The Department of Defense (DoD) has announced a new five-tier standard for cybersecurity certification, which it calls the Cybersecurity Maturity Model Certification, or “CMMC”. Taking an unusual approach to informing industry, the DoD has so far provided only limited information about the new standard, through its website and a “road tour” led by Ms. Katie Arrington, the newly appointed Chief Information Security Officer for Acquisition (CISO(A)) in the Office of the Under Secretary of Defense for Acquisition and Sustainment.
During her recent presentation at the National Institute of Standards and Technology’s (NIST’s) Information Security and Privacy Advisory Board (ISPAB) meeting, on August 8, 2019, Ms. Arrington revealed several new details about the requirements. Outlined below are the most significant facts from that presentation and the DoD’s website:
- All companies doing business with DoD (and all tiers of subcontractors) will need to obtain CMMC certifications.
DoD will require the new certifications from all contractors (including suppliers and subcontractors) that are performing under a DoD contract. Even contractors that do not process or handle Controlled Unclassified Information (CUI) must obtain CMMCs.
DoD’s primary concern is the risk that DoD faces from having its lowest-tier suppliers and subcontractors breached. As a result, prime contractors must obtain proof of these certifications from their subcontractors and suppliers at every tier.
In short, if your company is currently involved in a DoD project or expects to be involved in one in the future, CMMC certification will be mandatory both for your company and for all of your subcontractors and suppliers.
- DoD will require CMMCs by Fall 2020.
DoD is not wasting any time in implementing this standard. The current implementation schedule is aggressive, and affected contractors should prepare to make substantial changes quickly.
In January 2020, DoD will release Version 1.0 of the requirements for CMMC. DoD expects to begin certifying companies shortly thereafter.
In June 2020, DoD expects to begin including CMMC requirements in their Requests for Information (RFIs).
In September 2020, DoD plans to list CMMC as a requirement in Sections L and M of their Requests for Proposals (RFPs). Those RFP sections provide the “instructions, conditions, and notices to offerors or respondents” and “evaluation factors for award” respectively.
- DoD will disqualify companies without CMMC from obtaining awards.
DoD will not be trading off security for either cost or performance. DoD considers cybersecurity to be foundational and it will treat compliance with CMMC as a basic requirement for any award.
DoD does recognize that some projects do not require the highest level of cybersecurity. To address those differences, DoD plans for its staff to determine the appropriate CMMC tier for each DoD contract.
- Contractors will not be able to self-certify themselves as compliant with CMMC requirements. DoD will select a third-party consortium of non-profit organizations to assess and certify contractors.
DoD believes that self-certification of compliance with cybersecurity requirements has not been effective. While many companies certify that they comply with the current requirements, only a few actually meet the standards. For this reason, DoD will only be accepting third-party certifications for CMMC.
DoD expects that a third-party consortium of non-profit organizations will typically manage the CMMC process. However, DoD may continue to perform some of the higher level assessments internally.
Under the new approach, DoD will set the CMMC level required for each contract, and contractors will select the level they need to pursue the work they are after. To obtain certification, a company will then coordinate directly with one of the designated third-party organizations to request and schedule a CMMC assessment at that level.
- The expected cost of obtaining a CMMC certification is unclear.
Because DoD has not yet made its certification requirements public, the expected cost of compliance is unclear. DoD has said, however, that it does not intend for CMMC to be cost-prohibitive. On the contrary, DoD is working to ensure that the standard is cost effective enough that small businesses can achieve the minimum level, CMMC Level 1. DoD has also indicated that the cost, and the associated assessment, will likely scale with the certification level requested.
- DoD will treat the cost of certification as an allowable, reimbursable cost.
Although many practitioners believe that the costs of complying with the Government’s cybersecurity requirements are already allowable, DoD’s explicit acknowledgment of that fact will assist eligible contractors when they seek to recover their CMMC-related costs.
- DoD expects that the third-party certifiers will maintain the CMMC standard for the Department, which will be semi-automated and agile enough to adapt to emerging and evolving cyber threats to the Defense Industrial Base (DIB).
DoD plans for its third-party certifiers to develop and use a semi-automated “tool” to conduct any audits, collect real-time metrics, and inform risk mitigation for the entire supply chain.
In light of the shift in DoD’s focus to real-time metrics and agile standards, contractors may need to prepare to make more frequent and rapid changes to ensure that they maintain their compliance with the standards.
- CMMC will incorporate various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity.
DoD expects the initial version of the CMMC standard to incorporate aspects of the recently released draft NIST SP 800-171B as well. Simply put, DoD is working to ensure that maintaining compliance with the CMMC standard will also satisfy existing cybersecurity standards. Ultimately, CMMC will be a five-tier standard with levels that range from “Basic Cybersecurity Hygiene” to “Advanced.”
- DoD will issue an updated version of its 5000 Series Instructions.
DoD is already rewriting its 5000 Series Instructions to incorporate details about the new standard. The 5000 Series Instructions serve as the DoD’s guide to the policies of the defense acquisition system. The agency expects that the revised version of these Instructions will contain separate cybersecurity and security enclosures.
The most interesting aspect of the CMMC standard lies in what the DoD has not said. In these road-tour presentations, DoD seems to suggest that it plans for CMMC to eventually become the new cybersecurity standard for the other federal agencies as well.
But while DoD has provided no specific details on its plans to implement the standard more broadly, it has also not hidden that goal. DoD’s CMMC website addresses the possibility that the new standard will be applied elsewhere in its Frequently Asked Questions (FAQ) section:
Q: Will other Federal (non DoD) contracts use CMMC?
A: The initial implementation of the CMMC will only be within the DoD.
DoD’s pointed response is telling. The initial implementation is not the entire implementation. Moreover, given the lack of one common cybersecurity requirement in this space, DoD’s CMMC approach could well become the new standard for the federal government overall.
In short, while DoD is currently the only agency that expects to require compliance with CMMC, it may very well not be the last.
Where Does This Leave Contractors?
Because of the limited information that DoD has released so far, specific guidance at this point would be premature. That said, contractors should take any changes to the applicable cybersecurity requirements seriously. Failure to comply with these requirements can result in severe penalties, ranging from suspension and debarment to damages for violations of the False Claims Act (FCA).
Companies should confirm that they are already compliant with the current cybersecurity requirements, or become compliant quickly. DoD contractors in particular should use NIST SP 800-171 and the draft SP 800-171B as their guides. Prime contractors should also make sure that their subcontract agreements give them the flexibility to (1) obtain confirmation that their subcontractors have obtained CMMC certification and (2) require compliance with these standards once they become mandatory. As DoD’s schedule makes clear, that moment could arrive before we know it.