This whitepaper provides strategic insight on the Department of Defense’s Cybersecurity Maturity Model Certification and how it could impact your business.
The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) and the compliance challenges it presents are perhaps the hottest topics in government contracting right now. In this overview, River Run, a leader in IT and Cybersecurity services and consulting for manufacturers and government contractors, looks at the rationale behind CMMC, where it stands today, and the potentially far-reaching implications for entities that do business with the Department of Defense (DoD).
Why CMMC and Why Now?
The Department of Defense is deeply concerned about cybersecurity and has made protecting the DoD supply chain from cyberattack a top priority. The agency believes the traditional measures of contractor performance — cost, schedule, and quality — are only effective and applicable in a secure environment. Through the CMMC framework, DoD is telling defense contractors that security is paramount, and they must meet certain cybersecurity standards in order to work for DoD in the future.
The CMMC is the next step in an iterative process that began several years ago. To address the need for improved cybersecurity amid increasingly insidious threats, the DoD directed the Defense Industrial Base of government contractors to adopt stronger cybersecurity practices in the form of the NIST 800-171 standard, giving them a target date of Dec. 31, 2017, to come into full compliance with the standard. Compliance was to be based on a self-assessment by each contractor itself. The standard lacked any mechanism for third-party validation of the contractor’s self-assessment, as well as any way to track how a contractor was responding to areas of concern identified in its System Security Plan. The December 2017 deadline passed with only partial adoption among the Defense Industrial Base and a very uncertain compliance status.
The limited success of the NIST 800-171 cyber initiative prompted the DoD to seek another way to ensure an appropriate level of cybersecurity and document contractor status in a manner readily visible to contracting officers. The resulting Cybersecurity Maturity Model Certification unveiled by DoD in 2019 provided a new compliance framework for cybersecurity for DoD acquisitions. The model is similar to management maturity models used by other entities inside and outside the government, with five levels that describe the maturity of a government contractor’s cybersecurity practices and processes. Version 1.02 of CMMC was released on December 20, 2020.
In sharing her thoughts on the genesis of CMMC, Katie Arrington, Chief Information Security Officer (CISO) for the Assistant Secretary for Defense Acquisition, said, “The U.S. is losing $600 billion a year to our adversaries in exfiltration, data theft, and R&D loss. If we were able to institute good cyber hygiene and we were able to reduce, let’s just say email phishing schemes by 10%, think of the amount of money that we could save to truly reinvest back into our partners in the industrial base that we need to stay on the competitive edge. And the only way that we saw fit to do this was to create this CMMC so we can ensure that we are doing everything we can do to buy down the risk of our adversaries stealing our hard work.”
A close reading of the CMMC standard, public comments by the Office of the Under Secretary of Defense for Acquisition & Sustainment, and the CMMC website provide valuable insight into the intent and implementation of the CMMC, including the specific maturity levels by which government contractors will be categorized. The five maturity levels (shown below) range from Basic Cyber Hygiene at Level 1 to Advanced/Progressive Cyber Hygiene at Level 5. Any company handling Controlled Unclassified Information (CUI) will be required at a minimum to meet the requirements of Level 3, Good Cyber Hygiene. It is anticipated that 30% of government contractors will be required to meet the Level 3 requirements, with less than 1% of contractors expected to be held to the requirements of either Level 4 or Level 5.
A Cybersecurity Model for Manufacturers & DoD Contractors in Five Levels
To be deemed compliant with Level 3, a government contractor must implement and maintain all 110 of the controls specified in the NIST 800-171 standard, along with 20 additional controls. Those 130 controls for Level 3, along with requirements for other levels, are listed in the CMMC model. While NIST 800-171 provides a foundation for Level 3 of CMMC, CMMC introduces multiple additional levels of cybersecurity into the DoD’s evaluation of contractors. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, CMMC also will assess the company’s institutionalization of cybersecurity practices and processes, as shown in the diagram.
Implications for Manufacturers and DoD Contractors
Implementation of CMMC is expected to impact a broad range of entities that do business with the DoD. Here’s a look at seven areas in which those entities are likely to be affected by the new policy:
- All government contractors working with the DoD will need to become CMMC-certified by passing an independent CMMC audit to verify they have met the appropriate level of cybersecurity for their business. The CMMC level required will be specified for each procurement in its solicitation.
- The government contractor will be required to meet the appropriate certification level at the time of contract award.
- Prime contractors must flow down the appropriate CMMC requirement to the subcontractors they intend to use for a specific contract. Verification of the status of the subcontractors’ certifications will also be the responsibility of the Prime contractor.
- The DoD contracting officer will determine the appropriate CMMC level for the contracts they award and administer. Not all contracts require the highest level of security, and the level required for a particular contract will be specified in Sections L and M of the solicitation and the resulting contract.
- During the CMMC Pilot Program, the inclusion of a CMMC requirement in any solicitation will require the approval of the OUSD for Acquisition and Sustainment.
- The cost of preparing for a CMMC audit and becoming certified will be an “allowable cost” to government contracts. While DCAA has not issued specific guidance yet, it is the opinion of most experts in accounting and compliance that the cost will almost certainly be an indirect cost, probably G&A. Audits will be performed by an independent CMMC Third-Party Assessment Organization (C3PAO) that has been accredited by the CMMC Accreditation Body.
- The CMMC Accreditation Body is an independent not-for-profit organization that is responsible for training and certifying independent C3PAO auditors.
Timeline of CMMC Milestones
Here’s a look at notable dates and expected timing for implementing and complying with CMMC:
Fourth quarter 2020:
Version 1.02 of the Cybersecurity Maturity Model Certification description was published on December 20, 2020.
First quarter 2021:
- By the end of Q1 of Calendar 2021, the CMMC AB is expected to issue training materials for CMMC Levels 1, 2 and 3.
Second quarter 2021:
- DoD has stated that only 15 solicitations in 2021 will contain the CMMC requirement. To date, only seven have been identified and it is possible they will be the only ones:
- Integrated Common Processor
- F/A-18E/F Mod of the Secondary Bleed Air Regulator/Shut-Off Valve
- Yard Services for the Arleigh Burke Class Destroyer
- Air Force
- Mobility Air Force Tactical Data Links
- Consolidated Broadband Global Area Network Follow-On
- Azure Cloud Solution
- Missile Defense Agency
- Technical Advisory and Assistance Contract
2022 and beyond:
- DoD has stated they plan to include the CMMC requirement in 75 solicitations in 2022, 250 in 2023, 325 in 2024, and 475 in 2025.
- Pentagon Acquisition Chief Ellen Lord has said that ALL new DoD contracts beginning in FY 2026 will have the requirement. In preparation for the phased rollout, DoD expects third-party assessors to certify about 1,500 vendors in 2021; 7,500 more in 2022; and 25,000 more by 2023.
Assisting You with Your Organization’s Compliance Needs
With manufacturers and government contractors facing a new regulatory reality in which they will be evaluated for CMMC compliance by an independent, sanctioned third-party auditor, River Run stands ready to support your efforts to comply with CMMC. River Run’s R-Security portfolio and CIO services support relevant technical requirements within the new model related to multi-factor authentication, identification and access controls, data encryption, and more. Our CIO and Technical Services teams have been diligent about keeping abreast of new DoD policies. We have taken the necessary steps to ensure that our processes and procedures are properly aligned with CMMC and NIST 800-171 standards.
For information on how River Run can support and simplify your company’s compliance with Federal government requirements, visit us at www.river-run.com or call Michael Barrett, River Run’s CTO, at (414) 228-7474.
Share this article