Why The DoD Created The CMMC
Department of Defense (DoD) contractors are now well aware of the cybersecurity mandates that have been sweeping across the defense industry over the past several years. In 2015, the U.S. Department of Defense published the Defense Federal Acquisition Regulation Supplement, known as DFARS, which mandates that private DoD contractors adopt cybersecurity standards according to the NIST SP 800-171 cybersecurity framework. This is all part of a government-led effort to protect the U.S. defense supply chain from foreign and domestic cyber threats and reduce the overall security risk of the sector.
Since the passing of DFARS, over 300,000 U.S. DoD contractors have been scrambling to understand DFARS and implement NIST SP 800-171 standards within their companies to become compliant with the law. Some have had the resources to become compliant themselves, while others have outsourced the task to a managed cybersecurity company, such as SysArc, which helps DoD contractors comply with the DoD’s cybersecurity mandates. Even though the DoD has incentivized compliance by making it a “competitive advantage” within the contract awards process, many contractors have chosen to put off compliance. There are even reported cases in which DoD contractors have made false claims, stating that they were in compliance on DoD contracts, but have later been found to be non-compliant. Because of this, the Department of Defense has released the Cybersecurity Maturity Model Certification (CMMC) to ensure that adequate cybersecurity controls and processes are in place to protect controlled unclassified information (CUI) on DoD contractor systems.
The CMMC is currently in its development stages. This guide was written for DoD contractors specifically and provides information about what we currently know about the CMMC, what contractors can expect as the DoD rolls out this program, and the options they have to prepare for a CMMC audit so they can become certified and continue to offer their products and services to the DoD without delay.
Note: This guide will be updated as more information is released by the Department of Defense.
The CMMC Model
The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go / no go decision.”
In its final form, the CMMC is intended to combine various cybersecurity control standards such as NIST SP 800-171 (Rev. 1 & Rev. B), NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.
What the CMMC Means for DoD Contractors
The DoD has built upon existing DFARS 252.204-7012 regulation and developed the CMMC as a “verification component” with respect to cybersecurity requirements. The DoD has entrusted DoD contractors to achieve compliance, and with continued pressure to ensure 100% adoption of cybersecurity controls, the DoD is updating its policies.
So what does this mean for DoD Contractors?
It means that all DoD contractors will need to become CMMC certified by passing a CMMC audit to verify they have met the appropriate level of cybersecurity for their business. This will be a requirement for any organization that wants to hold contracts with the Department of Defense. For more information on the appropriate levels of cybersecurity, see “About CMMC Levels” below.
What We Currently Know About CMMC Certification and Audits
To verify that DoD Contractors have met the appropriate level of cybersecurity controls, the DoD will deploy certified independent 3rd party organizations to conduct audits on DoD Contractor information systems and inform risk. It is from this audit that a DoD contractor will be awarded a certification or not.
Important Dates and Milestones for DoD Contractors
- Effective Immediately: Now is the time for contractors to get an assessment to determine where they stand regarding NIST 800-171 controls and the CMMC Level they want to achieve in order to be certified by the 2nd quarter of 2020.
- 4th Quarter of 2019: In Q4 of 2019, the DoD will release the CMMC Levels and their associated NIST 800-171A controls. The DoD will also announce the non-profit that will be in charge of the certification process and will start training 3rd party certifiers.
- January 2020: In January 2020 the official CMMC Levels and requirements will be released, and certifiers will be available soon thereafter to begin audits. There is likely to be a big backlog, since approximately 70,000 companies will require audits in a short timeframe and there is a limited supply of certifiers/auditors.
- June 2020: In June 2020 the CMMC requirements will be included in Requests for Information (RFIs).
- Late 2020: In late 2020 DoD contractors will need to be certified to bid on Requests for Proposal (RFPs).
DoD Contractors will need to coordinate directly with an accredited and independent third party commercial certification organization to request and schedule a CMMC assessment. DoD Contractors will specify the level of the certification requested based on the DoD Contractor’s specific business requirements. Contractors will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.
Third party certification organizations will be available in January 2020. We will update this guide as soon as they become available.
About CMMC Levels
The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced.
Here’s what we currently know about the CMMC levels and their respective requirements:
- Level 1 – “Basic Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement 17 controls of NIST 800-171 rev1.
- Level 2 – “Intermediate Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement another 46 controls of NIST 800-171 rev1.
- Level 3 – “Good Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement the final 47 controls of NIST 800-171 rev1.
- Level 4 – “Proactive” – In order to pass an audit for this level, the DoD contractor will need to implement 26 controls of NIST 800-171 RevB (still in the Public Comments stage).
- Level 5 – “Advanced / Progressive” – In order to pass an audit for this level, the DoD contractor will need to implement the final 4 controls in NIST 800-171 RevB.
Note: This information is based on a draft version of the CMMC model. The number of controls per level is expected to change in future revisions of the CMMC model. We will update this document as official updates are released.
In January 2020, the official CMMC Levels and requirements will be released to the public. The government will determine the appropriate tier (i.e. not all contracts require the highest level of security) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.
For more information, a full list of frequently asked questions can be found here.
How to Prepare for a CMMC Audit
As mentioned above, the various CMMC levels call for different controls outlined in NIST SP 800-171 Rev. 1 and NIST SP 800-171 Rev. B. DoD contractors should determine which CMMC level they wish to obtain and then implement the controls necessary. DoD contractors that have already implemented all NIST SP 800-171 controls should have no issues passing a CMMC audit up to CMMC Level 3.
