What Should Defense Contractors, Subcontractors, and Suppliers Consider as CMMC Implementation Begins?
Malicious cyber activities by state and non-state actors threaten the defense industrial base and have become an ever-increasing threat to our national security. As a result, the Department of Defense (DoD) has updated and augmented cyber compliance obligations throughout its supply chain. Most recently, on January 30, 2020, DoD released version 1 of the Cybersecurity Maturity Model Certification (CMMC v.1). When fully implemented, DoD’s CMMC framework will put in place a unified standard to audit and certify the ability of DoD contractors, subcontractors, and suppliers to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The impact of CMMC will be extensive. Essentially, all DoD contractors, subcontractors, and suppliers will need to obtain CMMC. Self-certification will not be permitted, instead DoD contractors will be required to undergo review by a third-party assessing entity if they want to do business with the DoD. To meet this new compliance challenge, contractors must familiarize themselves with the CMMC framework and prepare for full implementation throughout 2020.
The following is a timeline of significant milestones in the rollout of CMMC and related compliance recommendations:
February and Spring 2020:
- Study the CMMC v.1, including Appendices, which presents the model in a matrix form that includes the applicable standards for each CMMC level, organized by domain.
- Determine in-house and external resources to achieve CMMC at appropriate level.
- Monitor the activities of the CMMC Accreditation Body, which was formed in January to develop training for the third-party assessment organizations that will evaluate companies for CMMC.
- Self-audit against the appropriate CMMC level in the CMMC v.1 Appendix A.
- Initiate discussions with subcontractors and suppliers regarding CMMC compliance.
- Analyze requirements of Requests for Information that include CMMC requirements.
- If available, review results of pathfinder beta testing, which will begin with a group of defense industry base companies going through a CMMC assessment.
- Review and comment on the proposed rule incorporating the CMMC into the DFARS.
What Information is Covered?
FCI is information, not intended for public release, which is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. CUI is unclassified (e.g. not Secret or Top Secret) information requiring protection as identified in a law, regulation, or government-wide policy. Examples of CUI include privacy (including health), tax, law enforcement, critical infrastructure, and controlled technical information, as well as unclassified nuclear and certain procurement-sensitive information. Ideally, this information is clearly marked with the appropriate legend such as a DoD Distribution Statement or an export control legend. However, companies should not merely rely on markings or the absence of markings when determining what information to protect.
How are CMMC Levels 1 to 5 Differentiated?
Drawing on established cybersecurity standards from a variety of nations and institutions, CMMC v.1 organizes cyber practices and processes into 17 different domains, representing security areas such as access control, identification and authentication, and incident response. Each domain has a set of associated capabilities, or task areas, with corresponding cyber practices organized into five levels ranging from basic cyber hygiene processes to advanced/progressive cyber hygiene processes. The standards at each level draw from Federal Acquisition Regulation (FAR) clause 52.204-21 (Level 1) and Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requirements as well as other technical documents such as the U.K. National Cyber Security Centre (NCSC) Cyber Essentials document. The Government will determine the appropriate CMMC level that will be required for each contract, which will be specified in sections L & M of future Requests for Proposals (RFPs).
To achieve a specific CMMC level, an organization must meet the practices and processes within that level and below. The CMMC levels are as follows:
Level 1, “Basic Cyber Hygiene” Practices and “Performed” Processes
Level 1 is focused on the basic safeguarding of FCI, and corresponds to the requirements of FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. That clause lists 15 basic safeguarding requirements for contractor information systems to protect FCI such as controlling/limiting system access and connections, user and device identification and authentication prior to access, physical access controls to equipment, visitor access control, malicious code protections, and system scans. A company will be required to demonstrate that it performs the practices specified in FAR 52.204-21. Level 1 practices are foundational and required for all higher CMMC levels.
Level 2, “Intermediate Cyber Hygiene” Practices and “Documented” Processes
Level 2 certification is considered to be a transitional step between Level 1 and Level 3. This level requires that a company accurately document and implement its practices and policies for CMMC compliance. Level 2 draws from a subset of the requirements contained in revision 1 to NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, also incorporated by reference into defense contracts through DFARS 252.204-7012. As well as the select requirements from the DFARS rule, Level 2 includes seven additional requirements, for a total of 55 more cyber hygiene practices than required by Level 1.
Level 3, “Good Cyber Hygiene” Practices and “Managed” Processes
Level 3 certification is focused on the protection of CUI in contract performance. Level 3, described as “good cyber hygiene,” requires implementation of all of the security requirements specified in NIST SP 800-171 rev. 1 and full compliance with the requirements of DFARS 252.204-7012, including incident reporting. In addition to 20 other practices, Level 3 has 58 more requirements than Level 2. To achieve Level 3, a company must demonstrate a plan to manage specific activities to fulfill those requirements.
Level 4, “Proactive” Practices and “Reviewed” Processes
Level 4 introduces 26 “proactive” cyber practices to protect CUI from Advanced Persistent Threats (APTs). APTs are malicious actors that possess sophisticated levels of expertise, have significant resources, and employ multiple attack vectors (e.g., cyber, physical, and deception). To protect from APTs, Level 4 requires implementation of a subset of the enhanced security requirements from Draft NIST SP 800-171B and other cyber best practices. To achieve Level 4, a company must review and measure the effectiveness of its practices, take corrective action when needed, and inform upper management on a recurring basis.
Level 5, “Advanced/Progressive” Practices and “Optimizing” Processes Like the preceding level, Level 5 focuses on the protection of CUI from APTs, but with 15 additional practices to increase the depth and sophistication of cybersecurity capabilities. Level 5 entities must standardize and “optimize” cybersecurity process implementation.
What is the Implementation Timeline for the CMMC?
DoD is pursuing an aggressive implementation timeline for CMMC. Although full implementation is expected to be gradually rolled out over the next five years, DoD has a goal of soliciting and awarding contracts containing CMMC requirements this year. To that end, DoD intends to include CMMC requirements in Requests for Information (RFIs) beginning June 2020. DoD also aims to have 1,500 CMMC-certified contractors by FY 2021 and 48,000 by FY 2025. Additionally, DoD intends to issue a proposed rule–finalized by this fall—that would incorporate the CMMC requirements into the DFARS. However, existing contracts will not be modified to include CMMC requirements.
The third-party, non-profit CMMC Accreditation Body was formed in January and has appointed a board of directors. The Accreditation Body will be responsible for accreditation, certification, and training third-party assessors. The Accreditation Body intends to execute a memorandum of understanding with the DoD this month; “CMMC 101” training could also be released as early as this month. Given the imminence of CMMC developments, it is critical that contractors monitor the activities and progress of the Accreditation Body.
The audit process is expected to take some time. DoD has indicated that it will provide priority audit access to contractors that intend to bid on the early contracts that include CMMC requirements.
What Should Contractors, Subcontractors and Suppliers Do to Prepare for CMMC?
CMMC certification issues could present a significant compliance challenge for federal contractors. Contractors should prepare internal teams to monitor the activities of the CMMC Accreditation Body, particularly the process of obtaining certification, and review RFPs for possible CMMC requirements. A rigorous self-examination of compliance with the processes and practices set forth in the CMMC is also critical. This could build upon the self-examination conducted recently regarding the NIST 800-171 controls incorporated through the DFARS cyber security cloud.
Finally, managing the impact of CMMC on lower-tier partners will also be necessary. Higher-tier contractors and subcontractors should prepare their supply chains now to avoid supply disruptions should the CMMC requirement apply to the portions of the contract that those lower-tier subcontractors perform.