July 16, 2020
To address increasing cybersecurity risk to government contractors that are defense suppliers (collectively the Defense Industrial Base, or DIB), the U.S. Department of Defense (DoD) is aggressively implementing an enhanced cybersecurity compliance regime to protect sensitive data associated with DoD contracts.
The Cybersecurity Maturity Model Certification (CMMC) program is a consolidated framework of information security controls and practices that will apply to all DoD prime and subcontractors whose information systems touch Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
CMMC consists of 17 core security domains and integrates various existing cybersecurity control standards into one unified standard for DoD contractors to verify the maturity level of their cybersecurity programs and practices.
Prime defense contractors will be obligated not only to assure they comply with the appropriate level of cyber maturity required for the goods and services they sell to the DoD, but also to verify that their subcontractors are certified to the required maturity level, a challenging new burden for prime contractors.
The CMMC program is a robust DoD initiative intended to address the national security risk from what the DoD considers inadequate security around CUI that is in place with government contractors across the DIB – whether they are U.S. based or not.
As a more prescriptive regime, CMMC will measure how well contractors and subcontractors in the defense supply chain have implemented and operationalized their cybersecurity practices and processes against a five-level maturity standard from Level 1 (Basic Cyber Hygiene) to Level 5 (Advanced/Progressive). From a pure cybersecurity maturity perspective, CMMC is more of a solid baseline level of hygiene than an advanced requirement. It is the absence of full implementation of the current DFARS clause 252.204-7012, which incorporates NIST 800-171, across much of the DIB that makes CMMC seem a tougher requirement than it should be.
The DoD accurately sees the security of our defense-related information as both critical and increasingly at significant risk from nation-state meddling. At the October 2019 Intelligence & National Security Summit, Ms. Katie Arrington, CISO in the Office of the Undersecretary of Defense for Acquisition, made it plain that this will be a heavy lift for defense contractors that have lagged in their cybersecurity maturity when she advised that “Every company within the DoD supply chain — not just the defense industrial base, but the 300,000 contractors — are going to have to get certified to do work with the Department of Defense…, and then we can really start looking at our supply chain, where our most and greatest vulnerabilities lie… It’s going to take time, it’s going to be painful, and it’s going to cost money.”
The current expectation is that CMMC will become memorialized in DFARS rulemaking in the fourth quarter of 2020. Between 2020 and the end of 2025 every new and renewing contract procurement from the DoD will require prime contractors and the subcontractors throughout their supply chains to be independently certified at one of the five CMMC levels as a binary condition of bidding. The five-year cycle reflects that DoD contracts typically include an initial contract year and up to four option years, so it will take this period to cycle through the universe of DoD acquisition contracts.
HOW THE MODEL WORKS – WHAT WE KNOW
As CMMC is being fully implemented, the approximately 300,000 companies that comprise the DIB continue to be obligated to meet the DFARS 7012 requirement to self-attest, including the NIST 800-171 standard for the protection of Controlled Unclassified Information (CUI). Even those DIB suppliers of commercial off-the-shelf (COTS) products, which will be exempted from CMMC requirements, must continue to follow the DFARS 7012 clause relative to their cybersecurity posture.
There is a range of 17 core CMMC security domains which integrate various existing cybersecurity control standards into one unified standard for DoD contractors to verify the maturity of their cybersecurity programs and practices. Each CMMC domain “crosswalks” to other common cybersecurity frameworks. Contractors that have been developing and managing their security programs to such frameworks and standards likely have been making meaningful progress against CMMC requirements as a result and will be better prepared for CMMC than contractors who have let their cybersecurity programs lag.
Starting in the summer of 2020 the first ten DoD requests for information (RFI) will include a specific CMMC maturity level as an essential requirement for participation. The actual requests for proposal (RFP) for these first contracts subject to CMMC are expected this fall. COVID-19 related delays may push these into early 2021. The remaining DoD contracts will roll in CMMC requirements over the ensuing five years.
All contracts will be assigned a CMMC level. Contractors must pass 100% of practice and process requirements at the requisite maturity level. When contractors are certifying for a maturity level the assessor must find they meet 100% of the requirements or risk being eliminated from DoD contract participation at that level, potentially for an extended period. The clear incentive is for contractors to get CMMC right the first time.
