Cybersecurity Maturity Model Certification (CMMC) 1.0 is here!
What is CMMC?
The Office of the Secretary of Defense released CMMC (Cybersecurity Maturity Model Certification) version 1.0 on January 31, 2020 to verify contractors of the Defense Industrial Base (DIB) are operating with effective cyber hygiene. In order to bid on, maintain, and win future DoD contracts, all organizations will need to prove their required level of cyber maturity. We covered CMMC basics and Draft 0.7 in this webinar and will be discussing CMMC 1.0 and how to prepare in this upcoming webinar.
- A DoD certification process that measures the DIB’s ability to protect FCI and CUI
- It builds off the existing requirements of CFR 52.204-21 and DFARS 252.204-7012
- It incorporates Best Practices from NIST SP 800-171 as well as the UK’s Cyber Essentials and Australia's Es
- A framework of levels, domains and processes affiliated with the DoD and DIB
- Certification of Primes and Subs at the appropriate levels will determine contract award eligibility in the future
What Changed from CMMC Draft 0.7 to CMMC 1.0?
The good news for DOD contractors is that there were no drastic changes between CMMC Draft 0.7 and CMMC 1.0.
- First and foremost, if a DOD supplier handles Controlled Unclassified Information, they will need to be a CMMC level 3 at minimum.
- One key change in CMMC 1.0 is the language around what Level 2 is all about. Level 2 is now clearly defined as the "transitioning step to protect CUI", i.e. the step toward CMMC Level 3.
- References to Federal Contract Information (FCI) were removed from the Level 2 examples; FCI is now more in line with the basic requirements of Level 1 (all of the safeguarding requirements from FAR Clause 52.204-21).
- A few processes and practices were removed from Levels 3 through 5, centered around business processes for handling CUI. For example, in Level 3 under the domain "Asset Management (AM)", the practice laid out in Draft 0.7, "P1035 - Identify, categorize, and label all CUI data (ISO/IEC 27001 A.8.2.1, ISO/IEC 27001 A.8.2.2)", was removed. The only Level 3 practice remaining in the AM domain in 1.0 is "AM.3.036 - Define procedures for the handling of CUI data." The handful of other removed practices/processes include proactive measures that require further buy-in from key stakeholders in the organization.
One could argue some of these were consolidated for the sake of simplification, which makes sense. Perhaps practices and processes like these will be added in future versions/enhancements of the CMMC as the DOD supply chain matures. The CMMC's purpose, after all, is to drive maturity at all times as threats evolve, right? We would love to see more accountability-type practices and processes added in the future. Putting focus on practices and processes that go beyond anything a technology or security professional can do alone is always recommended.
CMMC Schedule Moving Forward
As mentioned above and reinforced during the CMMC 1.0 announcement video, there is still a lot of work to do and lots to learn as the roll-out continues. The released schedule is subject to change but given how the CMMC team has met most of their goals to this point, it is best to assume these deadlines are accurate. Ms. Arrington talks about the roll-out as a "crawl, walk, run" approach in order to make the CMMC effective for everyone.
Key schedule dates to be aware of:
- March/April 2020 - CMMC Marketplace Created
- April 2020 - CMMC A.B. will provide updates on training classes, which are planned to begin in early Spring 2020
- June 2020 - CMMC requirements in a select number (10 was the mentioned target) of RFIs
- June 2020 - Defense Acquisition University (DAU) training available
- October 2020 - CMMC requirements in a select number (10 was the mentioned target) of RFPs
From a crawl, walk, run standpoint, these dates make sense. They allow for some room to make minor changes to the program.
What DOD Suppliers Can Do Next
Given that no Third Party Assessment Organizations (C3PAOs) currently exist, every DOD supplier and contractor should be laser focused on completing their Plan of Actions and Milestones (POAM), if they currently have one. If no POAM exists, contractors need to create a System Security Plan (SSP), which includes information for each system in their environment that processes, stores, or transmits Controlled Unclassified Information (CUI).
As for POAMs, the current format of milestones taking place two, three or four years down the road will no longer be allowed. Any organization doing business with the DOD will need to have the CMMC maturity level requirements fully implemented by the time of contract award. If your organization is looking for help creating an SSP and POAM, we can help.
CMMC 1.0 Does Not Mean "Breathing Room"
The announcement of the CMMC back in the Summer of 2019 caused a flurry of activity within the DOD supply chain. Over the past seven months, much of the activity was caused by fear. Many small to medium size businesses in the DOD supply chain are not ready – and they know it. Others were taking the proactive approach so they don't lose their competitive advantage and don’t want to put their business at risk. This is more than cybersecurity risk and supply chain risk. It’s financial risk, intellectual property risk, innovation risk, personal risk, and so on. This is about overall risk management.
Just because certifications are not going to take place right away, that does not mean DOD suppliers get "breathing room." The DFARS 252.204-7012 clause is still the requirement. Primes have the right, today, to ask their subs how their POAM completion progress is going.
Is your organization ready for that question? Is your organization ready for when your customer starts looking for potential suppliers to replace yours?
Keep in mind, there is a lot of risk on prime contractors as well. If primes have to replace a supplier because they are a cybersecurity risk, they will. In fact, they have to in order to meet the CMMC requirements.
Many DOD suppliers and contractors have told their customer(s) they are "working on" their POAM. This used to be allowed because there was no way to verify if they were being true to their word. What happens if an organization suffers a CUI data breach tomorrow? Next week? Next Month? What is the excuse going to be? "We were waiting for more clarification about CMMC 1.0 before making a plan" will not work.
Take the Correct Path
In order to achieve compliance with DFARS 252.204-7012 by implementing all 110 controls of NIST 800-171, DOD suppliers and contractors handling CUI will need to provide proof via audit artifacts. There is no technology that meets all 110 controls. A large portion of the requirements within NIST 800-171 are non-technical, and many of them require policies and procedures to be created, implemented and documented.
Technology cannot perform those requirements. Administration, understanding CUI data flows, and other non-technical requirements must be proactively implemented and managed by the business itself. This is much easier to accomplish when working with subject matter experts who understand NIST, CUI, cybersecurity and information security. We can help your organization identify the best path for your business.
Is your organization looking for the answer to completing your POAM? CUICK TRAC combines both the technical and non-technical controls of NIST 800-171 into a single programmatic process.
Does your organization need to better understand whether it handles CUI or not? And if so, where does that CUI reside? How can an organization develop and execute an effective plan if it doesn't understand where sensitive data resides within the business?
Don't drag your feet and get left behind. Our national defense depends on the lower tier suppliers in the DOD supply chain!
Join us on March 10, 2020 for a webinar covering CMMC 1.0: What to Know and Where to Start!
About Derek White
Derek is the Director of Business Development & Equity Partner at Beryllium. Beryllium uses its experience and expertise with the National Institute of Standards and Technology, as well as its work within the Federal Government and the Defense Industrial Base, to help organizations increase their cybersecurity maturity.