff.
An organization must be certified at the required level for their request for proposal (RFP) to be considered by the DoD.
Why was the CMMC created?
While the DoD had established baseline expectations for cybersecurity prior to the CMMC, organizations were allowed to self-certify as opposed to seeking third-party validation. Through this model, organizations in the DIB weren’t required to provide evidence supporting claims that best information security practices were applied; this resulted in several breaches and subsequent disruption in the supply chain.
It’s easier for attackers, primarily nation states, to target organizations downstream from the DoD as opposed to attacking the DoD directly. There are over 350,000 vendors in the DoD supply chain, which creates a vast amount of untracked vulnerabilities and opportunities for attackers.
Although the DoD formed the Cyber Crime Center (DC3) in 1998, and several agencies have established cybersecurity initiatives, approximately 6% of contractors reported breaches between January 2016 and February 2018.
For example, China stole CUI related to undersea warfare—including 614 gigabytes of material concerning Project Sea Dragon, a supersonic antiship missile—through a contractor breach in early 2018.
Cost of Cyberattacks
Frequent breaches have continued to occur, and they’re associated with high costs. Miracle Systems—a company providing support to over 20 federal agencies—reported that their internal server was breached in August 2019. Cybercriminals subsequently marketed access to CUI on cybercriminal forums, profiting from the security incident at the expense of not only Miracle Systems and the DoD, but the entire infrastructure of contractors, subcontractors, and supporting organizations under the contract.
Miracle Systems estimated the breach cost them somewhere between $500,000 and $1 million. However, the long-term impact on Miracle Systems’ reputation, and the impact on all other affected organizations, is more complex and difficult to calculate.
Fulfillment of Contract
Availability of service is also a critical factor for the DoD. Their contracts need to be fulfilled.
If your organization is subject to a ransomware attack, you may not be able to meet the contract’s needs or deliver the parts or services required to fulfill the project.
Securing the supply chain isn’t solely about protecting CUI; it’s about securing the supply chain itself so it can continue to function.
What’s the timeline for implementing changes?
The DoD has indicated several milestones over the next several years.
Although the DoD and the CMMC-AB have met their self-imposed deadlines to date, the impact of the COVID-19 pandemic and the resulting economic conditions is unclear. Until new timelines are announced, organizations should continue to operate under the assumption that the current timelines remain.
New Contracts and Renewals
The DoD intends to implement the program on a rolling basis until 2025 as current multiyear contracts expire and the CMMC requirements are integrated into contract renewals and new RFPs. For new contracts, or contracts being renewed, the DoD will provide specifications about the auditing requirements. Current contracts with multiyear options aren’t expected to be backdated.
Auditor training hasn’t been conducted yet, and the DoD hasn’t released official training dates at the time of publication. The first training session is expected to begin by the end of April 2020.
Requests for Information
The Under Secretary of Defense for Acquisition and Sustainment Ellen Lord has conveyed that the DoD intends to issue approximately 10 requests for information (RFIs) that include CMMC requirements by the end of June 2020.
The first round of RFPs that include CMMC requirements should follow by the end of September 2020; they will help define required CMMC tiers for contract award.
Your organization will then be required to produce its CMMC certification when the contract is awarded, although there’s no clear timeline for when the DoD will announce those awards.
Your organization’s CMMC certification will last for three years, at which time another audit would be required. To be awarded a contract where a higher CMMC level is required, an audit for compliance at that level would be required as well.
Neglecting or losing certification could disqualify your organization from competing for the DoD’s contracts. Although a breach or security incident wouldn’t necessarily invalidate an organization’s certification, the DoD has indicated its program manager could require a reassessment post-incident.
How can your organization prepare to meet CMMC requirements?
Information can be accessed from the Office of the Under Secretary of Defense for Acquisition and Sustainment’s website. To meet all requirements, your organization should take steps to:
- Review the CMMC control matrix.
- Identify potential vulnerabilities within your organization.
- Complete a pre-assessment readiness check.
- Evaluate your level of exposure to CUI.
- Determine your tier and be conservative in your estimate.
- Conduct a security assessment.
Your organization will need to adapt to how its internal controls are audited and evaluated. When an organization is audited by the DoD, it will need to demonstrate how:
- Threats were evaluated
- Risks were measured
- Mitigating controls were assessed and monitored for effectiveness
Pivoting from internal audit and self-attested compliance to third-party validation can introduce significant pain points. Several key steps have emerged to help organizations during this transition:
- Educate key decision makers and stakeholders regardless of current security and compliance; preparing for CMMC audits will take resources that require their sign-off.
- Build relationships across organizational boundaries; effective compliance will require coordination across all departments of your organization.
- Document the lifecycle of CUI in your organization—how it’s acquired, processed, stored, and transmitted.
- Pay particular attention to mobile devices where CUI can be accessed.
- Don’t overlook areas that appear to be paper-based.
- Lean in and ask for help early on in the process.
- Account for investments in security and compliance.
Securing the defense supply chain against the increasing threat of cyberattacks and supporting the innovation and competitiveness of the DIB are considered complementary strategies.
The DoD has acknowledged that the cost of certification has the potential to impede progress. To help remedy the expense, the DoD has stated that, “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.”
The DoD hasn’t yet issued a final decision on which components of CMMC certification will be considered reimbursable, but your organization won’t be able to include the cost of preparation and certification if your records don’t support the line items.
We’re Here to Help
Keep in mind, the CMMC requirements could be the best cybersecurity practices for your organization, but evaluating how closely your organization already aligns with those requirements may require additional expertise.
If you have any questions about the CMMC or other inquiries related to cybersecurity, please contact your Moss Adams professional.