Counting Down to 2020 and the Department of Defense’s Cybersecurity Maturity Model Certification Program
2019 has been a year of pivotal developments for defense contractors in the realm of cybersecurity compliance. The Department of Defense (DoD) issued six guidance memoranda to assist its acquisition personnel in developing “effective cybersecurity strategies to enhance existing protection requirements,” including a mandate for the Defense Contract Management Agency to include cybersecurity compliance as a part of a contractor’s purchasing system audit and approval. 2019 also saw the first False Claims Act whistleblower litigation related to contractors’ compliance with DoD cybersecurity contracting provisions.
Beyond merely focusing on enforcement of existing compliance obligations, the DoD upped the ante in June 2019 with its announcement of its forthcoming Cybersecurity Maturity Model Certification (CMMC). CMMC is the next step in the DoD’s efforts to protect the government’s sensitive, unclassified information against data exfiltration, and once it goes into effect CMMC will be a mandatory, third-party certification for all DoD contractors and subcontractors.
While there remain many unanswered questions surrounding the details and implementation of CMMC, the DoD has made clear that CMMC is coming and the defense contracting community must be ready to implement these requirements in order to continue receiving defense contracts, subcontracts and other DoD-funded agreements.
What Will CMMC Require?
As currently drafted, CMMC will require all defense contractors and subcontractors to undergo a third party assessment of their internal cybersecurity technical practices and process maturity against published standards. This assessment will result in certification at one of five levels – 1 being the lowest and 5 the highest – or no certification. Each subsequent level is cumulative, meaning a company must meet the requirements of all lower levels to qualify for a higher level of certification. In addition, an organization must satisfy both the defined practices and process maturity criteria within a given level across all areas of the model to achieve certification at that level (e.g., having a Level 3 assessment on technical practices and Level 2 on process maturity results in an overall Level 2 certification).
The DoD expects contractor CMMC assessments to begin in early June 2020. CMMC requirements will start appearing in DoD Requests for Information around this same time, and they become mandatory in all DoD solicitations beginning fall 2020. Once implemented, each DoD solicitation will identify the minimum required CMMC level a company must have to be eligible for that contract award.
On December 6, 2019, the DoD released Version 0.7 of the draft CMMC framework. This update refines the technical practice requirements for Levels 1-5 and provides further guidance regarding process maturity expectations. Level 1 identifies 17 basic requirements, mostly consistent with existing general government contractor cybersecurity requirements, while Level 3 aligns with full NIST SP 800-171 Rev 1 compliance. Levels 4 and 5 require “proactive” and “progressive” cybersecurity programs, respectively, and impose additional practices derived from Draft NIST SP 800-171B and other heightened cyber standards. These top two levels are expected to be reserved for companies handling information related to critical technologies.
The CMMC model will not be static, however: it will be adapted and revised whenever and however needed as the DoD identifies new threat vectors. While a company’s certification is generally expected to last for three years, including interim spot checks, model revisions could necessitate earlier reassessment.
Who Is Affected by the Upcoming CMMC Requirements?
The DoD states that all contractors and subcontractors – including commercial item subcontractors – at any level of the defense supply chain will need to be certified at a minimum of Level 1 in order to be eligible to receive DoD-funded contracts and agreements. The DoD has also left open the possibility that the CMMC qualification requirements may apply to other types of contractual agreements, including DoD-funded grants, cooperative agreements, and other transactions.
A company may meet a specific CMMC level across its entire enterprise network or particular segment(s) or enclave(s). At the subcontractor level, the DoD anticipates limiting CMMC application to companies providing products and services in direct support of a defense program, thereby excluding ‘back office’ products and personnel supporting general corporate overhead functions from these requirements.
If performance of a contract or subcontract necessitates access to any Controlled Unclassified Information (CUI), a Level 3 minimum certification will be required. CUI includes export controlled information, “For Official Use Only” information, and other information created or possessed by a contractor that is subject to government-mandated safeguarding or dissemination controls. The DoD is still drafting a formal CUI baseline definition to clarify the specific types of information that must be protected, as well as guidance regarding how the government will assign CMMC levels to individual procurement.
How Does This Differ from Today’s DoD Cybersecurity Requirements?
DoD contractors and subcontractors are currently required in every procurement contract to self-certify their compliance with DFARS 252.204-7012. This DFARS clause mandates that contractors provide “adequate security” – generally equivalent to full compliance with NIST SP 800-171 Rev 1 – on all of its unclassified information systems that process, store or transmit Covered Defense Information (“CDI,” the current DoD-equivalent of CUI). The clause also imposes reporting and cooperation requirements in the event of defined “cyber incidents.” Importantly, the DFARS clause, while mandatory in all contracts, does not apply if no processing, storing, or transmitting of CDI occurs within a contractor’s information system. In addition, in practice, the DoD has allowed companies that have not yet but are working to achieve full compliance with the NIST standards to receive contracts and subcontracts, so long as the contractor can demonstrate it has an acceptable System Security Plan and Plan of Action and Milestones (POAM) in place to achieve full compliance.
While NIST SP 800-171 Rev 1 continues to form the substantial baseline for CMMC compliance up to Level 3, the above three key hallmarks of DFARS 252.204-7012 – self-certification, applicability caveats, and flexibility for in-process compliance – are effectively eliminated under CMMC. An independent third party assessment and certification process will replace self-certification, all DoD contractors and subcontractors must be certified at least at Level 1 in order to qualify for award, and the CMMC approach as currently drafted does not include a waiver or deviation process for individual control gaps.
In addition, as previously noted, CMMC imposes additional requirements over and above those mandated by NIST SP 800-171 for Level 4 and 5 critical technology contracts, and certification may also become mandatory for research, prototype, and other non-procurement instruments.
What Are My Recommended Next Steps to Prepare for CMMC?
The DoD has not yet published draft regulations implementing CMMC and many details remain unclear. Despite this, the agency continues to state that the final CMMC framework (version 1.0) will be published in late January 2020, and its requirements will begin to appear in Requests for Information beginning in June. The DoD has also indicated that it expects to issue an interim rule to accelerate implementation.
Companies should begin preparing for the new accreditation system by ensuring compliance with the appropriate NIST SP 800-171 Rev 1 requirements, depending on the level of CUI they expect to handle:
Determine if your company receives federal funds from the Department of Defense either directly as a prime contractor or indirectly via subcontracts, purchase orders, or other contractual agreements. If so, you should be prepared to obtain at least a Level 1 or 2 certification.
Determine whether your company currently or in the future expects to electronically process, store, or transmit Controlled Unclassified Information in the performance of its defense contracts. If so, you should be prepared to obtain at least a Level 3 certification.
If you are a subcontractor, consider reaching out to your major higher-tier contractor customers to understand how they are preparing to implement CMMC across their supply base.
Review your company’s current NIST SP 800-171 Rev 1 compliance level against your expected certification level requirements. If you currently have a POAM in place or identify additional concerns, dedicate appropriate resources to ensure that progress is being made to close any gaps as quickly as possible.