Update on CMMC

/0 Comments/in /by

 

Cybersecurity Maturity Model Certification (CMMC)

The CMMC space is still evolving. All definitive guidance is solely from Office of the Under Secretary of Defense for Acquisition and Sustainment. The CMMC Accreditation Body has not fully established the C3PAO or certification processes. LP3 nor others can claim to provide CMMC certifications nor do we or others can promise certifications.

LEVERAGE YOUR NIST 800-171 COMPLIANCE FOR CMMC CERTIFICATION ROADMAP

Since CMMC version 1 has been released and is based on NIST 800-171, LP3 will do a fixed cost 800-171 assessment to include a System Security Plan (SSP) and a Plan of Actions & Milestones (POA&M) with a roadmap based on CMMC version 1 on the estimated level of effort to achieve compliance.

Be assured without the CMMC certification as part of your acquisition record (similar to DUNS and CAGE#) you will NOT be qualified to bid or receive Government Contracts as a Prime or a Sub. Let LP3 make the unknown known!

 

Why CMMC – Under Secretary of Defense Ellen Lord

Statement from Under Secretary of Defense Ellen Lord:

“Since I introduced the Cybersecurity Maturity Model Certification model last year, I have consistently stressed the importance of communicating and engaging extensively with industry, academia, military services, the Hill and the public to hear their concerns and suggestions. The purpose of this communication was, and still is, to ensure everyone fully understands the intent, process and requirements of CMMC to fight the very real threats that drive us to require rigorous cybersecurity.

Unfortunately, the Department has learned that some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD.  The requirements for becoming a CMMC third-party assessment organization (C3PAO) have not yet been finalized, so it is disappointing that some are trying to mislead our valued business partners. To be clear, there are no third-party entities at this time who are capable of providing a CMMC certification that will be accepted by the Department.  At this time, only training materials or presentations provided by the Department will reflect our official position with respect to the CMMC program. I have also reached out to the presidents of the PSC, AIA and NDIA industry associations to make them aware as well, and they remain connected with my CMMC team.

Moving forward I am confident we will soon sign a Memorandum of Understanding (MOU) with the Cybersecurity Maturity Model Certification Accreditation Body on the accreditation, certification and approval processes relating to the Defense Supply Chain. When that happens we will make an announcement.”

 

“The theft of intellectual property and sensitive information undermines our nation’s defense posture and economy.  Global costs last year are estimated at $600 billion, with an average cost per American of $4,000.” Katie Arrington Chief of Information Security for Acquisition, Department of Defense

DoD Contractors

(Organizations Seeking Certification – OSC)

There are more than 300,000 vendors in the supply chain to the DoD, each of which will require assessment.

Organizations Seeking Certification include:

  • Prime Contractors
  • Subcontractors
  • In short, every organization that sells or services the Department of Defense

Facts.

  • Prime contractors and subcontractors must be certified under CMMC standards to any one of five levels.  The highest levels are reserved for organizations exposed to the most sensitive information.
  • The implementation rollout will begin 1 September 2020, and take up to 5 years.
  • If a contract requires CMMC certification it will be listed in the Request For Proposal (RFP) Sections C and L.
  • The CMMC-AB will provide the standard for applying the model and certify trainers who will train assessors.
  • The CMMC-AB will provide an online marketplace where organizations can find an available, qualified C3PAO.
  • A certification will last 3 years, provided there are no incidents or other triggers inducing a second look at an organization.

But wait. We are just getting started.

Come back here often for detail and sign up below for alerts and emails.

There is much to come, we will provide information as we build it.

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) (LINK)

https://www.acq.osd.mil/cmmc/index.html

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.

OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC).

 

  • The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
  • The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
  • The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
  • The intent is for certified independent 3rd party organizations to conduct audits and inform risk.

See The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))   site for more details.

The CMMC contains five levels ranging from basic hygiene controls to state-of-the-art controls, but unlike NIST 800-171, the CMMC will not contain a self-assessment component.

Every organization that plans to conduct business with the Department of Defense will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime.

 

 

 

Glossary

Accreditation – The process of issuing Licenses and Certificates.

