Understanding Cybersecurity Maturity Model Certification (CMMC)
[ZOOM EVENT] Wednesday, June 23, 2021 @ 11AM-12PM ET
Contractors will still be required to achieve CMMC by 2025

By Ken Michael

The United States Department of Defense (DoD) is developing a means for contractors to achieve reciprocity for cybersecurity measures they have already taken when it comes to achieving the new Cybersecurity Maturity Model Certification (CMMC). Many contractors of the DoD and other government entities involved in the defense industrial base (DIB) have already met cybersecurity standards set by other government certification programs. Asking contractors to begin from scratch to achieve CMMC could be costly, confusing, and frustrating, so the DoD is working toward a reciprocity program to reduce such problems for contractors.
The CMMC is meant to replace a current system of overlapping government cybersecurity requirements, ranging from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to the Defense Federal Acquisition Regulation Supplement (DFARS) and the Federal Risk and Authorization Management Program (FedRAMP), a government cloud security certification program. Many of these programs allow contractors to pledge their adherence to government cybersecurity standards by submitting a plan of action and milestones (POA&M).

With CMMC, a risk-based tiered structure of cybersecurity levels, government contractors will be assessed on where they stand at the time of review: either they qualify for certification or they do not. Additionally, the certification is not self-attested, as other government cybersecurity programs have been in the past. To achieve CMMC, vendors must work with a CMMC Third-Party Assessor Organization (C3PAO), which costs time and money.

The Reciprocity Promise

Government vendors have expressed concerns about time and money when it comes to achieving CMMC, especially after the previous investments they have already made in achieving government cybersecurity standards. Through the course of development and implementation of CMMC in government contracts, defense officials have tried to reassure contractors and their subcontractors that CMMC auditors would offer reciprocity for FedRAMP certifications despite no formal mention of it in the CMMC interim rule implemented Nov. 30, 2020.

Katie Arrington, Chief Information Officer (CIO) for the Defense Department, had made a previous pledge that vendors would be able to save money and time toward achieving CMMC by leveraging other government cybersecurity certification programs including FedRAMP. The CIO has previously stated there is reciprocity to be had since it was an “investment” companies had already made in achieving government cybersecurity standards.

Furthermore, speaking at an event hosted by CompTIA in January, Arrington said CMMC will officially provide reciprocity for FedRAMP audits as well as those from the International Organization for Standardization (ISO). The issue lies in figuring out how that reciprocity will work and for how long it will be valid, given that the CMMC Accreditation Body (CMMC-AB) has posted on its website that “by 2025, all DoD suppliers need CMMC certification.”

At the Billington Cybersecurity Conference in September 2020, Arrington said, “Reciprocity means something, but we need to have reciprocity from companies or certification programs that actually have a basis.”

According to a piece by Nextgov, Arrington said, “A CMMC level 3 is a FedRAMP moderate, so if you’re using a cloud service provider to supplement portion of a CMMC 3, then absolutely, you need to have the (cloud service provider’s) certification for the assessor. The contractor with the assessor needs to show proof of this. The difference between CMMC and FedRAMP is we are not allowing plans of action to get better, right, you either are or you aren’t.”

Figuring Out Reciprocity

An online article by FCW reported that reciprocity for CMMC is only achievable if plans of action are closed and can be validated. For example, if a company is supposed to be following NIST SP 800-171 requirements but has only implemented 80 percent of the controls, they won’t be eligible for CMMC certification. Arrington also said the majority of the 300,000 vendors involved in the DIB will only be required to achieve CMMC level 1 certification, the lowest level of CMMC.

The challenge comes in taking FedRAMP, NIST SP 800-171, DFARS and other government cybersecurity certifications and breaking them down to compare with CMMC levels. Furthermore, the DoD and CMMC-AB are working toward identifying exactly what will be counted toward reciprocity for each of those certifications when it comes to CMMC certification.

Executivegov.com reported that Stacy Bostjanick, director of CMMC at the DoD’s office of the Undersecretary for Acquisition and Sustainment, said a team effort is underway “to align the methodologies, levels and requirements of FedRAMP and the CMMC program, which is expected to be included in all defense contracts by 2025.” That team includes representatives from the DoD, the General Services Administration, and the CMMC-AB.

Arrington said that since existing contracts with the DoD can’t be altered, most contractors won’t be required to achieve certification until their contracts end or new acquisitions and requests for proposals (RFPs) are rolled out, which begins this month with the Air Force. However, she did warn vendors not to wait to achieve CMMC.

“If you’re in the supply chain, within the next five years, you are going to have to be certified,” Arrington said, according to the FCW piece. “It just depends on when your contract comes up.”

In another article by FCW, “CMMC reciprocity guidelines are still a work in progress,” Arrington indicated that while CMMC reciprocity will be given to some degree, achieving CMMC certification may still require additional investments by contractors and subcontractors. She added that the CMMC-AB is currently working on the particulars of how reciprocity will work, and that DIB contractors should provide feedback to the CMMC-AB as those details become available. Those details are expected before the end of 2021.

Keep Your CMMC Certification Private

Arrington did issue a warning to vendors about keeping their CMMC certification status confidential. She told contractors not to post their CMMC certification level on their website, stating that such information is proprietary and that publishing it could put vendors at risk. If a bad actor knows your certification level, they know which controls you have and have not implemented and can tailor attacks against your company accordingly.

Contact Dox Electronics at (585) 473-7766 for more information on CMMC reciprocity, preparing for CMMC certification, or cybersecurity for your business. The initial consultation is free and there is no obligation.