5 things defense contractors need to know about CMMC
- By Chor-Ching Fan, David Trout
- Nov 14, 2019
The Department of Defense recently announced that contractors who provide products and services for the defense supply chain will be required to comply with the Cybersecurity Maturity Model Certification (CMMC) process beginning in 2020. This new security standard is designed to ensure that contractors have appropriate security measures in place and begin prioritizing security on an equal footing with quality and safety. Because CMMC compliance will be critical to winning business with the Pentagon, DoD contractors need to understand what CMMC is all about.
CMMC Certification Levels and Controls
Representing a unified cybersecurity standard for DoD contractors, CMMC combines a selection of security controls from NIST SP 800-171A, SP 800-171B and potentially other frameworks such as NIST SP 800-53 and ISO 27001. CMMC compliance will be certified by third-party auditors, rather than through the self-certification that was allowed under NIST SP 800-171. To address the range of DoD contractors, CMMC comprises five levels of cybersecurity, ranging from basic cyber hygiene at Level One to advanced security operations at Level Five for highly sensitive defense assets.
CMMC’s risk-based framework allows a more nuanced application of DoD cyber defense requirements based on the amount of Controlled Unclassified Information (CUI) being handled or processed.
Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, has stated, “If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1 percent of [Defense Industrial Base (DIB)] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”
Choosing the appropriate CMMC level is critical, and all defense contractors must achieve at least Level One certification. A contractor that fails to meet any item required for a given level will be certified at the level below it. For example, failing to meet all of the security controls required for Level Three results in a Level Two certification, which effectively bars the contractor from bidding on any RFP that specifies Level Three or higher in Sections L and M.
CMMC Third-Party Audits
Under previous NIST SP 800-171 regulations, DoD contractors had the option to self-certify. Any security gaps that were identified were noted in a Plan of Actions and Milestones (POA&M), allowing a contractor to continue to provide products and services without achieving compliance with all 110 security controls. With CMMC, self-certification is no longer an option. In addition, POA&Ms are no longer allowed, which means contractors have to address weaknesses in order to achieve compliance and certification. The DoD plans to engage a non-profit organization to certify third-party auditors in late 2019. Once CMMC auditors are certified, they will be responsible for conducting third-party assessments of DoD contractors beginning in mid-2020.
DoD is moving quickly to roll out CMMC. The current timeline indicates that contractors will need to be certified by late 2020 in order to bid on contracts. To prepare, contractors should determine as soon as possible where they stand against the NIST 800-171 controls and which CMMC level they want to achieve. CMMC requirements may draw on controls from other frameworks (e.g., NIST 800-53, ISO 27001), but the 800-171A and 800-171B controls make up the core and are therefore the right starting point. Even a relatively short delay may jeopardize achieving CMMC certification by the deadlines set by DoD or by your internal business development team.
Important CMMC dates mentioned in this article include:
- Late 2019: DoD engages a non-profit organization to certify third-party CMMC auditors.
- January 2020: the CMMC program rolls out.
- Mid-2020: certified third-party auditors begin assessing DoD contractors.
- Late 2020: contractors need to be certified in order to bid on contracts.
Budget Concerns for CMMC
Recognizing that the cost of implementing security controls is a barrier for small and even mid-sized defense contractors, DoD and other federal and state agencies are considering how to provide financial assistance for some CMMC compliance and certification costs. Several financial support resources targeting small and mid-sized DoD contractors have been discussed or announced.
Kevin Fahey, the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment, gave permission to Katie Arrington to inform DoD vendors that security is an allowable cost.
The Small Business Cybersecurity Assistance Act, recently introduced in the Senate by Marco Rubio (R-FL) and Gary Peters (D-MI), would provide cybersecurity education to SMBs at Small Business Development Centers (SBDCs) that are funded by Small Business Administration (SBA) grants.
Some states offer cybersecurity assistance programs for small businesses. These programs are typically coordinated through the state’s Manufacturing Extension Partnership Program (MEP). For example, Maryland’s program covers 75 percent of remediation costs up to $10,000, based on the results of a gap analysis.
CMMC Expertise and Tools
Effective CMMC compliance efforts require access to security control expertise and easy-to-use compliance tools to organize and track progress. Failure to plan and coordinate compliance efforts can result in excessive costs, distractions to core business, and lost revenue opportunities. Coordinating with contract, business development, and solution teams early in the process results in a smoother path to CMMC compliance.
DoD contractors without access to in-house NIST compliance experts can engage the help of a virtual compliance officer (vCO). An experienced NIST vCO can help contractors determine which CMMC levels are appropriate, decipher the security control requirements, and understand specific control implementation for development and production environments, as necessary.
CMMC compliance efforts can be more effectively managed with cloud-based compliance software that provides CMMC controls, policy management, evidence management, and tracking. Since CMMC compliance includes external assessments and spot audits, DoD contractors can streamline CMMC efforts with a solution that supports secure role-based access for staff, external advisors and third-party assessors.
DoD’s CMMC cyber compliance program rolls out in January 2020, and all defense contractors need to prepare. Contractors can minimize the time and effort required for CMMC compliance by staying up to date on the latest developments, either by visiting DoD’s CMMC site or by subscribing to periodic alerts on NIST 800-171 and CMMC developments. By understanding CMMC requirements and levels, taking advantage of cyber assistance programs, engaging guidance from compliance experts, and leveraging a cloud-based compliance application, small and mid-sized contractors can become CMMC compliant with fewer disruptions and less cost.
Chor-Ching Fan is the president and CEO of Rizkly, a firm that helps companies achieve and demonstrate compliance with industry-mandated cybersecurity and privacy standards. He has over 20 years of experience helping companies manage global supply chain processes and harness disparate data to improve decision-making. His software product management experience spans global SaaS products for B2B data integration, governance and risk analytics, and self-service cloud analytics. https://www.rizkly.com/
David Trout is the chief strategy and business development officer for Rizkly, a firm that helps companies comply with industry-mandated cybersecurity and privacy standards. He has over 20 years of experience helping companies achieve enhanced security posture and compliance with industry standards such as NIST, SOC and FedRAMP. He is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM).