Table of Contents
In an effort to safeguard sensitive national security and supply chain information against increasingly complex and frequent cyberattacks, the U.S. Department of Defense (DoD) created a comprehensive framework knowns as the Cybersecurity Maturity Model Certification (CMMC).
The latest iteration, knowns as CMMC 2.0, has been designed to cut red tape for small and medium sized businesses, set priorities for protecting DoD information, and reinforce the cooperation between the DoD and industry in addressing cyber threats.
Overview of the CMMC program
The CMMC program is designed to enhance cyber protection standards for companies doing business with the U.S. government. The goal of the program is to protect sensitive unclassified information that is shared by the DoD with its contractors and subcontractors. The CMMC requirement will be incorporated into acquisition programs which will provide the DoD increased assurance all partners, vendors, and suppliers are meeting these heightened cybersecurity requirements.
The DoD first announced the CMMC program in June 2019 released version 1.0 of the CMMC model document in February 2020 and published an interim rule in September 2020 as an interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS).
In response to the comments, it received on the interim rule, the DoD reviewed and restructured the program into “CMMC 2.0” in November 2021. The DoD consistently has said the CMMC 2.0 rulemaking process could take anywhere from 9-24 months, which left companies to wonder when that time period would begin and what the timeline might look like – and also whether this could mean a significantly reduced timeline from that originally announced. DoD has provided some clarity during recent speaking engagements and conferences.
Purpose of CMMC 2.0
The review process between CMMC 1.0 and CMMC 2.0 lead to a more streamlined and refined process. The primary goals of CMMC 2.0 are:
- Safeguard sensitive information to enable and protect the warfighter
- Dynamically enhance Defense Industrial Base (DIB) cybersecurity to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with DoD requirements
- Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
- Maintain public trust through high professional and ethical standards
Where are we now?
While the interim rule contemplated a phased approach with the CMMC requirement ultimately to be included in all DoD solicitations and contracts by October 1, 2025, The DoD recently announced at a “CMMC Day” conference it expects to complete its documentation to submit to the Office of Management and Budget (OMB) for the rulemaking process by July 2022 and expects to issue interim final rules by March 2023.
If the DoD sticks to this new timeline, the CMMC requirements could begin appearing in solicitations as early as May 2023 (60 days after the rules are published).
The DoD also announced it plans to roll out the CMMC requirements in solicitations under a “phased approach.” In particular, for phase one, when the CMMC requirement first starts appearing in solicitations, all offerors will be required to conduct a CMMC self-assessment (rather than have a third-party certification) and provide a positive affirmation of compliance. Then, in phase two (with timing still to be determined), solicitations will require either self-assessments or third-party certifications (depending on the type of CUI and required certification level).
The DoD also has confirmed that the third-party CMMC certification (associated with some Level 2 and all Level 3 programs) will be good for three years, but contractors will be required to provide an annual affirmation confirming compliance. DoD plans to store the CMMC certificates (and the associated third-party assessment data) in the CMMC Enterprise Mission Assurance Support Services (eMASS) database. The CMMC eMASS automatically will post a copy of a company’s CMMC certificate to the Supplier Performance Risk System (SPRS), but the detailed results of a CMMC assessment will not be made public.
Apart from the third-party certifications required for Level 3 and some Level 2 programs, the self-assessments required for Level 1 and some Level 2 programs must be performed on an annual basis (accompanied by an associated affirmation by a senior company official). At least for Level 1, DoD has clarified that after performing the self-assessment, the company will be required to submit the results and annual affirmation via SPRS. This means many companies that have not yet had to use SPRS will need to create an account and ensure access to the platform.
Next steps for businesses
It seems the time finally has come for DoD contractors to acknowledge that CMMC is imminent (and sooner than many had anticipated).
Contractors should prepare their information systems for a CMMC assessment (if they have not already), and seriously consider performing a comprehensive self-assessment sooner rather than later.
Companies that already are required to have a NIST 800-171 assessment score posted in SPRS (based on the requirements in DFARS 252.204-7019 and -7020) should be actively working to remediate any gaps and consider updating their score to ensure it reflects the current posture of the system. In this regard, the DoD has announced it will be checking the accuracy of reported scores in SPRS by performing “medium assessments” as described in the DFARS.
Immediate focus on a comprehensive CMMC assessment will help further the goal to enhance the security of the Defense Industrial Base and may be beneficial from a cost standpoint as well. NIST recently announced plans to update NIST SP 800-171. In parallel, DoD announced that “companies who receive a CMMC certification prior to the update to NIST 800-171 will only need to meet the requirements in the current standard” rather than having to work against the updated standards in the forthcoming Revision 3. An earlier assessment may allow companies more time to understand and digest changes to the standard and any additional security controls before using it as a baseline for future assessments.
How can a third-party help with CMMC compliance?
A third-party with experience can assist you in getting your arms around any gaps you might have. A guided self-assessment would include the following:
- Identify relevant data (includes CUI & FCI)
- Review baseline controls
- Test your baseline controls using the NIST SP 800-171A publication – SP 800-171A and assessing security requirements for CUI
- Create a Gaps list and POAM
- Assist in conducting a risk assessment
- Assist writing a systems security plan based on controls
- Help create a rollout plan
Ongoing compliance maintenance
Once you have reached compliance, how do you keep the program on track? While it can be done with spreadsheets and spot checks, these are often inconsistent, inaccurate and time consuming. Consider using an Integrated Risk Management and compliance tool.
These tools should be able to ingest information such as vulnerability scans, endpoint information, and other relevant data as well as incorporate up-to-date threat information and provide an immediate snapshot of the program making it faster, easier, and less expensive to manage your compliance program.