The first version of the Cybersecurity Maturity Model Certification (CMMC) was finalized by the Department of Defense (DoD) on January 31, 2020. Moving forward, organizations in the Defense Industrial Base (DIB) must be certified at the required level to be awarded contracts by the DoD.
While the auditing and reporting infrastructure is being established and developed to support validating organizations’ basic cybersecurity hygiene and maturity, an interim rule, DFARS Case 2019-D041, has been defined to require a more consistent self-assessment of compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
The CMMC is owned by the DoD, which adapted best practices from several different frameworks and added a requirement of third-party validation to receive certification.
Below is a list of frequently asked questions regarding the CMMC, anticipated timelines for implementation, and how your organization can prepare for its upcoming requirements.
What Is the CMMC?
The CMMC was established by the DoD to proactively defend against current and future cybersecurity risks inherent in the outside organizations the DoD relies on to support and meet military needs.
Through the CMMC, the DoD intends to:
- Encourage improved security at a manageable cost to the federal government
- Provide assurance by requiring independent validation
- Establish tiers of compliance more closely aligned with risk
- Verify an organization has implemented controls to secure controlled unclassified information (CUI) in alignment with the risk level determined by the DoD
The DoD has partnered with organizations to form the not-for-profit CMMC Accreditation Body (CMMC-AB) that will train and certify assessors and organizations to audit against the CMMC. The CMMC-AB will maintain a catalogue of:
- Certified third-party assessment organizations (C3PAOs) that will perform CMMC audits
- Employees of C3PAOs that are certified audit assessors
- CMMC-certified organizations
Who Is Affected By the CMMC?
The entire defense supply chain is affected by the guidelines laid out in the CMMC. That includes vendors, contractors, all third-parties included in contracts, and any tangentially related organization that provides business support to the DoD—even if it’s an indirect relationship such as janitorial staff.
An organization must be certified at the required level for their request for proposal (RFP) to be considered by the DoD.
In addition, the General Services Administration (GSA) has issued RFPs that include CMMC requirements, including an RFP for streamlined governmentwide services contracts. Although CMMC maturity levels (MLs) three, four, and five are designed to align with protection of CUI, CMMC ML 1 is designed to align with the same Federal Acquisition Regulation (FAR) requirements established across the federal government.
Why Was the CMMC Created?
While the DoD had established baseline expectations for cybersecurity prior to the CMMC, organizations were allowed to self-certify as opposed to seeking third-party validation.
Through this model, organizations in the DIB weren’t required to provide evidence supporting claims that best information security practices were applied; this resulted in several breaches and subsequent disruption in the supply chain.
It’s easier for attackers, primarily nation states, to target organizations downstream from the DoD as opposed to attacking the DoD directly. There are over 350,000 vendors in the DoD supply chain, which creates a vast amount of untracked vulnerabilities and opportunities for attackers.
Although the DoD formed the Cyber Crime Center (DC3) in 1998, and several agencies have established cybersecurity initiatives, approximately 6% of contractors reported breaches between January 2016 and February 2018.
For example, China stole CUI related to undersea warfare—including 614 gigabytes of material concerning Project Sea Dragon, a supersonic antiship missile—through a contractor breach in early 2018.
In a more recent attack, an aggressive cyberespionage unit exploited four key vulnerabilities in Microsoft Exchange Server, resulting in potentially 30,000–80,000 organizations falling victim to hackers—and the number could keep growing.
To learn more about this attack, and whether your organization was compromised, please read our article.
Cost of Cyberattacks
Frequent breaches have continued to occur, and they’re associated with high costs. Miracle Systems—a company providing support to over 20 federal agencies—reported that their internal server was breached in August 2019.
Cybercriminals subsequently marketed access to CUI on cybercriminal forums, profiting from the security incident at the expense of not only Miracle Systems and the DoD, but the entire infrastructure of contractors, subcontractors, and supporting organizations under the contract.
Miracle Systems estimated the breach cost them somewhere between $500,000 and $1 million. However, the long-term impact on Miracle Systems’ reputation, and the impact on all other affected organizations, is more complex and difficult to calculate.
Fulfillment of Contract
Availability of service is also a critical factor for the DoD. Their contracts need to be fulfilled.
If your organization is subject to a ransomware attack, you may not be able to meet the contract’s needs or deliver the parts or services required to fulfill the project.
Securing the supply chain isn’t solely about protecting CUI; it’s about securing the supply chain itself so it can continue to function.
What’s the Timeline for Implementing CMMC Changes?
Although the COVID-19 pandemic significantly impacted these timelines, the DoD has continued to follow the defined schedule.
The DoD intends to implement the program on a rolling basis until 2025 as current multiyear contracts expire and CMMC requirements are integrated into contract renewals and new RFPs.
For new contracts, or contracts being renewed, the DoD will provide specifications about the auditing requirements. Current contracts with multiyear options aren’t expected to be backdated.
The DoD has indicated several milestones over the next several years.
The increased sophistication, volume, and aggressiveness of cybercriminal activity has expanded risks for all industries, and the DoD recognizes the importance of improving the baseline of cybersecurity across the DIB.
Training has been conducted for a limited number of provisional assessors and the CMMC-AB marketplace lists C3PAOs that have been approved to perform preliminary audits; however, all CMMC audits are being coordinated by the CMMC-AB during this interim period. Audits are limited to DIB organizations proposing contracts that require CMMC certification.
For organizations undergoing CMMC audits during this interim period, a delta assessment will be required to address the organization’s compliance with any changes made to the CMMC requirements once the final rule is adopted.
Requests for Information
The Under Secretary of Defense for Acquisition and Sustainment, Ellen Lord, has conveyed that the DoD intends to issue approximately 10 requests for information (RFIs) that include CMMC requirements by the end of June 2020.
The first round of RFPs that include CMMC requirements should follow by the end of September 2020; they will help define required CMMC tiers for contract award.
Your organization will then be required to produce its CMMC certification when the contract is awarded, although there isn’t a clear timeline for when the DoD will announce those awards.
What CMMC Certification Level Does My Organization Need?
The required ML is based on:
- Whether CUI will be handled or generated under the contract
- Volume and sensitivity of CUI handled or generated under the contract
It can be confusing to understand which CMMC ML is required for your organization, but clarifying with your program office and acquisition officer is often an effective approach.
Categories of CUI
If your organization is unsure if it’s handling CUI, review the categories of CUI defined by the National Archives.
Generally, if it’s only handling federal contract information (FCI), then only ML 1 will be required. ML 1 aligns with FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
If your organization is handling CUI, at least ML 3 will be required.
To get a general sense of the direction your organization could take, consult the decision tree below:
Your organization’s CMMC certification will last for three years, at which time another audit will be required. To be awarded a contract wherein a higher CMMC level is required, an audit for compliance at that level will be required as well.
Neglecting or losing certification could disqualify your organization from competing for the DoD’s contracts. Although a breach or security incident wouldn’t necessarily invalidate an organization’s certification, the DoD has indicated its program manager could require a reassessment post-incident.
How Can Your Organization Prepare to Meet CMMC Requirements?
Information can be accessed from the Office of the Undersecretary of Defense for Acquisition and Sustainment’s website. To meet all requirements, your organization should take steps to:
- Review the CMMC control matrix.
- Identify potential vulnerabilities within your organization.
- Complete a preassessment readiness check.
- Evaluate your level of exposure to CUI.
- Determine your tier and be conservative in your estimate.
- Conduct a security assessment.
Your organization will need to adapt to how its internal controls are audited and evaluated. When an organization is audited by the DoD, it will need to demonstrate how:
- Threats were evaluated
- Risks were measured
- Mitigating controls were assessed and monitored for effectiveness
When preparing for a CMMC audit, organizations should be familiar with some key terms used to describe auditable aspects of their information security program:
- Practice. An activity or set of activities that are performed to meet defined objectives.
- Activity. The set of actions that allow practices to succeed.
- Policy. An artifact or collection of artifacts that establishes governance over implementation of practices and activities.
- Procedure. A way of carrying out a process or activity.
- Process. A procedural activity performed to implement a defined objective.
At ML 1, the audit will be focused on activities and practices. Good IT and cybersecurity hygiene emphasizes performing the necessary activities over developing complex sets of documentation. Organizations expecting to handle CUI will need to comply with ML 3, which emphasizes maturity of practices and processes. Auditors will require evidence demonstrating that users and administrators adhered to documented processes over time. Documented risk assessments and threat intelligence are also required.
Additionally, CMMC certification may be focused on an entire enterprise network or particular segments or enclaves, depending on where protected information is processed, stored, or transmitted.
When considering the activities, practices, processes, procedures, and policies that enable CMMC compliance, most organizations can benefit from limiting the scope as much as possible.
Pivoting from internal audit and self-attestation compliance to third-party validation can introduce significant pain points. Several key steps have emerged to help organizations facilitate efforts during this transition:
- Educate key decision makers and stakeholders regardless of current security and compliance; preparing for CMMC audits will take resources that require their sign-off.
- Build relationships across organizational boundaries; effective compliance will require coordination across all departments of your organization.
- Document the lifecycle of CUI in your organization—how it’s acquired, processed, stored, and transmitted.
- Pay particular attention to mobile devices where CUI can be accessed.
- Don’t overlook areas that appear to be paper-based.
- Lean in and ask for help early on in the process.
- Account for investments in security and compliance.
Securing the defense supply chain against the increasing threat of cyber-attacks and supporting the innovation and competitiveness of the DIB are considered complementary strategies.
Cost of Certification
The DoD has acknowledged that the cost of certification has the potential to impede progress. To help remedy the expense, the DoD has stated that, “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.”
An article in the Federal Register describes estimated anticipated annual costs for implementing additional controls and conducting CMMC audits to range from $1,000 to over $482,000. The estimate depends on certification level, nonrecurring costs, and recurring costs. The wide range highlights the importance of identifying the correct maturity level and how critical it is to maintain effective records.
No final determination has been made on which components of CMMC certification will be considered reimbursable, but your organization won’t be able to claim the cost of preparation and certification if its records don’t support the line items.
What Is Required Under the Interim Rule?
The interim rule defines requirements for self-assessments aligned to the NIST SP 800-171 framework and adds additional guidance for calculating an overall score and recording the results of the assessment in the Supplier Performance Risk System.
The methodology and scoring approach are defined in the NIST SP 800-171 DoD Assessment Methodology. The scoring table defines a point value for each of the controls in 800-171 and notes where certain controls must be implemented for the assessment to proceed at all.
For example, control 3.12.4 describes developing and documenting system security plans (SSPs) and is required because the absence of an SSP would prevent the assessment from being completed.
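The following is an added illustration of the scoring logic described above, not code from the article or the DoD. It assumes the methodology's starting score of 110 with each unimplemented control deducting its table value, treats a missing SSP (3.12.4) as making the assessment unscorable, and uses constructed control weights rather than the official scoring table.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

MAX_SCORE = 110          # one point per NIST SP 800-171 requirement before deductions
SSP_CONTROL = "3.12.4"   # system security plan: no SSP means the assessment cannot be completed


@dataclass(frozen=True)
class Control:
    ident: str        # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int       # points deducted when not implemented (1, 3 or 5 in the methodology)
    implemented: bool


def score_assessment(controls: Iterable[Control]) -> Optional[int]:
    """Return the DoD Assessment score, or None when the SSP control is absent
    or not implemented, mirroring the rule that the assessment cannot be scored
    without a system security plan."""
    controls = list(controls)
    ssp = next((c for c in controls if c.ident == SSP_CONTROL), None)
    if ssp is None or not ssp.implemented:
        return None
    deductions = sum(
        c.weight for c in controls
        if not c.implemented and c.ident != SSP_CONTROL
    )
    return MAX_SCORE - deductions


# Constructed sample: a handful of the 110 requirements with illustrative weights.
# Real assessments list every requirement with the value from the official table.
SAMPLE_CONTROLS = [
    Control("3.1.1", 5, True),    # limit system access to authorized users
    Control("3.1.2", 5, False),   # limit access to permitted transactions/functions
    Control("3.3.1", 5, True),    # create and retain audit logs
    Control("3.5.3", 5, False),   # multifactor authentication
    Control("3.8.9", 1, False),   # protect backup CUI at storage locations
    Control("3.12.4", 0, True),   # system security plan (gatekeeper, no point value)
    Control("3.14.2", 5, True),   # malicious code protection
]


def sample_score() -> Optional[int]:
    return score_assessment(SAMPLE_CONTROLS)


def sample_score_without_ssp() -> Optional[int]:
    # Same posture but the SSP is missing: the assessment cannot be scored.
    return score_assessment(c for c in SAMPLE_CONTROLS if c.ident != SSP_CONTROL)
```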
NIST has also provided the following resource to help organizations navigate these requirements:
- NIST SP 800-171A provides guidance and adds clarification to help organizations perform assessments.
We’re Here to Help
Keep in mind that the CMMC requirements may well represent cybersecurity best practices for your organization, but evaluating how closely your organization already aligns with those requirements may require additional expertise.
If you have any questions about the CMMC or other inquiries related to cybersecurity, please contact your Moss Adams professional.