[co-author: Mariah Leffingell]
The Cybersecurity Maturity Model Certification (“CMMC”) is the Department of Defense’s (“DoD”) latest verification mechanism, designed to ensure that cybersecurity controls and processes adequately protect controlled unclassified information residing on the systems and networks of DoD contractors. The CMMC is a collaboration among DoD stakeholders, University Affiliated Research Centers, Federally Funded Research and Development Centers, and the Defense Industrial Base (“DIB”) sector. The CMMC program requires all DoD contractors to obtain an independent certification confirming that they have sufficiently implemented the required cybersecurity controls; no waivers are envisioned.
The CMMC was set to be implemented as of July 1, 2020. This deadline was viewed as ambitious even before the COVID-19 pandemic, and questions have since emerged as to whether it would still stand. The DoD answered those concerns last week: on March 26, 2020, the DoD announced that COVID-19 will not delay implementation of the CMMC on contracts beginning July 1, 2020.
In preparation for implementation, the Office of the Under Secretary of Defense for Acquisition and Sustainment (“OUSD(A&S)”) released version 1.0 of the CMMC on January 31, 2020, so that contractors could begin preparing for compliance even though the CMMC is formally still considered a draft.
Broadly speaking, the CMMC aligns a set of processes and practices with the type and sensitivity of the information to be protected and the associated range of threats. The CMMC model was derived from cybersecurity best practices drawn from multiple cybersecurity standards, frameworks, and other references, together with input from interested communities. The CMMC adds a certification element to verify the implementation of those practices and processes, resulting in the achievement of a cybersecurity maturity level. To quantify compliance and adoption of these processes and practices, the CMMC includes a certification process that measures maturity across five levels.
The CMMC model framework organizes the processes and practices derived from the sources noted above into a set of domains and maps them across the five maturity levels. Additional structure is added through a set of capabilities that support the practices within each domain. The CMMC levels are cumulative: for an organization to achieve a specific CMMC level, it must also have achieved every preceding level. To be certified at any level, the organization must demonstrate both the requisite institutionalization of processes and the implementation of practices for that level.
- CMMC Level 1 covers basic cyber hygiene. It is the foundation of the entire model and must be satisfied to receive any CMMC certification.
- CMMC Level 2 focuses on intermediate cyber hygiene and introduces ‘Process’ maturity to the model. At Level 2 an organization is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of its cybersecurity program.
- At CMMC Level 3 an organization will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of National Institute of Standards and Technology (NIST) SP 800-171 Rev 1, showing that it can protect and sustain its assets and Controlled Unclassified Information (“CUI”). A Level 3 organization is expected to resource activities appropriately and adequately and to review adherence to its policies and procedures, demonstrating managed practice implementation.
- A CMMC Level 4 organization has a substantial and proactive cybersecurity program. The organization can adapt its protection and sustainment activities to address the changing tactics, techniques, and procedures (“TTPs”) used by advanced persistent threats (“APTs”). For process maturity, a CMMC Level 4 organization is expected to review and document its activities for effectiveness and to inform higher-level management of any issues.
- At CMMC Level 5, an organization has an advanced or progressive cybersecurity program with a demonstrated ability to optimize its cybersecurity capabilities in order to recognize TTPs and repel APTs. For process maturity, a CMMC Level 5 organization is expected to ensure that its process implementation has been standardized across the organization.
Overall, the purpose of the CMMC is to enhance the protection of sensitive data by ensuring that the defense supply chain is protected from security breaches. The CMMC addresses the DoD’s need to protect its unclassified information (i.e., Federal Contract Information and Controlled Unclassified Information) during the acquisition and sustainment of products and services from the DIB. By June 2020, industry should begin to see CMMC requirements appear in Requests for Information, according to OUSD(A&S).
On March 25, 2020, the CMMC Accreditation Body (“CMMC-AB”) announced that it had signed a Memorandum of Understanding with the DoD formalizing its authority to accredit the cybersecurity assessors who will perform CMMC certifications. CMMC industry stakeholders raised concerns over the DoD’s “very ambitious” rollout of the CMMC in a letter dated March 26, 2020, addressed to Under Secretary Lord, OUSD(A&S), and Katie Arrington, Chief Information Security Officer for OUSD(A&S), especially given the COVID-19 pandemic. Even setting COVID-19 aside, stakeholders are concerned that the current implementation plans lack “sufficient clarity and predictability in key areas.” Despite concerns over progress during the pandemic, Katie Arrington said that “work does continue” and that the DoD is “working a tremendous amount in the virtual environment.” Businesses should therefore continue working toward CMMC compliance in the coming months, as CMMC levels will appear in upcoming contracts.
To prepare for certification by Certified Third Party Assessment Organizations (“C3PAOs”), contractors and subcontractors should conduct a gap assessment against the practices required at their target CMMC level, identifying the risks, vulnerabilities, and unimplemented controls that determine their cybersecurity preparedness. Because the levels are cumulative and no waivers are envisioned, a practice left open at the target level is a certification blocker, not merely a finding to track. The CMMC-AB will soon release the process by which contractors may be certified by a C3PAO; until then, organizations should assess themselves against the current Defense Federal Acquisition Regulation Supplement (DFARS) requirements and NIST SP 800-171 guidance. Those DFARS requirements are already binding on covered contracts, and audits verifying CMMC compliance are expected during 2020.
Now is the time to assess and prepare before July 1. After that date, organizations without certification, whether prime contractors or subcontractors, will not be eligible for new DoD contracts that carry a CMMC requirement.