THE CMMC CERTIFICATION PROCESS
The CMMC program materially raises the bar for the cybersecurity posture of suppliers by imposing formal certification of the maturity of their cybersecurity programs by certified third-party assessment organizations (C3PAOs), a far more robust process than the self-attestation still required of DoD suppliers under DFARS Clause 252.204-7012.
Through a memorandum of understanding with a Maryland not-for-profit – the CMMC Accreditation Body (CMMC-AB) – the DoD has assigned the independent certification training and licensing process to a volunteer group. The CMMC-AB is now publishing requirements for a range of designations, defining qualifications for applicants, and releasing RFPs for supporting work. There will be Licensed Publishing Providers that develop training content and curricula, Licensed Training Partners that train various classes of aspirants, and Licensed Instructors who facilitate the training – all meant to ensure that the process is consistent and produces a disciplined and credible credentialing program.
Organizations that want to work as advisors/consultants to DIB contractors to prepare them for certification will be Registered Provider Organizations staffed with Registered Practitioners and possibly with Licensed Assessors. Organizations that want to perform the formal CMMC certifications will be Certified Third Party Assessment Organizations (C3PAOs). Their Assessors will initially be licensed at the entry level as Certified Professionals (CP) and then further tested and licensed as Certified CMMC-AB Assessor 1, Assessor 2, or Assessor 3; the assessor level defines which CMMC certification threshold they are able to certify.
It is expected that the first group of approximately 60 of these credentialed professionals will be trained and licensed by the 4th quarter of 2020, unless COVID-19 related delays push this into the first quarter of 2021. Many more will follow.
TOPLINE ISSUES, CHALLENGES, AND POTENTIAL PROBLEMS
The CMMC regime is likely to present the industry with the following challenges and areas that require additional clarification:
- Flow-Down of CMMC Level Requirements – It is not yet clear how the process of assigning CMMC levels will take place, presenting subcontractors with challenges around their CMMC readiness strategy, cost, and timeline. It is not clear when individual DoD contracts will come up for renewal and be assigned a CMMC requirement. It is further unclear if it is DoD Contracting Officers who will assign CMMC levels and the flow-down plan to subcontractors, or if that is the responsibility of the prime contractors. Finally, what constitutes CUI and how CUI flows down through the subcontractor ecosystem of a DoD contract may lack clarity and require technical and legal analysis.
- Consistency of the Certification Process – Managing a complex process of training and licensing an array of CMMC-AB certifiers among many different types of organizations aspiring to that work may be fraught with challenges around ensuring equal and predictable treatment, certification methodology, and auditing judgement regardless of who the assessor and assessment organization may be.
- Failing CMMC Certification – CMMC is a binary certification. Failing to achieve the requisite CMMC certification, by passing 100% of the controls at the assigned CMMC level, will be disqualifying from contract participation and may keep a contractor out of the defense market for an extended period of time, unless the CMMC-AB provides a window for a follow-up certification if a few control or process failures can be quickly remedied.
- Organizational Conflicts of Interest – The lack of clarity around whether consulting and advisory organizations can play the roles of both a Registered Provider Organization with Registered Practitioners (on the pre-certification side) and a C3PAO with Certified Assessors potentially sets the stage for organizational conflicts of interest if these situations are not avoided. Even the situation where an organization plays a certifier role for one DIB contractor and a provider role for a different contractor could create the basis of a bid protest by an aggrieved party.
- Certification Protests – Not yet clarified are details around the process through which defense suppliers and their counsel will be able to challenge assessment findings with which they may disagree, how they can dispute and appeal an assigned certification level, or how long it may take to re-assess for certification at a more mature rating.
- Cost and Competition – It is unclear if C3PAOs will set their own fees for certification or if fees will somehow be suggested or regulated by the CMMC-AB. What is a DIB contractor to think about one certifier who charges significantly more than another? Will it be a higher quality process or just a higher fee for the same quality process? The costs to DIB contractors for the range of professional services they may pay to Registered Provider Organizations and Registered Practitioners to bring their security posture to the level that they are ready to then hire a Certified Assessor all may be allowable costs that are recoverable under DoD contracts, based on many variables. However, even to the extent they are allowable and recoverable, including them could well put the claimant at a competitive pricing disadvantage.