For DoD contractors who have not implemented the NIST SP 800-171 Rev1 or RevB controls, the following options are available to prepare for a CMMC audit:
Do it Yourself: Meet Requirements In-House
DoD contractors or suppliers who have the resources and IT staff available can meet the appropriate CMMC level of cybersecurity in-house. Internal IT departments can use the “Self Assessment Handbook – NIST Handbook 162” provided by the National Institute of Standards and Technology (NIST). This handbook was created by NIST with the intention of assisting U.S. DoD contractors who provide products and services for the Department of Defense. Unfortunately, this handbook only covers NIST SP 800-171 Rev. 1 (good for certification up to CMMC Level 3), and there is currently no Self Assessment Handbook for NIST SP 800-171 Rev. B. However, a draft of Rev. B can be found here.
If a contractor does not have the expertise to meet the requirements of NIST SP 800-171 Rev. 1 or Rev. B, it has the option of outsourcing the requirements to a third-party CMMC consultant who offers CMMC compliance services. There are many qualified and experienced Managed Security Service Providers (MSSPs) in the U.S. who specialize in compliance services and monitored cybersecurity for DoD contractors who need to implement NIST cybersecurity controls. A qualified MSSP will be able to perform the assessment and any remediation work necessary to pass a CMMC audit.
Outsource: Work with a CMMC Consultant
For many DoD contractors, the most effective way to meet the CMMC cybersecurity requirements is to outsource the task to a Managed Security Service Provider (MSSP) that specializes in CMMC consulting. Remember that DoD contractors remain ultimately responsible for ensuring that their company meets the appropriate cybersecurity requirements, so it is essential to choose an MSSP you are sure you can trust.
By outsourcing the NIST cybersecurity work to a qualified provider, DoD contractors should save a lot of time and money getting and staying compliant with CMMC. An outsourced provider will have all of the required document templates for the Gap Analysis and the System Security Plan as well as the advanced tools required to monitor and respond to security incidents. They will also have the resources required to perform the remediation steps required to become compliant and the legal documentation to prove compliance has been reached and is being maintained when the time comes for a CMMC Audit.
The Gap Analysis
The first step towards compliance is for the MSSP to see how close, or how far away, the DoD contractor is from meeting the minimum requirements outlined in the appropriate CMMC Level. This process is called the Gap Analysis. Gap Analyses are designed to discover inadequate system setups and processes that may not meet the requirements. Taking a close look at a company’s network and procedures is the first step to ensuring compliance.
The results of the Gap Analysis may reveal issues not limited to:
- How access to information systems is controlled
- How managers and information system administrators are trained
- How data records are stored
- How security controls and measures are implemented
- How incident response plans are developed and implemented
Without a gap analysis, it’s impossible to know what changes an organization needs to make before it meets the required CMMC Level. The professionals at an MSSP use their findings to create remediation plans that will correct any problems and keep their clients in line with CMMC requirements.
The gap analysis will either aid a DoD contractor in carrying out its own remediation plan, or the contractor may opt to have a third party, such as an MSSP, perform the remediation for it.
The Remediation Plan
An MSSP will develop a remediation plan based on the findings outlined in the gap analysis. A remediation plan may involve small, relatively inexpensive fixes to a network and/or its processes, or it may involve more extensive, from-the-ground-up development of compliant networks and processes that meet today’s NIST cybersecurity standards.
Remediation plans provide careful documentation of processes that don’t meet today’s standards. Having a well-researched plan also makes it easier for DoD Contractors to make necessary changes to their systems.
Ongoing Cyber Security Monitoring and Reporting
Once the remediation plan is complete and a DoD contractor’s systems and procedures are compliant with the appropriate CMMC Level, an MSSP will have the tools and processes in place to monitor, detect, and report on cybersecurity breaches within the DoD contractor’s systems. If the DoD contractor is not outsourcing compliance to an MSSP, it has the option to report cyber incidents itself, provided it has the tools to monitor and detect such incidents.
Legal Documentation: How to Prove You’re Compliant with the DoD in Case of a CMMC Audit
Once the MSSP helps clients implement the security controls of NIST SP 800-171 Rev1 or RevB, they will provide legal documentation that proves implementation of the required security controls. This documentation provides CMMC auditors with the proof necessary to certify the DoD contractor.
The Importance of Passing the First CMMC Audit
For many companies, DoD contracts make up a substantial percentage of their revenue, and because CMMC certification will now be an absolute requirement for contract awards, it’s extremely important that contractors pass the CMMC audit on the first attempt. If a contractor fails a CMMC audit, it will be unable to offer products and services to the DoD for an extended period due to:
- The time it takes to implement NIST 800-171 controls effectively
- The time it takes for another CMMC audit to become certified
Therefore, it is highly recommended that a contractor consult with an experienced CMMC consultant who can ensure that the contractor meets the requirements of their specified CMMC Level and can pass a CMMC Audit on the first try.
CMMC Audit Preparation & Assessment Services
SysArc has helped DoD contractors and their Primes throughout the U.S. navigate the complexities and financial hurdles of CMMC and NIST SP 800-171. We work closely with the DoD and are at the forefront of the latest cybersecurity frameworks that the DoD utilizes in CMMC. We have extensive knowledge and experience with implementing NIST and other frameworks’ cybersecurity controls and can help DoD contractors prepare and successfully pass a CMMC audit and become certified.
For more information, please see our CMMC Preparation Solution. If you’d like to speak with someone about preparing for a CMMC audit now, feel free to give us a call at (800) 481-1984 or schedule a CMMC consultation now.