5 things defense contractors need to know about CMMC

Compliance with the Cybersecurity Maturity Model Certification is coming in 2020. Here is what you need to know to get ready.

The Department of Defense recently announced that contractors who provide products and services for the defense supply chain will be required to comply with the Cybersecurity Maturity Model Certification (CMMC) process beginning in 2020. This new security standard is designed to ensure that contractors have appropriate security measures in place and begin prioritizing security with the same weight as quality and safety. Because CMMC compliance will be critical to winning business with the Pentagon, DoD contractors need to understand what CMMC is all about.

CMMC Certification Levels and Controls

Representing a unified cybersecurity standard for DoD contractors, CMMC combines a selection of security controls from NIST SP 800-171A, SP 800-171B and potentially other frameworks such as NIST SP 800-53 and ISO 27001. CMMC compliance will be certified by third-party auditors, rather than through self-certification as was allowed for NIST SP 800-171. To address the range of DoD contractors, CMMC comprises five levels of cybersecurity, ranging from basic cyber hygiene at Level One to advanced security operations at Level Five for highly sensitive defense assets.

[Figure: CMMC pyramid]

CMMC’s risk-based framework allows a more nuanced application of DoD cyber defense requirements based on the amount of Controlled Unclassified Information (CUI) being handled or processed.

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, has stated, “If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1 percent of [Defense Industrial Base (DIB)] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”

Choosing the appropriate CMMC level is critical and all defense contractors must achieve at least Level One certification. Contractors failing to meet any item required for a level certification will be certified at the level below it. For example, failure to meet all required security controls for Level Three would result in a certification for Level Two, effectively barring a contractor from bidding on an RFP with Level Three or higher specified in Sections L and M.

CMMC Third-Party Audits

Under previous NIST SP 800-171 regulations, DoD contractors had the option to self-certify. Any security gaps that were identified were noted in a Plan of Actions and Milestones (POA&M), allowing a contractor to continue to provide products and services without achieving compliance with all 110 security controls. With CMMC, self-certification is no longer an option. In addition, POA&Ms are no longer allowed, which means contractors have to address weaknesses in order to achieve compliance and certification. The DoD plans to engage a non-profit organization to certify third-party auditors in late 2019. Once CMMC auditors are certified, they will be responsible for conducting third-party assessments of DoD contractors beginning in mid-2020.

CMMC Timeline

DoD is moving quickly to roll out CMMC. The current timeline indicates that contractors will need to be certified by late 2020 in order to bid on contracts. To prepare, contractors need to determine as soon as possible where they stand on the NIST 800-171 controls and which CMMC level they want to achieve. CMMC requirements might encompass controls from other frameworks, such as NIST 800-53 and ISO, but the 800-171A and 800-171B controls make up the core and are thus a good starting point. Even a relatively short delay may jeopardize achieving CMMC certification by the deadlines set by the DoD or those established by your internal business development team.

Important CMMC dates include:

[Figure: CMMC pyramid]

Budget Concerns for CMMC

Recognizing that the cost of implementing security controls represents a barrier for small and even mid-sized defense contractors, DoD and other federal and state agencies are considering how to provide financial assistance for some CMMC compliance and certification costs. Several financial support resources targeting small and mid-sized DoD contractors have been discussed or announced.

Kevin Fahey, the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment, gave permission to Katie Arrington to inform DoD vendors that security is an allowable cost.

The Small Business Cybersecurity Assistance Act, recently introduced in the Senate by Marco Rubio (R-FL) and Gary Peters (D-MI), would provide cybersecurity education to SMBs at Small Business Development Centers (SBDCs) that are funded by Small Business Administration (SBA) grants.

Some states offer cybersecurity assistance programs for small businesses. These programs are typically coordinated through the state’s Manufacturing Extension Partnership Program (MEP). For example, Maryland’s program covers 75 percent of remediation costs up to $10,000, based on the results of a gap analysis.

CMMC Expertise and Tools

Effective CMMC compliance efforts require access to security control expertise and easy-to-use compliance tools to organize and track progress. Failure to plan and coordinate compliance efforts can result in excessive costs, distractions to core business, and lost revenue opportunities. Coordinating with contract, business development, and solution teams early in the process results in a smoother path to CMMC compliance.

DoD contractors without access to in-house NIST compliance experts can engage the help of a virtual compliance officer (vCO). An experienced NIST vCO can help contractors determine which CMMC levels are appropriate, decipher the security control requirements, and understand specific control implementation for development and production environments, as necessary.

CMMC compliance efforts can be more effectively managed with cloud-based compliance software that provides CMMC controls, policy management, evidence management, and tracking. Since CMMC compliance includes external assessments and spot audits, DoD contractors can streamline CMMC efforts with a solution that supports secure role-based access for staff, external advisors and third-party assessors.

Summary

DoD’s CMMC cyber compliance program rolls out in January 2020, and all defense contractors need to prepare. DoD contractors can take proactive steps to minimize the time and effort required for CMMC compliance by staying up to date on the latest developments, whether by visiting DoD’s site or by subscribing to periodic alerts on NIST 800-171 and CMMC developments. By understanding CMMC requirements and levels, taking advantage of cyber assistance programs, engaging guidance from compliance experts, and leveraging a cloud-based compliance application, small and mid-sized contractors can become CMMC compliant with fewer disruptions and less cost.