- DoD Audits – Ever-present under the focus on CMMC remain the obligations DIB contractors continue to have for self-attesting to the DFARS 252.204-7012 clause relative to their cybersecurity posture alignment with NIST 800-171. Failure of a CMMC certification could make it more difficult for a DoD contracting officer to accept an organization’s self-attestation and could potentially trigger an audit of a contractor’s NIST 800-171 compliance by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
- Liability – It will be the obligation of prime contractors to verify that relevant subcontractors in their supply chain have become CMMC compliant at the contract-appropriate level. Falsely validating compliance exposes organizations to potential liability under the Contracts Disputes Act and the False Claims Act.
WHAT ORGANIZATIONS ARE COVERED ENTITIES?
CMMC affects approximately 300,000 global providers of over $360 billion in goods and services procured by the Pentagon through 350,000 active contracts, whether they are large prime contractors or in the supply chain of another contractor. The DIB is a large network of companies across many product classifications, from obvious defense sector products like weapon and communication systems to less obvious products sold to the Pentagon, such as clothing, food, or building materials. The DIB includes manufacturers, systems integrators, service and technology providers, research organizations, and other direct or indirect suppliers to the DoD. CMMC covers both domestic companies and those domiciled elsewhere.
Colleges and universities that operate research labs in the defense supply chain, University Affiliated Research Centers (UARC), or Federally Funded Research and Development Centers (FFRDC) are also covered entities. Even companies selling commercial-off-the-shelf (COTS) products to the DoD, while exempt from CMMC, still have to self-attest to DFARS requirements to align with the NIST 800-171 standard. COTS determination can be nuanced, because many standard products include changeable components that may nullify the COTS claim and mean the provider is covered under CMMC.
Every company that sells directly into the DoD or may sell into a primary or secondary defense supplier should determine – with legal advice – if they are likely to be entities covered by the CMMC program.
OPTIMAL CMMC STRATEGY
Organizations that directly or indirectly participate in the DIB and may be covered entities under the CMMC program should make these initial preparations:
- Consult with counsel to determine if your organization is likely to be affected by the CMMC program as a covered entity.
- Either internally assess the current state of your company’s cybersecurity program, capabilities and practices, or engage a third-party expert firm to independently assess your security environment against the NIST 800-171 standard, the optimal pro forma cybersecurity standard for indicating your potential gaps against the mid-range of the CMMC requirements. Self-attesting around NIST 800-171 remains a requirement of the DFARS Clause and continues to expose contractors to potential DCMA audits.
- Explore the gaps the company may have in aligning to the NIST 800-171 standard and begin to remediate those gaps with a purposeful and credible System Security Plan (SSP) and Plan of Actions and Milestones (POAM). If your assessment reveals that your organization meets NIST 800-171, it essentially meets CMMC Level 1. This strategy places contractors in a good position to most readily address the incremental seven (7) controls that are required for Level 2, and the 13 additional controls required to meet Level 3.
Organizations that achieve this level of maturity will be well-positioned to pursue all but the most sensitive DoD contracts for “mission systems”, which will be rated at CMMC Level 4 or 5 and will comprise far fewer than 1% of all DoD contracts.
The required CMMC level must be in place and certified by the time of contract award. By implementing a smart, phased approach to CMMC readiness now, DIB contractors can deliberately manage their cybersecurity program enhancement, reduce compliance risk, and enable continued ability to compete for and win DoD business. Contractors that wait or pursue a haphazard approach may increase their risk, shorten their compliance window, and may be excluded from DoD contract opportunities or purged from prime contractors’ supply chains as a result.
HARD WORK AHEAD
Organizations that wish to provide services or goods to the DoD face the unambiguous Pentagon cyber requirements of CMMC. The DoD expects all suppliers to protect CUI and implement the appropriate controls and processes, and to provide the demonstration of that compliance through an independent certification. As the threat landscape evolves, so will CMMC, which is not intended to be a “meet and forget” schema of protection, but instead a living process for ensuring that CUI is protected throughout the entirety of its lifecycle and use, regardless of when and where it takes place. Every affected organization needs to prepare now.
Scott Corzine contributed to this article.
This insight was prepared for the Association for Data and Cyber Governance https://adcg.org
Ellen M. Lord, Under Secretary of Defense for Acquisition & Sustainment, Kevin Fahey, Assistant Secretary of Defense for Acquisition, and Katie Arrington, Chief Information Security Officer for Acquisition, “Press Briefing”, Jan. 31, 2020.
The Department of Defense, Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD (A&S)), and Cybersecurity Maturity Model Certification Accreditation Body, Inc., “Memorandum of Understanding”, Page 1, March 23, 2020.