In 2019, the Department of Defense (DoD) unveiled the Cybersecurity Maturity Model Certification (CMMC), a five-level certification designed to ensure that all DoD contractors have appropriate cybersecurity controls and processes in place. The CMMC builds on the Defense Federal Acquisition Regulation Supplement (DFARS), which already required private DoD contractors to abide by specific cybersecurity standards. A 2018 report prepared for the DoD by MITRE, titled “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War,” found that a substantial majority of government contractors were not meeting the DFARS requirements.
DFARS left significant vulnerabilities in the supply chain, not because its technical security requirements were inadequate, but because its enforcement mechanisms were lacking. Previously, a contractor could be awarded a contract without sufficient security controls in place; the contractor would then submit a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) describing how it would bring its processes into alignment. Because this could occur post-award, several companies never actually complied with the requirements and were subsequently penalized under the False Claims Act. A driving concern behind the certification was that foreign adversaries had become better thieves rather than better innovators. One significant example of the repercussions of these security failures is the Chinese J-31 fighter aircraft, which bears numerous similarities to the US F-35 Joint Strike Fighter.
The Certification Process
The CMMC addresses this by prohibiting any DoD vendor from receiving a contract if they haven’t been certified at the appropriate level. Certification requirements extend to subcontractors at all levels, although a tiered approach is likely, where subcontractors would be required to be evaluated at a lower level than the primary. Although CMMC requirements are not currently in effect, the certification process has already begun and is progressing according to the following timeline.
- January 2020: CMMC Levels, requirements, and auditor training materials were released.
- February – May 2020: The initial round of auditors are being trained.
- June – September 2020: The first round of audits will begin, starting with a pool of DoD Programs and RFIs that have been identified at a particular CMMC Level. Any contractor wishing to bid on these will need to be certified at the appropriate level to be considered.
Five different CMMC levels can be achieved, ranging from Level 1, “Basic Cyber Hygiene,” to Level 5, “Advanced / Progressive.” Requirements for each level are drawn from controls outlined in NIST SP 800-171 Rev 1 and the draft NIST SP 800-171B. Earning certification at each level requires meeting requirements in control families referred to as “Domains,” which are broken down into “Capabilities” and further refined into “Practices and Processes.” Each level builds upon the previous ones, and auditors will award certification based on how many of the practices a contractor has successfully implemented.
The first step in obtaining a CMMC should be performing a comprehensive self-analysis. Unlike the NIST guidance referenced above, CMMC does not permit self-certification and requires passing an assessment by an independent auditor. As a starting point, however, the NIST Handbook 162 can provide guidance through Level 3—the DoD is developing guidance for Levels 4 and 5. Some companies do not possess the resources to interpret and apply these requirements; these vendors should seek independent, third-party assistance to bring their cybersecurity mechanisms up to par. Managed Security Service Providers (MSSP) are specialists in interpreting, implementing, and monitoring cybersecurity for DoD contractors. MSSPs will be able to perform not only an initial assessment but also any remediation work required to earn the necessary CMMC level.
Once a company has completed a self-analysis, any shortfalls should be included in a remediation plan and brought up to speed as quickly as possible. Fix actions could be relatively minor and easy to address, or they could require a substantial overhaul of a company’s networks, policies, and processes to bring them into compliance. Delaying will only extend this timeline and likely impact a contractor’s ability to provide goods and services to the DoD.
The Overall Impact
Due to the sheer number of contractors seeking certification simultaneously, failing an assessment will likely result in substantial delays before a secondary inspection can be performed. The good news is that those contractors who aggressively pursue and receive certification will likely experience a competitive advantage in bidding.
Although this certification is currently only being implemented for DoD contractors, there has been significant speculation that the program will eventually expand to include all Federal vendors. It would be wise for contractors to begin working to align their cybersecurity protocols with DFARS requirements sooner rather than later to avoid any disruption to their contract lifecycles.
For information on how Dynamic can help with your cybersecurity needs, contact us at 866-399-1084 or firstname.lastname@example.org.