Impact of Cybersecurity Maturity Model Certification (CMMC) on DoD Contractors

Overview

The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC).

• The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
• The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
• The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
• The intent is for certified independent 3rd party organizations to conduct audits and inform risk.

Basic Facts about CMMC and how it will affect your Business

Taken from FAQ posted at: https://www.acq.osd.mil/cmmc/faq.html

CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use as a “go / no go decision.”

New Framework and Assessment process based on Controlled Unclassified Information (CUI). CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and includes the following organizational index groupings:

• Critical Infrastructure
• Defense
• Export Control
• Financial
• Immigration
• Intelligence
• International Agreements
• Law Enforcement
• Legal

• Natural and Cultural Resources
• NATO
• Nuclear
• Privacy
• Procurement and Acquisition
• Proprietary Business Information
• Provisional
• Statistical
• Tax

Resources, including online training to better understand CUI can be found on National Archives’ website at https://www.archives.gov/cui/training.html

The DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements. In June 2020, industry should begin to see the CMMC requirements as part of Requests for Information.

The initial implementation of the CMMC will only be within the DoD.

The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.

Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.

Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.

The certification cost has not yet been determined. The cost, and associated assessment will likely scale with the level requested.

There is no Self-certification

We expect that there will be a number of companies providing 3rd party CMMC assessment and certification. An independent 3rd party assessment organization will normally perform the assessment. Some of the higher level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).

Your certification level will be made public, however details regarding specific findings will not be publicly accessible. The DoD will see your certification level.

The duration of a certification is still under consideration.

If my organization is certified CMMC and your company is compromised, you will not lose your certification. However, depending on the circumstances of the compromise and the direction of the government program manager, you may be required to be recertified.

If your organization cannot afford to be certified, it does that mean your organization can no longer work on DOD contracts. The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.

**Even if your organization does not handle Controlled Unclassified Information (CUI), all companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes.

All Subcontractors currently on a DoD Contract, will need to obtain CMMC.

The government will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts

The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ unclassified networks. CMMC audits by third party assessment organizations will not be applied to classified systems or environments. The Defense Counterintelligence and Security Agency (DCSA) will include CMMC assessments as part of their holistic security rating score.

If you would like more information, contact LP3. We will be glad to help you make an informed decision about the impact that DFARS has on your business or organization.  For more information about our DFARS / CMMC  compliance services,  please visit our website.

Jeff Grim is CTO/CISO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.