If you are a Department of Defense (DoD) contractor, sub-contractor or supplier, then you need to be aware of the Cybersecurity Maturity Model Certification (CMMC) requirement as it is something that is coming down the pike – quickly!
The CMMC requirement will go into effect in 2020, and if you’re not certified then your company will not be allowed to bid on any DoD-issued RFI/RFPs. This is the first time the DoD has required an independent certification to be performed. Unfortunately, I’m finding that many organizations that are in scope for CMMC are not aware of its existence or requirements – at least not until they are barred from responding to an RFI/RFP.
First, a little backstory. The DoD has been working to improve cybersecurity over the last several years as reports of nation-state sponsored theft of defense secrets surface on a regular basis. After its review, it determined that the biggest source of leaks of sensitive intellectual property is the hundreds of thousands of contractors that have access to sensitive but unclassified information, called Controlled Unclassified Information (CUI).
In order to help protect systems against nation-state attacks and other kinds of hacking, DoD has created this new model to replace the NIST standards that previously defined the expected level of cybersecurity readiness for DoD contractors.
But what if your company contracts with DoD or even just supplies a contractor, and you don’t know much about CMMC?
This can be a real liability – because even though the program isn’t fully formed yet, DoD is indicating that any parties not specifically compliant by this fall will stop being able to complete DoD-related contracts.
The CMMC is currently being developed by the Pentagon with a few target dates announced including:
- The standard was formally released in the 4th quarter of 2019
- The CMMC certification requirement will be included in RFPs in mid-2020
- CMMC will be included in contract requirements in DoD FY 2021
What is new here is that DoD supply chain members will be required to be certified by an independent third party, and that third party itself has to be certified in order to certify DoD supply chain members.
So what do I need to do about CMMC? First, determine whether your organization is in scope. If not, stop reading. If so, you need to perform the pre-CMMC assessment as soon as possible.
1. CMMC applies to everybody!
This is one of the hardest things for the agency to get stakeholders to understand.
The broad nature of the CMMC means that its requirements apply to large DoD contractors as well as any subcontractors or third-party businesses with any involvement in DoD contracts at all. Your firm could be providing services to the agency in amounts that an IRS agent would laugh at, but that still triggers the CMMC requirement. Some experts trying to define CMMC coverage for audiences note that it will “apply to subcontractors as well as primes” and affect “any firm contributing products or services to the DoD supply chain.”
All of the businesses involved in the sector in any way, including the big ones as well as the smaller subcontractors and the third-party vendors with definite links to DoD contracts, need to have the CMMC standards in place at one of several identified levels (which we’ll get into later).
2. No more Self-Assessments
If you relied on self-attestation in the past, that’s all going away. Here’s how Sysarc describes the previous process of self-attestation under NIST 800-171:
“The DoD interprets ‘self-attestation’ as an admission of compliance and ‘implementation’ of NIST SP 800-171 as having a completed Systems Security Plan (SSP) and a Plan-of-Action and Milestones (POA&M) in accordance with NIST SP 800-171.”
Specifically, the self-assessment questionnaire that was previously used is not going to work any longer, and companies will have to undergo an audit (via an approved third-party vendor) in order to attain CMMC compliance. Although the POA&M might have been a tedious task in the past – it was actually a shortcut! Getting an entire audit will require more work. But that’s how DoD is refining the process, to make sure that parties are prepared for cyberwar or other black hat activity.
3. Fines are so 2016
The consequences of failure to secure CMMC compliance are not like what firms may be used to in dealing with other government standards.
In so many cases, from privacy law to consumer law, companies are used to paying fines as a result of failure to adequately comply with industry standards. In some cases, executives make the trade-off deliberately, taking the punitive fine instead of the hard work, effort, and money required to become compliant with a given standard.
CMMC compliance is different because agencies will not be fining violators. Instead, the company will not be able to bid or participate in DoD contracts for a given time period.
This consequence is, in some ways, much more draconian than a fine. It threatens the actual business model of many companies that have been used to participating in DoD contracts. So this item is a very important one to know about when you’re talking about CMMC.
4. CMMC Cost Recovery may be available
Seriously. There have been rumors of financial assistance for companies that need it, including SMBs and subcontractors, and the CMMC FAQ list states: “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.”
5. CMMC covers five levels of cybersecurity hygiene
This is also good news for some firms that may only have a toe in the DoD market.
The CMMC actually provides for five different levels of compliance, with multiple progressive standards at each level. DoD has specified that any party failing to meet any one standard or control for a given level will be certified at the level below it.
This means that some firms may be able to get by with a level 1 or a level 2, where larger and more capable firms will achieve the “advanced” standards of level 5.
The idea, expounded on by DoD staff, is that the levels reflect the relative amount of CUI that a firm possesses or has access to. So if your company is only a subcontractor with passing access to DoD data, a lower level may be a better fit. By offering the scale, DoD is offering a lower bar to less equipped businesses. The required CMMC level is RFI/RFP-specific, so each issuance will state the minimum acceptable CMMC level in order to bid.
6. CMMC provides a purposeful reaction to specific threats
DoD officials have described CMMC as “a framework aimed at… assessing and enhancing the cybersecurity posture of the defense industrial base … as it relates to CUI within the supply chain.”
The concept of a CMMC framework, insiders explain, emerged after a series of high-profile breaches of DoD information rocked the agency. DoD had to reconsider its reliance on the security controls in NIST 800-171, particularly as concerns about international cyberwar keep heightening. That’s the rationale behind this enhanced process – they didn’t do it just to stress out their suppliers!
7. CMMC may spread to other agencies
Experts point out that certain language in the CMMC proposal suggests that it could be rolled out to non-defense agencies in the future. For now, it’s just DoD, but again, this covers any business that deals in DoD-related CUI, even just a little bit!
Integration Partners can help clients to get started with CMMC certification and compliance. Fill out the form below to learn how we can help.