What is the CMMC?
The U.S. Department of Defense (DoD) has gone through several phases of attempting to mandate cybersecurity best practices in the organizations with which it does business. These attempts ultimately failed, so the DoD took a step back and started from scratch. It gathered experts from Johns Hopkins and Carnegie Mellon universities to draw on existing standards (primarily NIST SP 800-171) and developed a new certification framework with which ALL DoD contractors, suppliers, and service providers will need to comply.
This new framework is called the Cybersecurity Maturity Model Certification (CMMC), and its first full version (v1.0) was released on January 31, 2020. The framework not only measures pass/fail compliance against specific requirements; it also measures the WAY you have implemented those requirements, to ensure there is enough rigor, or maturity, to make them acceptably effective.
One major difference between the CMMC and prior DoD requirements of this nature is the certification component. All certifications will be issued by third-party assessors, and contracts will only be awarded to certified companies. Previously, contract language said companies “shall meet requirements,” but there was no strict verification. Given that the number of contracts is estimated at 350,000, mandating third-party certification is a strong stance and one that will require a great deal of effort to spool up. There is the problem of getting enough assessors to do the certification work, and many companies do not yet have the necessary cybersecurity practices and disciplines in place. According to Under Secretary of Defense for Acquisition and Sustainment Ellen Lord, at the briefing introducing the CMMC on January 31, 2020:
“There are three key takeaways I want everyone to leave here with today. First, cybersecurity risks threaten the defense industry and the national security of both the U.S. government and our allies and partners. Second, it was extremely important to me that we communicate extensively with industry, academia, military services, the Hill and the public, to hear their concerns and suggestions on the CMMC model. Last, today represents an important milestone, but we still have a lot of work to do. We will continue to work very closely with industry associations and the Hill so everyone has a clear understanding of the process, feedback loops and the way ahead.”
The standard can be found at: https://www.acq.osd.mil/cmmc/
How is the CMMC structured?
The CMMC revolves around the concept of “levels”. More detail follows below, but essentially the DoD will mandate that a company comply with a specific “level” of cybersecurity capability and maturity before it can be awarded a contract (many will be required to be “Level 3”).
The CMMC is organized into 17 large topic categories called Domains; each Domain is broken into sub-groups called Capabilities. Each Capability, in turn, has one or more “cybersecurity-related things you should do” called Practices. Another layer of the onion sits back at the Domain level: alongside the list of Practices you must have in place, the CMMC also outlines a requirement for Processes, meaning policies and/or standard operating procedures that demonstrate the institutionalization of an effective cybersecurity program within the organization.
Similar to the overall level requirement for the certification, practices are also broken up into “levels” 1-5. Level 1 includes 17 practices (foundational things you should already be doing, representing the lowest level of capability). Level 2 includes the Level 1 practices plus an additional 55 practices (for a total of 72 practices at Level 2). Level 3 includes all Level 1 and 2 practices and adds another 58, and so on up to Level 5, which includes the full list of practices.
This graph was taken from the official CMMC 1.0 framework document.
The CMMC then introduces something called “Maturity Levels”. There are 5 of these, with 1 being the lowest maturity and 5 the highest (this is not the same as the “level” required to win DoD contracts). Maturity levels measure how well you are doing something, including how sustainable and disciplined your organization is at doing it. Below are a chart and the Maturity Process Progression Figure from the CMMC that detail the different maturity levels:
Maturity level chart (image from the official CMMC framework documents)
Maturity Process Progression Figure (image from the official CMMC framework documents)
The “Level” required to qualify for DoD contracts is a blend of these two concepts, “Practices” and “Maturity Level”. If you want a DoD contract and the DoD mandates that you be “Level 1 Certified”, you must have the list of “Level 1” practices (17 in total) in place and be performing them at Maturity Level 1 or higher. A “Level 2 Certified” organization has all 72 practices in operation and has an established policy in place (or better operational maturity) for each practice, and so on.
| Practices | Required Maturity Level |
| --- | --- |
| Level 1: 17 total | Level 1 (“Performed”) or higher |
| Level 1+2: 72 total | Level 2 (“Documented”) or higher |
| Level 1+2+3: 130 total | Level 3 (“Managed”) or higher |
| Level 1+2+3+4: 156 total | Level 4 (“Reviewed”) or higher |
| All practices: 171 total | Level 5 (“Optimizing”) |
Who needs to be concerned about CMMC?
