CMMC: What we know and why it matters
- By David Berteau
- Feb 12, 2020
On Friday, Jan. 31, the Defense Department released Version 1.0 of its standard for the Cybersecurity Maturity Model Certification program, known as CMMC.
Publishing the standard culminates a year-long process. It is a good beginning, for two reasons.
First, it’s a recognition of broad agreement on the problem: cyber threats to national security are real, and they are growing. Data and intellectual property theft diminishes U.S competitive advantage and puts America at greater risk. More importantly, there is agreement that current responses to those threats are not working well enough. Much more needs to be done, by industry and by the government.
Second, the standard and the processes by which it will be assessed and applied to contracts benefitted from substantial interaction between DoD and industry, including individual companies and the trade associations such as the Professional Services Council that engage on their behalf.
Over four months, the Pentagon released three different draft versions of the standards. Input from industry was incorporated in part by DoD in subsequent drafts of the standards. That pace and level of collaboration is noteworthy.
There are a host of next steps, including the promulgation of a new DoD acquisition regulation covering the application of CMMC certifications in contracts. DoD’s schedule calls for that regulation to be prospectively applicable and to be in place by September of this year.
What does CMMC mean for industry?
Let’s look at what we know. The DoD standard is now set. It goes beyond current acquisition regulations, which require compliance with standards from the National Institute of Standards and Technology.
We know that companies have yet to assess their systems and processes against the new CMMC standard. PSC is advising our member companies to begin their own internal assessment of how well they meet the CMMC Version 1.0 standard. Firms should start now; there is no need to wait.
We also know that the goal of CMMC is to make sure that, at the time of contract award, DoD prime and subcontractors are certified for cybersecurity at specified levels. Current plans state that DoD will require such certificates on selected contracts awarded in calendar year 2021.
Over time, DoD cybersecurity requirements will apply to all contracts. CMMC coverage will include the range of data that falls under the broad category known as Controlled Unclassified Information, or CUI, for which there remains some ambiguity and inconsistencies today, both in definitions and in contracts.
How will a company become CMMC certified?
CMMC certificates will be issued for all or part of a company at one of five different levels, on a pass-fail basis. Assessments will certify for the CMMC level against which they were assessed.
DoD owns the standards against which firms will be assessed, but it does not own the assessment or certification process. How will this process work?
We know that a newly-formed, independent accreditation body has been established. We expect that it will sign a Memorandum of Understanding with DoD. Once that MOU is in place, the accreditation body can accredit assessing organizations, open the process for training assessors and certifiers, and take applications from companies to schedule certifying assessments.
We anticipate that the assessing organizations themselves will need to be certified, to the level against which they will be assessing others. This could add to the start-up time for certifications to be issued.
DoD officials have stated they will provide the training guidelines for assessors and assessments, along with the initial data repository for all levels of certificates. Once regulations are in place and certificates required, contracting officers can at the time of contract award use the repository to verify CMMC certification levels for contractors and their subcontractors.
How soon will this start?
We know that DoD plans 10 pilots, or “pathfinder” programs, over the next few months to test processes. This phased implementation plan is likely to produce some improvements that DoD can incorporate as the process expands.
In parallel with those pilots, DoD may begin including this spring or summer the anticipated requirements for CMMC certification levels in RFIs (requests for information from DoD programs to potential contract bidders). This should let companies have an idea of a timeline for when they need to be certified and at what level in time to respond to RFPs (requests for proposals).
What happens next?
There are many additional questions to which we do not yet know the answers, and others of which we have not yet even thought, including:
- What is the capacity and capability for assessing companies and issuing certificates, including who goes first? How fast can that capacity expand?
- How will companies know which assessors are accredited and eligible to assess and certify them? Advertisements are already popping up from firms that claim to be able to help get and keep certificates.
- What training is needed for DoD program and contracting personnel? When will the training begin? How long will it take?
- What is the timing and coverage of the new DoD acquisition regulation?
- How will DoD incorporate CMMC requirements into RFIs, RFPs, and contracts?
For now, what we know is that CMMC is real, it is here, and both DoD and its contractors and subcontractors have a lot of work to do. PSC will continue to stay on top of this and work to help keep you informed.
Mr. Berteau became the President and Chief Executive Officer of the Professional Services Council (PSC) on March 28, 2016. With more than 400 members, PSC is the premier advocate of and resource for the federal services industry. As CEO, Mr. Berteau focuses on legislative and regulatory issues related to government acquisition, budgets, and requirements by helping to shape public policy, leading strategic coalitions, and working to improve communications between government and industry.
Prior to PSC, Mr. Berteau was confirmed in December 2014 as the Assistant Secretary of Defense for Logistics and Materiel Readiness. He oversaw the management of the $170 billion in Department of Defense logistics.
Previously, Mr. Berteau served as Senior Vice President and Director of the National Security Program on Industry and Resources at the Center for Strategic and International Studies (CSIS). His research and analysis covered national security, management, contracting, logistics, acquisition, and industrial base issues.
Mr. Berteau is a Fellow of the National Academy of Public Administration and has also served as an adjunct professor at Georgetown University and at the Lyndon B. Johnson School of Public Affairs, a Director of the Procurement Round Table, and an Associate at the Robert S. Strauss Center at the University of Texas.
Prior to CSIS, Mr. Berteau was director of national defense and homeland security for Clark & Weinstock, director of Syracuse University's National Security Studies Program and a professor of practice at the Maxwell School of Citizenship and Public Affairs, and senior vice president at Science Applications International Corporation. Before SAIC, he held a variety of positions in the Department of Defense. Throughout his career, he served a total of 14 years at senior levels in the U.S. Defense Department under six defense secretaries.
Mr. Berteau graduated with a B.A. from Tulane University in 1971 and received his master's degree in 1981 from the LBJ School of Public Affairs at the University of Texas.