Cyber attackers continue to target contractors in the Defense Industrial Base (DIB) sector with increasing frequency. This sector supports the Department of Defense (DoD), in terms of research, development, acquisition, production, and delivery.
The loss of intellectual property (IP) in the DIB sector can undercut the U.S. advantage in technology, increasing the risk to national security. The DoD is, therefore, working with contractors to increase the protection of unclassified information within the DIB supply chain. This includes the development of the Cybersecurity Maturity Model Certification (CMMC) framework.
Because CMMC compliance requirements are still evolving, many DIB contractors have questions about it. We’ve tried to supply some answers to the most common questions contractors are asking.
What is the CMMC?
The CMMC framework includes many processes and best practices in cybersecurity that are drawn from a variety of sources, including DIB contractors and other DoD stakeholders. This framework organizes those processes and practices into domains and maps them across multiple maturity levels. It also aligns practices with capabilities within each domain.
How Is it Different from NIST SP 800-171?
The US government is using CMMC certification as a vehicle to audit compliance with NIST SP 800-171, a publication that recommends requirements for protecting CUI. DoD contractors have been required to comply with NIST SP 800-171 since January 1, 2018, but levels of adoption have remained low since then. CMMC was created to remedy this problem, and it will ultimately affect over 200,000 contractors even by the most conservative estimate.
Even if contractors comply with CMMC, it doesn’t mean they comply with all NIST SP 800-171 requirements. NIST 800-171 includes 110 CUI controls in addition to 63 Non-Federal Organization (NFO) controls. Contractors still need to comply with both the CUI and NFO controls, even though NIST 800-171 primarily focuses on the storage, transmission, and processing of CUI.
CMMC Assessment and Certification Process
The CMMC model includes five maturity levels designated ML 1 through ML 5. Each level has progressively greater compliance requirements with respect to NIST 800-171.
- ML 1 deals with performance. It has associated practices, but no process requirements.
- ML 2 adds documentation requirements. Organizations must establish domain policies and the CMMC practices needed to implement those policies to reach this level.
- ML 3 includes management requirements. Organizations must establish, maintain, and provide resources for each of their domains.
- ML 4 requires organizations to review the effectiveness of activities within their domains.
- ML 5 adds the requirement for contractors to optimize and standardize their approach towards their domains across all organizational units.
Choosing a Third-Party Assessment Organization
The latest changes to CMMC prevent contractors and their subcontractors from self-assessing their security posture. An official CMMC third-party assessment organization (C3PAO) must now conduct on-site inspections to ensure contractors are in compliance with CMMC requirements.
DoD solicitations could include CMMC requirements as early as June 2020 and will become mandatory by September 2020. It doesn’t appear that these requirements will become retroactive at this time. Failure to meet the requirements of a particular maturity level prevents contractors from bidding on DoD solicitations with that maturity level or higher.
What Does it Mean to be Compromised?
Section 252.204-7012 of the Defense Federal Acquisition Regulation Supplement (DFARS) describes a cyber incident as an action taken on a DoD contractor’s information system that results in an actual or potentially adverse effect on the data it contains. This broad definition covers actions taken by DoD contractors themselves as well as by unauthorized intruders. In other words, a cyber incident includes any action performed by any party that could have compromised DoD data, even if it didn’t actually do so.
The compromise of a contractor’s information system doesn’t automatically result in the loss of certification. However, it does appear at this point that the DoD will authorize program managers to require recertification from the contractor if they feel it’s necessary. It’s still unclear how the DoD will impose this obligation and what standard it will use to determine that recertification is necessary.
What Type of Companies Need CMMC?
All contractors doing business with the DoD are required to obtain a CMMC rating, whether they’re a prime contractor or a subcontractor. It also applies to equipment manufacturers and material suppliers, even if they don’t directly provide their products to the DoD. Furthermore, CMMC requirements are only the first step towards improving the security of organizations in the DIB sector.
Your Compliance Partner
I.S. Partners can help you achieve and maintain CMMC, allowing you to continue doing business with the DoD. We begin this process with an evaluation to determine what changes you need to make in your security posture. We can then provide strategic advice on how to make those changes.