The Cybersecurity Maturity Model Certification, or CMMC Certification, is the next step in the Department of Defense’s (DoD) efforts to properly secure the Defense Industrial Base (DIB).
The loss of controlled unclassified information (CUI) from the Defense Industrial Base, or DIB (America’s defense contractors), increases the risk to national security. To reduce this risk, the Department of Defense (DoD) has finally created both rules and an auditing mechanism that will ensure the DIB practices good cybersecurity hygiene.
In the past, defense contractors could merely attest to their cybersecurity practices such as those outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171 but that is all about to change.
Starting later this year, aerospace and defense manufacturers will have to prove their cybersecurity practices are strong to bid on future DoD contracts.
What is CMMC and why is it Being Created?
CMMC stands for Cybersecurity Maturity Model Certification. The CMMC will encompass five maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract awards.
DoD is planning to migrate to the new CMMC framework to assess and enhance the cybersecurity posture of the DIB. The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as to protect CUI that resides on the Department’s industry partners’ networks.
More about CUI
We refer frequently to controlled unclassified information but what is it, exactly?
CUI, established by Executive Order 13556, is an umbrella term for all unclassified information that requires safeguarding.
CUI is information the federal government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at https://www.archives.gov/cui and includes organizational index groupings ranging from defense to taxes to natural resources. Contractors who are interested in learning more can find online training to better understand CUI at the following page on the National Archives’ website: https://www.archives.gov/cui/training.html.
When Does CMMC Take Effect?
Members of the DIB who are still asking this question are frankly behind the curve.
The DoD released CMMC Model version 1.0 to the public on January 31, 2020, and has already issued a revision dated March 18th to correct administrative errors identified in the initial release. The itemized list of corrected errata, as well as a more accessible version of the model (i.e. tabular format in Excel), are provided with the release of CMMC Model v1.02.
The Department has made no substantive nor critical changes to the model relative to v1.0. Subsequent updates can be found on this defense department website: https://www.acq.osd.mil/cmmc/updates.html
Now, this does not mean that defense contractors today must already be CMMC certified but it does mean they should start preparing because CMMC certification will start appearing as a requirement in some DoD contracts later this year.
Currently, a new non-profit called the CMMC AB is training auditors, finalizing exams and creating processes for how contractors will become certified. Because CMMC levels 1-3 are composed of requirements under NIST 800-171, however, there is great clarity regarding what DIB members should prepare for.
Comparing CMMC and NIST
What is the relationship between NIST SP 800-171 rev.1 and CMMC?
CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense” and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.
Unlike NIST SP 800-171, however, the CMMC model possesses five levels. Each level consists of practices and processes as well as those specified in lower levels, with levels 4 and 5 being reserved for the small percentage of DIB member companies that deal with the most sensitive systems, information and assets.
In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s institutionalization of cybersecurity processes.
Questions Regarding the Certification Process
So how does an organization become certified?
As mentioned above, The CMMC Accreditation Body (AB), a non-profit, independent organization, is starting to train and accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors.
The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, DIB companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.
What will certification cost – and what if it is too expensive for my company?
The CMMC assessment costs will depend upon several factors to include the CMMC level, the complexity of the DIB company’s network, and other market forces. That said, The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. And keep in mind that for contracts that require CMMC, you will be disqualified from participating if your organization is not certified. Consult with your tax advisor regarding cost reimbursement.
Can my company self-assess?
No – that is the point of this new regime. No longer will defense contractors merely be able to claim their cybersecurity practices were sound – and from what we have seen, they generally were not. Going forward, CMMC certification will be granted only by auditors who have been trained and certified by the CMMC AB.
Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors that have been accredited by the CMMC AB will perform CMMC assessments.
However, contractors are strongly encouraged to complete a self-assessment before scheduling their CMMC assessment – that’s the audit preparation process we here at Cynexlink can help with.
Who sees the results of CMMC audits and how often do we need to be re-assessed?
The results of a CMMC assessment will not be made public. The only information that will be publically available is that your company has a CMMC certification. The specific certification level will NOT be made public. The DoD, however, will have access to all DIB companies’ certification levels.
In general, a CMMC certificate will be valid for 3 years.
CMMC Levels and Bidding
How will companies know what CMMC level is required for a contract?
The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs). A CMMC-certified contractor may bid on contracts that require their certification level or below.
For instance, a company certified to CMMC level 3 can bid on contracts that require certifications at levels 1, 2 or 3 but cannot bid on an RFP requiring level 4.
As a general guideline for preparing now, NIST 800-171 is substantially equivalent to CMMC level 3. Companies that already practice cybersecurity hygiene up to NIST 800-171 can, therefore, feel confident in being able to reach CMMC level 3 certification.
Does an organization that does not handle CUI have to be certified, anyway?
If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.
Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
It should be noted that all of these rules apply both to contractors AND subcontractors.
So long as your company does not solely produce COTS products, it will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowing down from your prime contractor.
How to get certified?
Okay, I understand my company needs to become CMMC certified. What does that process look like?
The reason defense contractors should begin preparing now is that becoming CMMC certified can take 3 or 4 months, depending on which level they need to meet and the current state of their current cybersecurity practices. In general, however, contractors can think of the process in three phases:
Phase 1 – Assessment and Gap Analysis
First, a company must determine which of the 5 CMMC levels it intends to meet, then conduct a gap analysis – where does our cybersecurity hygiene stand today versus where it needs to get to? From there, a roadmap can be created. Contact us if your company needs help in conducting this gap assessment and roadmap.
Phase 2 – Remediation
Once all gaps are identified, fix them before setting a date with an auditor. For all of those issues that are IT-related, Cynexlink can help. Perhaps your company needs to establish multi-factor authentication (MFA) for the first time or has to begin 24/7 security event monitoring. Whatever the network or cybersecurity-related need, Cynexlink has the solution.
Phase 3 – Certification
Now the appointment with the certified auditor can be scheduled. If you have worked with Cynexlink on phases 1 and 2, you can enter this final step in the process with the highest degree of confidence possible.
In the end, CMMC represents a long-overdue evolution in better protecting America’s vital interests as they pertain to national defense. Becoming certified may seem like a daunting task but with proper guidance, this necessary step can be a manageable and cost-effective one for defense contractors of all sizes.