There are more than 350,000 vendors in the United States Department of Defense (DoD) supply chain. With that many vendors, and that many adversaries after the government's defense information, maintaining sound security around government data developed or handled by defense contractors and subcontractors is a necessity. That is the idea behind the development and implementation of the government's new Cybersecurity Maturity Model Certification (CMMC). Here is a quick background and an update on what is happening with the implementation of CMMC.
The Background of Vendor Security
In the past, both DoD contractors and subcontractors were required to implement the cybersecurity standards outlined in National Institute of Standards and Technology (NIST) Special Publication 800-171. Through contract clauses flowed down from the Under Secretary of Defense, vendors have been required to implement and adhere to those cybersecurity controls. Those vendors were, however, allowed to self-assess, vouching for themselves that they were NIST compliant and had met their contractual obligation to implement the standards. No independent party verified the claim.
The New CMMC Standards
With CMMC, vendors within the defense industrial base (DIB) will be mandated to meet new cybersecurity standards and must obtain certification from a third-party assessor rather than self-attesting. The U.S. Under Secretary of Defense for Acquisition & Sustainment issued version 1.0 of the CMMC requirements on Jan. 30, 2020. Version 1.0 outlined five levels of certification DoD vendors can achieve; an updated version, v1.02, was released March 18, 2020, to correct administrative errors.
Level 1 is the simplest level and involves just 17 basic cybersecurity practices most businesses already use, such as running antivirus software and maintaining basic password hygiene. Level 3 is roughly equivalent to the current NIST SP 800-171 standard that has guided cybersecurity requirements for DoD vendors for the last several years; more precisely, it contains all 110 NIST SP 800-171 controls plus 20 additional practices. Level 5, the highest level of certification, covers 171 practices as well as additional capabilities and process-maturity requirements. Each certification level builds on and includes the requirements of the levels below it, so a Level 3 assessment also verifies every Level 1 and Level 2 practice.
“Before a contractor, as either a prime or subcontractor, can even bid on or be awarded a defense contract, that contractor must obtain whichever of the five government-defined and increasingly stringent levels of CMMC certification are required of bidders in the contract’s request for proposals,” wrote Frank Kendall, former Under Secretary of Defense for Acquisition, Technology, and Logistics, for Forbes.
In other words, vendors wishing to do business with the DoD will be able to find the level of CMMC certification required for a given contract in sections L and M of the request for proposal (RFP). To qualify to bid at all, contractors and subcontractors will have to show they have already achieved the required CMMC level for that contract; certification cannot be deferred until after award.
According to a piece published by FedScoop earlier this week, CMMC will not apply to all DoD suppliers. Contractors and subcontractors providing only commercial-off-the-shelf (COTS) products will not be required to achieve CMMC certification.
When CMMC Will Be Implemented
Despite the upheaval caused by the COVID-19 pandemic, Katie Arrington, the CMMC lead and Chief Information Security Officer (CISO) for Acquisition in the Office of the Under Secretary of Defense for Acquisition & Sustainment, has repeatedly told industry leaders and the media that the government is sticking to its timeline for CMMC implementation. That means CMMC level requirements will begin to appear in DoD requests for information (RFIs) starting in June 2020. The next milestone is October 2020, when CMMC level requirements will begin to be included in requests for proposals (RFPs).
The CMMC Accreditation Body
To prepare third-party organizations to assess DoD contractors for certification, a CMMC Accreditation Body (CMMC-AB) was formed. This organization, entirely separate from the government, is composed of members of the IT and cybersecurity community. In January 2020, the CMMC-AB was registered as a 501(c)(3) organization in the state of Maryland.
The purpose of the CMMC-AB is to support and implement the intent of CMMC, “which is to both protect critical information and change the culture of the DIB as it relates to cybersecurity,” according to the new CMMC Accreditation Body website.
The new board will oversee the development of training and credentialing standards with the assistance of NIST. A 15-member CMMC-AB Board of Directors led by Ty Schieber has been announced, but training courses and examinations for assessors have yet to be developed. This means that, despite the looming deadlines set by the Under Secretary of Defense for Acquisition & Sustainment, vendors cannot yet obtain CMMC certification at any level, because no assessors have yet been licensed to conduct assessments and certify DoD contractors.
Certified Third-Party Assessment Organizations
According to the CMMCAB.org website, “A C3PAO is an organization where certified assessors come together to hone their skills and register their licenses. Each C3PAO must be certified by the CMMC-AB prior to deploying its assessors into the field.”
What’s a Vendor to Do?
When CMMC version 1.0 was released in January, the CMMC-AB announced that achieving compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) was a good starting point for small businesses working toward CMMC certification; the relevant DFARS clause, 252.204-7012, itself requires implementation of NIST SP 800-171. Given that NIST will be involved in developing training and certification for assessors, and that NIST SP 800-171 has been the “gold standard” for cybersecurity measures on DoD contracts in the past, Dox Electronics also recommends that businesses work toward meeting those controls if they have not already done so.
Several third-party vendors, including Dox, are now helping businesses prepare for CMMC certification by conducting cybersecurity audits against DFARS and NIST SP 800-171. Although the CMMC-AB has not yet developed a training program for assessors, the publication of the CMMC standard has enabled prospective assessors to offer informal gap assessments against the published practices. Again, no one can become CMMC certified yet, but a gap assessment gives prospective DoD contractors and subcontractors a concrete starting point: a list of which required practices are already in place and which still need to be implemented. Additionally, Exostar, with which Dox partners, has unveiled a risk management tool to help organizations within the DIB that intend to conform to NIST SP 800-171 security controls in preparation for CMMC assessments.
By starting work toward DFARS and NIST SP 800-171 compliance now, businesses can get a head start on the competition. Those who begin audits and implementation of these standards today will have an edge over organizations that wait for CMMC assessors to be licensed, since the practices they put in place carry over directly into the eventual CMMC assessment.
The Reciprocity Option
In a recent blog post by MeriTalk, Arrington said work is being done to provide reciprocity between CMMC and the Federal Risk and Authorization Management Program (FedRAMP). The intent is that a vendor that already holds a FedRAMP authorization would not have to be separately assessed for CMMC.
“They’ve [FedRAMP Program Management Office] already reached out and they’re working through that reciprocity,” Arrington stated during an April 29 CMMC Unpacking webinar, according to the MeriTalk blog. “You, as a taxpayer, paid for FedRAMP. I don’t want you to pay again.”
The same blog post reported that Arrington has asked the CMMC-AB to grant reciprocity to any vendor that already has an authorization to operate (ATO) with the Federal government through a third-party assessment program such as FedRAMP. The condition on that reciprocity is that vendors will have to close out their Plans of Action and Milestones (POA&Ms), remediating the open gaps in a way the CMMC-AB is “comfortable with.”