CMMC ACCREDITATION BODY MOVING AHEAD WITH PILOT PROGRAM OF NEW REQUIREMENTS IN CONTRACTS
By Ken Michael
From secure wireless communications capable of controlling unpiloted aircraft to cruise missiles that race through the air at speeds of one mile per second, the United States military is looking to make some technological upgrades in the coming decade. The hitch is, aerospace organizations and other United States Department of Defense (DoD) contractors must have certain cybersecurity standards in place before they will be awarded new contracts.
In 2020, the U.S. DoD released new cybersecurity standards through the Cybersecurity Maturity Model Certification (CMMC). Achieving CMMC is now part of the cost associated with doing business with both the DoD and the National Aeronautics and Space Administration (NASA).
While government contractors and subcontractors that comprise the military’s commercial supply chain have been warned about the impending jump in cybersecurity requirements, it’s coming down to crunch time for many as a new timeline for pilots of CMMC-loaded requests for proposals is planned for release in April.
In a Town Hall hosted online by the CMMC Accreditation Body (CMMC-AB) on Jan. 26, 2021, Katie Arrington, the Chief Information Security Officer (CISO) for the DoD, said President Joe Biden and his new administration are moving full-speed ahead with the implementation of the CMMC requirements. She also said the pilot program for implementing the CMMC standards in requests for proposals is expected to begin rolling out in mid-March.
“This is really about you all (government contractors) and what you can do to make our nation as safe as possible and to protect your company and individuals,” Arrington said.
Diane Knight, the newest member of the government’s CMMC team, offered a DoD CMMC pilot overview during the town hall. She said 2020 was a very busy year for initiating CMMC coordination and team building. This year will be the first year in the phased five-year rollout of the CMMC for the Department of Defense starting with CMMC pilot contracts.
The defense industrial base (DIB) has seen a laundry list of cybersecurity compliance standards roll out since May 2016 when the U.S. federal government mandated all contractors become compliant with FAR clause 52.204-21. The FAR clause specifies 15 basic cybersecurity safeguarding requirements. Next came DFARS clause 252.204-7012, also in 2016, which additionally directs compliance with NIST SP 800-171.
That brought us to the interim DFARS rule that went into effect Nov. 30, 2020. The DFARS Interim Rule assesses contractor implementation of the security requirements in NIST SP 800-171 and initiated the phased five-year rollout of the CMMC.
“This is all predicated on the national cybersecurity crisis that we’re experiencing with all of the data exfiltration,” said Knight during the town hall. “Research has proven that most of the exfils are happening in the defense industrial base supply chain. All of these efforts were instituted to help mitigate the loss of data.”
Requirements for CMMC
The requirements of DFARS are still in effect for any contracts including controlled unclassified information (CUI) as the CMMC standards are rolled out. In addition to the 15 basic safeguarding requirements of FAR 52.204-21, the CMMC model includes an additional five processes and 61 practices across levels 2-5 that demonstrate a progression of cybersecurity maturity. The five CMMC levels and their requirements are as follows:
Level 1: Consists of the 15 basic safeguarding requirements of FAR clause 52.204-21.
Level 2: Consists of 65 security requirements from NIST SP 800-171 implemented via DFARS clause 252.204-7012, seven CMMC practices, and two CMMC processes. Intended as an optional intermediary step for contractors as part of their progression to Level 3.
Level 3: Consists of all 110 security requirements from NIST SP 800-171, 20 CMMC practices, and three CMMC processes.
Level 4: Consists of all 110 security requirements from NIST SP 800-171, 46 CMMC practices, and four CMMC processes.
Level 5: Consists of all 110 security requirements from NIST SP 800-171, 61 CMMC practices, and five CMMC processes.
A final rule for DFARS is expected to be implemented sometime between April and July 2021, though Knight wouldn’t give a definitive date during the town hall. She did warn that there may be changes to the interim rule in the meantime.
For now, to obtain contract awards, suppliers must adhere to the interim rule clauses for applicable contracts, task orders, and delivery orders. One provision of DFARS 7019 requires contractors to demonstrate compliance with all 110 security requirements from NIST SP 800-171. Furthermore, DFARS 252.204-7012 is applicable to any contract that manages, stores, or moves CUI as part of a government contract including the reporting of cyber incidents. Additionally, the supply chain is required to flow down these requirements for any subcontractor handling CUI as part of their work.
CMMC Pilots Get Underway
Knight said the Office of the Undersecretary of Defense funded risk reduction activities to inform CMMC implementation including mock assessments starting in April 2020. Candidate acquisitions have also been identified by the Army, Navy, Air Force, Missile Defense Agency, and Defense Logistics Agency to move further into CMMC implementation. The piloting of CMMC will occur in a phased rollout through 2025 that ramps up with CMMC requirements being included in up to 475 new prime contracts.
“The key takeaway is that Ms. Arrington has to approve the use of the CMMC clauses,” Knight said. “This year we have planned for up to 15 pilots. We are still welcoming pilot nominations and the piloting will go through fiscal year 2025. By then we can have up to 475 contracts that are piloting CMMC.”
The CMMC pilot programs will include applicable CMMC requirements in requests for proposals. With the pilot contracts, Knight said CMMC certification must be met by the contract award date. The CMMC certification must also be maintained for the duration of the contract. Because a certification is good for just three years, recertification may be necessary when the certification expires before the contract ends. That said, until Oct. 1, 2025, CMMC requirements will only be included in new acquisitions with the approval of the OUSD.
Get Started Now
Any contractor seeking certification will need to implement the CMMC practices and processes immediately. Potential contractors will then need to perform a self-assessment and may hire a CMMC Registered Provider Organization (RPO) such as Dox to help them prepare for certification. Finally, the vendor will hire a CMMC Third Party Assessment Organization (C3PAO) to perform an accredited assessment. It is the C3PAO that issues the cybersecurity maturity model certification. It is a requirement of CMMC to adhere to this process, according to Knight.
For more information about the requirements of CMMC or preparing for certification, visit Dox online or call (585) 473-7766.