Anyone who enters into a contract with the DoD must meet CMMC requirements at the level defined in the RFI or RFP. Some examples at each level:
- Level 1 – would include plumbing, flooring, sporting goods, marketing firms, and any company that does work for the DoD and has a very low potential (intentional or accidental) to access CUI
- Level 2 – would include janitorial and printer/copier repair services, and any company that does work for the DoD and has some potential (intentional or accidental) to access CUI, but will not be expected to handle CUI as part of the services it provides
- Levels 3 to 5 – would include organizations that are required to handle CUI. Organizations entering contracts today have already committed to a cybersecurity program based on NIST SP 800-171. Some criteria that will determine what level an organization would need to meet:
- Size and complexity of the organization
- The types of CUI that are handled (highly sensitive information, such as military or critical infrastructure blueprints, or personally identifiable information of personnel)
- The type of access the contractor would have to the environments for which it is providing services
When does it all start happening?
Initially, CMMC will impact only a small selection of organizations in the early phases of the rollout in 2020. Most organizations will need to be prepared for CMMC compliance when their current contract expires or when they enter into new ones between 2020 and 2026. Key milestones include:
- January 2020:
- V 1.0 of the CMMC requirements released
- Kick-off development of program to certify 3rd party auditors known as C3PAOs (CMMC 3rd Party Assessment Organizations)
- CMMC Accreditation Body (CMMC-AB) established
- April 2020 – December 2020: Certification process for C3PAOs
- June 2020:
- Initial requirements in Request for Information (RFI) for 10 contracts
- Defense Acquisition University (DAU) established and providing training
- Third-Party auditors are available to begin CMMC certification assessments
- October 2020: Initial requirements in Request for Proposals (RFPs) for 10 contracts
- 2020 – 2026: pre-CMMC contracts are retired and migrated to contracts with CMMC requirements. All new contracts will contain the CMMC requirements
How is CMMC being enforced?
According to Under Secretary of Defense for Acquisition and Sustainment Ellen Lord, “There’ll be no fines for non-compliance. You just won’t get the contract – or any other contract requiring that particular level of certification. And Pentagon officials will not be allowed to give any company a pass on cybersecurity because they really like the price or product that it’s offering. This is not a trade with cost and schedule and performance. There’s a minimum standard that needs to be met.”
How will companies be certified?
The government will determine the CMMC level that a bidding organization is required to meet. The required level will be stated in sections L & M of the Request for Proposals (RFP), which will specify the CMMC level a bidder must achieve by the time of award. This means that you can bid without yet being certified, but you will need to be compliant before the Pentagon chooses a winner, or you will be ineligible.
Your organization will coordinate directly with an accredited, independent third-party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of certification requested based on its specific business requirements. Certification at the appropriate CMMC level is awarded once your company demonstrates the required capabilities and organizational maturity to the satisfaction of the assessor and certifier.
Who can certify companies as compliant?
An independent third-party assessment organization (C3PAO) will typically perform the assessment. Some of the higher-level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA), or the Defense Counterintelligence and Security Agency (DCSA). There will not be any self-certifications. The CMMC-AB certifies C3PAOs, and companies will be able to schedule CMMC assessments for specific levels through a CMMC marketplace portal.
What should you do first?
The CMMC has two fundamental criteria that all levels share: 1) a third party validates your practices, and 2) you cannot have open Plans of Action & Milestones (POAMs). This means you must be prepared by the time your contract expires or you submit RFP responses under the CMMC requirements. Here is a list of actions you should take sooner rather than later:
- Determine what CMMC Level your organization needs to be at based on today’s contracts. For example, if you are handling CUI and committed to NIST SP 800-171 in your current contract, you will most likely need to be at Level 3 or higher when new contracts are entered into under the CMMC requirements
- Conduct a CMMC Readiness Assessment that includes:
- Documentation (policy, standard, procedure, etc.) reviews
- Practice reviews to ensure that processes are in place and are demonstrated as described in the documentation
- Technology mechanism reviews to validate that technology is implemented and configured to meet CMMC requirements
- Remediate open POAMs and any gaps identified in the CMMC Readiness Assessment
If at any point you have any questions or would like to learn more about the intricacies of CMMC, contact our Cyber Risk Management team here.