The Defense Department (DoD) is introducing a new security standard: the Cybersecurity Maturity Model Certification (CMMC). CMMC is DoD’s new verification mechanism, which is designed to ensure adequate cybersecurity processes and controls are in place to protect controlled unclassified information (CUI).
CMMC, taking effect later in 2020, will replace self-attestation to the National Institute of Standards and Technology’s (NIST) Special Publication 800-171 as the mechanism by which DoD verifies contractor cybersecurity. NIST SP 800-171 outlines the security requirements for protecting CUI on contractor systems and remains the basis for much of CMMC. The major differences are that NIST SP 800-171 compliance could be fulfilled through self-attestation and applied one set of requirements to every contractor, whereas CMMC requires independent validation by an accredited assessor and assigns each contract a maturity level that scales with the sensitivity of the information involved.
If businesses want to work with the DoD, there can be many points to consider. With a new framework, the easiest way to approach the upcoming changes is to answer two questions for your organization: What do you need to know? What should you do to prepare?
What do you need to know?
As noted, NIST SP 800-171 compliance could be fulfilled through self-attestation. Unfortunately, this proved insufficient. In a recent audit, eight out of 10 DoD contractors who self-attested to NIST SP 800-171 compliance were found to have deficient cybersecurity controls. CMMC certification can only be validated by accredited third-party assessors, and it is meant to provide assurance of effective, sustainable cybersecurity practices through process institutionalization: the policies, plans, processes and procedures used to manage the environment where the CUI resides.
Some level of CMMC will be required for any organization bidding on a DoD contract, and the federal government will determine what level of certification each organization needs. This will depend on the type of data each organization handles. While organizations will not be able to determine this without an official evaluation, they can get a sense of what level they will need based on the sensitivity of the data.
The government is currently still deciding the process for selecting what levels vendors must have to bid on certain DoD contracts. However, once version 1.0 of the CMMC framework is released in January 2020, vendors will be able to obtain a gap assessment, which will allow them to get a sense of what else they will need to do to achieve their required CMMC level of certification.
The time it takes to complete a certification will depend on the level the vendor must achieve. What matters is less the specific type of data the vendor handles than how critical that data is and how much its compromise could impact the federal government. The more critical the data, the higher the level required.
Level 1, for example, covers the basic cyber hygiene practices already required by the Federal Acquisition Regulation at 48 CFR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). At CMMC Level 2, an organization is expected to establish and document standard operating procedures, policies and strategic plans to guide the implementation of its cybersecurity program, giving the organization greater ability to both protect and sustain its assets. Level 3 is the level most closely aligned with NIST SP 800-171 and is the level expected of organizations that handle CUI. By the time an organization reaches Level 5, it will have a substantial and proactive cybersecurity program.
An assessment for Level 1 or 2 could take approximately a week to complete, but a Level 5 assessment would likely take much longer. These details will become clearer as the government releases further information about the practices required at each level. In the current draft, Level 5 has more than 300 required practices.
The first CMMC requirements will begin appearing in requests for information in June 2020 but will not appear in requests for proposals until September 2020. CMMC will not be immediately required of all DoD vendors; it will be phased in starting in September 2020 as new solicitations are issued. The government has also stated that CMMC will not be imposed on existing contracts but will be applied when those contracts are re-competed. As a result, vendors should expect CMMC to become mandatory for them at the point they bid on a new contract or rebid on an expiring one after September 2020.
What should you do to prepare?
Because there are so many details that still need to be finalized, the best way to start preparing is simply to get familiar with the CMMC framework. The most recent draft, v0.6, was released on Nov. 8, 2019. By learning the requirements for each maturity level and identifying which practices and certifications are already in place, organizations can better understand what they will need to do by the time CMMC requirements begin appearing in solicitations in September 2020.
Organizations can also conduct internal reviews with their security team to ensure they are aware of details relevant to the CMMC process. DoD vendors should review when their contracts are up for renewal and plan to be CMMC compliant at least six months prior to expiration, allowing time to address any identified gaps in security.
Organizations can also review the CMMC checklist scheduled to be released in January 2020. With it, they will be able to determine how much of the new framework they already satisfy and further define the work needed to reach the certification level they will most likely require. Vendors should also ensure that any partners or subcontractors that will handle CUI are preparing for CMMC, since a noncompliant supplier can put the prime contractor's eligibility at risk.
If an organization doing business with the DoD is already compliant with NIST SP 800-171, it is commonly understood that it will have covered most of what CMMC Level 3 requires. Level 3 does add practices beyond NIST SP 800-171, and it also requires that the supporting processes be documented and managed, so some additional work should be expected. For organizations anticipating a Level 4 or 5 requirement, it may be best to engage an advisor to walk through the framework, explain how it compares to NIST SP 800-171 and lay out how best to achieve the necessary requirements.
Ultimately, the best way to prepare for CMMC is to ensure there are no surprises waiting within the organization. By identifying contract renewal dates early, estimating the level of certification likely to be required and becoming familiar with the framework, DoD vendors can ensure a smooth transition to the new CMMC requirements well before they take effect.