On Jan. 31, the Department of Defense (DoD) released version 1.0 of its Cybersecurity Maturity Model Certification (CMMC) framework, which will require third-party cyber audits for the 300,000+ companies that provide products and services to the department. If you are a defense contractor or subcontractor, the CMMC will apply to you.
Furthermore, despite the recent tumult precipitated by the spread of COVID-19, the Pentagon has made clear that the CMMC rollout is a critical priority.
What does this mean for your business? Let’s take a look:
First, some background. Following a series of high-profile breaches and security leaks, cybersecurity has emerged as a top priority for our nation’s supply chain. The CMMC was created to combat advanced persistent threats (APTs) perpetrated by increasingly sophisticated actors. The stakes are highest for members of the defense industrial base (DIB – i.e., DoD contractors), where security vulnerabilities aren’t just organizational threats; they may compromise our national security. In response, the DoD has issued the CMMC.
So, what is the CMMC? The CMMC is a certification process that measures a DoD contractor’s ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Unlike previous models, contractors cannot self-certify their compliance with the CMMC. Instead, contractors and their subcontractors will need to pass a CMMC audit conducted by an independent third party before bidding on new contracts.
What does the CMMC require and is it retroactive? Version 1.0 of the CMMC requires DoD contractors to obtain a rating, from Level 1 through Level 5, measuring cybersecurity maturity across 17 domain areas. Level 1 certification involves 17 basic cyber hygiene practices, such as implementing antivirus software and regularly updating passwords. At the other end, Level 5 covers 171 practices as well as accompanying capabilities and processes. Each level builds on the previous one, adding more cybersecurity capabilities, practices and processes for contractors to follow. Level 3 is roughly equivalent to the National Institute of Standards and Technology’s (NIST) existing SP 800-171, while Levels 4 and 5 add further proactive and advanced cybersecurity practices.
Contractors will be able to identify the CMMC level required for a contract in RFP sections L and M and use that as “qualification-to-bid” criteria in the proposal process. This assures the DoD that a contractor and its subcontractors can adequately protect FCI and CUI at a level commensurate with a given project.
The requirements will not be retroactive to current contracts.
How will this apply to subcontractors? The CMMC applies to DoD subcontractors. However, the level required of a contractor won't necessarily apply to a subcontractor on the same contract. Instead, it will depend on that subcontractor's role and the information it needs from the prime contractor. Defense contractors and subcontractors at all levels will need a certification, as adversaries often target lower-tier suppliers rather than more sophisticated primes – making compliance at all links in the supply chain necessary.
Explain the third-party certification requirement. Third-party CMMC verification is required and, according to the DoD, a certification will last for three years. Third-party assessors haven’t been selected yet, but the accreditation body formed to oversee the training and administration of the assessors is moving quickly.
Critical dates. CMMC requirements are slated for inclusion in some requests for information beginning June 2020, with corresponding contract solicitations following in September. The number of DoD contracts with accompanying CMMC requirements will only increase over time, and all new contracts will include a minimum cybersecurity requirement by fiscal year 2026.
Preparing for an audit and getting certified. DoD contractors are strongly advised to learn as much as possible about the CMMC to proactively prepare and ensure readiness. One resource to tap is the CMMC Accreditation Body, which is conducting a series of webinars designed to help contractors and prospective auditors familiarize themselves with the new requirements.
It is also highly recommended that contractors conduct a CMMC self-assessment using the published requirements or, for a more user-friendly version, using an online assessment tool. This allows contractors to easily identify gaps and implement remedial measures.
As you embark upon this journey, it’s worth ensuring that you maintain a strong repository of clear and easily accessible documentation, as your next step will be to engage a third-party assessor and seek certification. This will streamline the audit process and help keep your costs down.
You know the old idiom, “the early bird catches the worm”? Well, it rings true in this scenario. Don’t get left behind – start taking steps now to ready your business for these new requirements, and you won’t find yourself scrambling this summer. Early preparation not only helps you stay ahead of the competition; it can help limit the risk to our nation’s supply chain and better protect our national security.
Melissa Koch is cofounder and chief executive of InFront Compliance, which provides online compliance assessment and reporting tools built to reduce risk in our nation’s supply chain.