There is a lot of uncertainty and misinformation around the new Cybersecurity Maturity Model Certification (CMMC), especially for downstream suppliers who do not directly contact a contracting officer. Small and medium-sized defense contractors should be far more concerned with the immediate requirement to conduct and submit assessments of their compliance with the existing requirements of NIST 800-171. Note that they do not have to be 100% compliant when they submit; they must have a plan to become 100% compliant.
As of November 30th, 2020, contractors are required to assess their compliance against 800-171. Contractors must conduct a self-assessment of their System Security Plan (SSP). The Department of Defense (DoD) provides a PDF to score and measure implementation. This assessment must then be uploaded to the Supplier Performance Risk System (SPRS).
For higher-risk companies, the DoD may review their assessments. For the highest-risk companies (an estimated 300 of the largest contractors), the DoD will conduct audits of how controls are implemented. The reviews and audits that are already in progress are being performed by the Defense Contract Management Agency (DCMA), not by any third-party company.
Over the next four years, additional requirements related to CMMC will start to show up in contracts. CMMC establishes five levels of certification and associated requirements for each level. Level 1 contractors need to meet only basic cyber hygiene. At Level 3, all 110 controls are required. The levels will be defined by the contracts themselves; however, if you handle any Controlled Unclassified Information (CUI), you will need to meet Level 3 at a minimum. Levels 4 and 5 establish additional requirements beyond 800-171. The CMMC also sets auditing standards for third-party assessments and certification. Two of these, Levels 1 and 3, have auditing guides publicly available today. The one exception defined so far is for makers of commercial off-the-shelf products (COTS).
50 individual assessors have been granted status to conduct CMMC audits. As of 12/22/20, 12 C3PAOs have been authorized, but before they can audit, their own cybersecurity programs must be approved by the DCMA. “C3PAOs shall not be accredited to conduct CMMC assessments until achieving CMMC Level 3 certification themselves.” Anyone claiming they can certify a business under CMMC at this time is mistaken.
Contractors need to make sure they have updated their SSP and Plan of Action and Milestones (POAM), then conduct and upload the self-certification. When CMMC comes into effect for contracts, all actions in the POAM must be fully implemented in the SSP.
Contact our compliance team for any specific questions related to your organization or client needs.