The Newest Version of CMMC and What It Means for Contractors
Breaches of supply chains containing controlled unclassified information (CUI) cost the U.S. economy 600 billion dollars per year. In response to this exfiltration of data, the Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) to “serve as a unified standard for cybersecurity that will be incorporated as a ‘go/no-go’ requirement for DoD acquisitions.” Several sources were used in the formulation of CMMC, including NIST SP 800-171, the Aerospace Industries Association’s National Aerospace Standard 9933, and the cybersecurity models of Australia and the United Kingdom, among others.
On January 31, 2020, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment; Kevin Fahey, Assistant Secretary of Defense for Acquisition; and Katie Arrington, Chief Information Security Officer for the DoD, held a press conference to discuss the release of CMMC Version 1.0 and the anticipated timeline of its rollout. Shortly after the press conference concluded, CMMC Version 1.0 was officially released.
While significant updates have been made since the previous draft releases of CMMC, its structure and framework remain the same. Two of the most notable changes are:
- The addition of ‘practices’ required to obtain a Level 4 or Level 5 certification.
  - “Practices more specifically outline the technical requirements to achieve compliance with a given capability.”
- The expansion of the ‘clarifications’ section to cover Level 2 and Level 3 requirements.
  - “These sections include brief discussions of the requirements, clarifications to further explain DoD expectations, and in some cases, examples that describe scenarios where compliance is appropriately demonstrated within an organization.”
The implementation of CMMC will occur at a slow pace; the DoD does not anticipate CMMC being fully implemented until Fiscal Year 2026. This year the DoD will select third-party accreditation vendors, called “C3PAOs,” to provide CMMC accreditation services to contractors and subcontractors. In addition, a new Defense Federal Acquisition Regulation Supplement (DFARS) regulation is expected as early as this spring. CMMC requirements will be added to ten procurements at the end of 2020, and at the time of award all contractors and subcontractors will be required to meet all applicable CMMC requirements.
In addition, the January DoD briefing offered further insight into what will be called the Accreditation Body. It is expected to “consist of 13 members from the defense industrial base, cybersecurity community, and academic community who self-nominate to join.” The responsibility of the Accreditation Body will be to monitor the quality, training, and administration of the C3PAOs. The names of its members have not been released at this time, but it was confirmed that a Board of Directors and a Chairman have been elected. The DoD is drafting a memorandum of understanding with the Accreditation Body that will address conflicts of interest, given the sensitive nature of the information that the Accreditation Body and auditors will have access to, as well as the roles and regulations they must abide by.
DoD officials also addressed operational questions regarding CMMC Version 1.0 implementation:
- The DoD will not apply CMMC retroactively to existing contracts.
- Subcontractors will only need to be certified to the CMMC level that applies to the work they will be performing. For instance, a Level 3 procurement may have Level 1 subcontractors.
- CMMC accreditation will remain valid for three years; specifics on cost and audit processes are still unknown.
While the DoD addressed several questions surrounding CMMC Version 1.0 and its implementation timeline, some questions remain unanswered. Contractors and subcontractors will need to remain proactive in familiarizing themselves with the most current version of CMMC and in preparing for the certification process once it becomes available. In the meantime, it would benefit contractors and subcontractors to become NIST SP 800-171 compliant. This may ease the transition to CMMC Version 1.0 compliance and could position them to attain a higher-level CMMC certification, as well as to gain a competitive advantage over others.