CMMC: What we know and why it matters

On Friday, Jan. 31, the Defense Department released Version 1.0 of its standard for the Cybersecurity Maturity Model Certification program, known as CMMC.

Publishing the standard culminates a year-long process. It is a good beginning, for two reasons.

First, it’s a recognition of broad agreement on the problem: cyber threats to national security are real, and they are growing. Data and intellectual property theft diminishes U.S competitive advantage and puts America at greater risk. More importantly, there is agreement that current responses to those threats are not working well enough. Much more needs to be done, by industry and by the government.

Second, the standard and the processes by which it will be assessed and applied to contracts benefitted from substantial interaction between DoD and industry, including individual companies and the trade associations such as the Professional Services Council that engage on their behalf.

Over four months, the Pentagon released three different draft versions of the standards. Input from industry was incorporated in part by DoD in subsequent drafts of the standards. That pace and level of collaboration is noteworthy.

There are a host of next steps, including the promulgation of a new DoD acquisition regulation covering the application of CMMC certifications in contracts. DoD’s schedule calls for that regulation to be prospectively applicable and to be in place by September of this year.

What does CMMC mean for industry?

Let’s look at what we know. The DoD standard is now set. It goes beyond current acquisition regulations, which require compliance with standards from the National Institute of Standards and Technology.

We know that companies have yet to assess their systems and processes against the new CMMC standard. PSC is advising our member companies to begin their own internal assessment of how well they meet the CMMC Version 1.0 standard. Firms should start now; there is no need to wait.

We also know that the goal of CMMC is to make sure that, at the time of contract award, DoD prime and subcontractors are certified for cybersecurity at specified levels. Current plans state that DoD will require such certificates on selected contracts awarded in calendar year 2021. 

Over time, DoD cybersecurity requirements will apply to all contracts. CMMC coverage will include the range of data that falls under the broad category known as Controlled Unclassified Information, or CUI, for which there remains some ambiguity and inconsistencies today, both in definitions and in contracts. 

How will a company become CMMC certified?

CMMC certificates will be issued for all or part of a company at one of five different levels, on a pass-fail basis. Assessments will certify for the CMMC level against which they were assessed.

DoD owns the standards against which firms will be assessed, but it does not own the assessment or certification process. How will this process work? 

We know that a newly-formed, independent accreditation body has been established. We expect that it will sign a Memorandum of Understanding with DoD. Once that MOU is in place, the accreditation body can accredit assessing organizations, open the process for training assessors and certifiers, and take applications from companies to schedule certifying assessments. 

We anticipate that the assessing organizations themselves will need to be certified, to the level against which they will be assessing others. This could add to the start-up time for certifications to be issued.

DoD officials have stated they will provide the training guidelines for assessors and assessments, along with the initial data repository for all levels of certificates. Once regulations are in place and certificates required, contracting officers can at the time of contract award use the repository to verify CMMC certification levels for contractors and their subcontractors. 

How soon will this start?

We know that DoD plans 10 pilots, or “pathfinder” programs, over the next few months to test processes. This phased implementation plan is likely to produce some improvements that DoD can incorporate as the process expands.

In parallel with those pilots, DoD may begin including this spring or summer the anticipated requirements for CMMC certification levels in RFIs (requests for information from DoD programs to potential contract bidders). This should let companies have an idea of a timeline for when they need to be certified and at what level in time to respond to RFPs (requests for proposals).

What happens next?

There are many additional questions to which we do not yet know the answers, and others of which we have not yet even thought, including:

• What is the capacity and capability for assessing companies and issuing certificates, including who goes first? How fast can that capacity expand?
• How will companies know which assessors are accredited and eligible to assess and certify them? Advertisements are already popping up from firms that claim to be able to help get and keep certificates.
• What training is needed for DoD program and contracting personnel? When will the training begin? How long will it take?
• What is the timing and coverage of the new DoD acquisition regulation?
• How will DoD incorporate CMMC requirements into RFIs, RFPs, and contracts?

For now, what we know is that CMMC is real, it is here, and both DoD and its contractors and subcontractors have a lot of work to do. PSC will continue to stay on top of this and work to help keep you informed.