Accreditation Body Board of Directors – The board of directors is the governing body of a nonprofit. Individuals who sit on the board are responsible for overseeing the organization’s activities. Directors meet periodically to discuss and vote on the affairs of the organization. The board of directors, as a governing body, should focus on the organization’s mission, strategy, and goals as defined in the bylaws.

Advisory Councils – Advisory Councils operate at the discretion of, but independently from the board, to inform and advise the board from the perspective of the Advisory Council’s membership. The advisory council’s leaders participate in the board as a non-voting member.

Affiliates – Business concerns, organizations, or individuals that control each other or that are controlled by a common third party. Control may consist of shared management or ownership; common use of facilities, equipment, and employees; or family interest.

Assessment – Formal process of assessing the implementation and reliable use of issuer controls using various methods of assessment (e.g., interviews, document reviews, observations) that support the assertion that an issuer is reliably meeting the requirements of a standard.  In the context of CMMC, Assessments are performed against the requirements set forth in the CMMC for the OSC’s desired CMMC Level.  Source: NIST SP 800-79-2 (adapted)

Assessor – A person who has successfully completed the background, training, and examination requirements as outlined by the CMMC-AB and to whom a License has been issued.  Assessors are not CMMC-AB employees.

Asset Owner – A person or organizational unit (internal or external to the organization) with primary responsibility for the viability, productivity, security, and resilience of an organizational asset. For example, the accounts payable department is the owner of the vendor database.  Source: RMM

Association – The process of linking an Assessor’s License Number with the License Number of a C3PAO.

Audit – Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.  Source: NIST SP 800-32

Certified 3rd Party Assessment Organization (“C3PAO”) – An Entity with which at least two Assessors are Associated and to which a License has been issued.

Certificate – A Record issued to an OSC upon successful completion of an Assessment which evidences the CMMC Level against which the OSC has been successfully assessed.

Certification – The process of receiving a Certificate.

CMMC – The set of standards initially defined by the DoD against which an OSC is to be Assessed.

CMMC Certified Organization – An Organization whose cybersecurity program has received a CMMC Certificate from the CMMC-AB.

Compliance – Verification that the planned cybersecurity of the system is being properly and effectively implemented and operated, usually through the use of assessments / audits.  Source: CMMC

Control – The methods, policies, and procedures—manual or automated—used by an organization to safeguard and protect assets, promote efficiency, or adhere to standards. A measure that is modifying risk. (Note: controls include any process, policy, device, practice, or other actions which modify risk.) Source: NISTIR 8053 (adapted)

CUI (Controlled Unclassified Information) – Information that requires safeguarding or dissemination controls pursuant to and consistent with the law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.   Source: E.O. 13556 (adapted)

Cybersecurity – Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.   Source: NSPD-54/HSPD-23

Defense Supply Chain (“DSC”) – The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements. DSC was substituted for Defense Industrial Base to reflect more specifically the base subject to CMMC assessments.

Digital Signature – An electronic file which is used to authenticate other electronic files and to encrypt files at rest and/or in motion.

Dispute – A formal process managed by the CMMC-AB through which an Assessor and an OSC can seek resolution of a disagreement over the Assessment results.

Dispute Adjudicator – A CMMC-AB employee who is responsible for reviewing and resolving a Dispute.

Educator – CMMC-AB employees who are tasked with educating and testing prospective and current Trainers.

Entity – A legal non-person Organization duly created and maintained under the laws of one or more jurisdiction, including without limitation corporations, limited liability partnerships, limited liability companies, and governmental agencies but excluding unincorporated Organizations such as, without limitation, partnerships.

FCI (Federal Contract Information) – Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.  Source: 48 CFR § 52.204-21

License – A document issued to an Assessor, C3PAO, or Trainer, as appropriate, entitling them to perform their duties with respect to the CMMC-AB as further outlined below.

License Number – A unique identified linked to each Assessor, C3PAO, and Trainer.

Organization – An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or, as appropriate, any of its operational elements). Source: CMMC

Organization Seeking Certification (OSC) – The Organization that is going through the CMMC assessment process to receive a level of Certification for a given environment.  Source: CMMC

Record – A physical document, electronic file, entry in an electronic database, or the like.

Trainer – A person Licensed to provide Training to prospective and current Assessors.  The Trainers are not CMMC-AB employees.

 

Cybersecurity Maturity Model Certification Version 1 (LINK to PDF)