In 2019, the Department of Defense (DoD) announced the Cybersecurity Maturity Model Certification (CMMC), a new set of standards for cybersecurity compliance across the Defense Industrial Base (DIB). Last December, the CMMC finally went into effect under an “interim rule” which gives organizations in the defense sector time to fully comply while the DoD prepares for enforcement.
Since 2017, organizations doing business with the federal government have been required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. The 110 security practices listed in NIST SP 800-171 have been incorporated into, and supplanted by, CMMC, which adds new rules to deal with modern threats. But just how much does this change for defense contractors?
In this article, we will explain the current status of CMMC under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7019. The new DFARS rules lay out a roadmap for CMMC implementation which will shape federal security for years to come.
What is CMMC?
In recent years, the number of cybersecurity threats to government agencies and contractors has multiplied due to many factors, including an increased number of cyber actors, the growth of remote employment, and the Internet of Things (IoT). CMMC responds to this growth in threats with a single focus: keeping Controlled Unclassified Information (CUI) from falling into enemy hands.
While NIST 800-171 shared the same purpose, its effectiveness was hindered by a self-certification process which sometimes resulted in substandard levels of compliance across DIB organizations. In the face of rising cyber incidents, the DoD has decided that stricter standards must be enforced.
The CMMC is envisioned as the next step in federal security compliance, requiring organizations to undergo a third-party assessment before they are eligible to apply for sensitive defense contracts. Despite stricter standards, the CMMC also provides greater flexibility through five tiers that recognize different levels of cybersecurity maturity.
The Interim Rule
Last November, the DoD unexpectedly issued an “interim rule” which creates a period of transition before CMMC is fully implemented. The details of this transition are outlined in an update to DFARS (DFARS 7019).
- Rule 7019 – defense contractors that process, store or create CUI are still required to perform a NIST 800-171 self-assessment and submit their score until CMMC is fully implemented.
- Rule 7020 – if the government decides that a further assessment is necessary, defense contractors must grant access to their facilities, systems and employees.
- Rule 7021 – the CMMC is now Defense Department policy. This rule lays out a timeline for compliance; an increasing number of contracts will formally require CMMC compliance until October 1st, 2025, when it will become a default requirement for all DoD contracts.
In the meantime, certified third-party assessment organizations (C3PAOs) must be verified by the CMMC Accreditation Body (AB). This may take some time: currently, there are only two such organizations, and no more than 360 are expected by the end of 2021.
CMMC: What You Need to Know Right Now
Due to the low number of C3PAOs, most organizations will be unable to receive the third-party assessment required for CMMC certification at this time. Until that changes, organizations should familiarize themselves with CMMC requirements under the interim rule and prepare to apply for certification at a later date.
Trust But Verify
With CMMC, the Defense Department is adopting a “trust but verify” policy. Moving forward, checking off boxes will not be enough: organizations will have to make a real commitment to cybersecurity if they want to be CMMC-certified.
During the third-party assessment process, employees will be interviewed, facilities will be inspected, and systems will be analyzed to ensure that proper protections have been implemented. Being prepared means adopting a mindset of cybersecurity and aligning organizational goals with the goals of CMMC.
Until CMMC is fully implemented, organizations will still be required to perform NIST 800-171 self-assessments to ensure they are compliant with minimum standards. Under DFARS 7019, contractors must perform this assessment every three years in order to be considered for a contract award.
Guidelines for conducting a NIST 800-171 assessment can be found in NIST Handbook 162. Results must be documented for training purposes and submitted to the Supplier Performance Risk System (SPRS). This requirement will lapse on October 1st, 2025, when CMMC becomes mandatory for all defense contracts.
The “maturity” portion of CMMC is reflected in five certification tiers which recognize that different organizations are farther along in their cybersecurity program than others. These levels are summarized below:
- Levels 1 – 3 – right now these are the only levels whose certification standards are fully known. They correspond to Basic, Intermediate and Good “cyber hygiene.” Level 3 includes 130 total security practices, and is roughly equal to NIST 800-171 in the level of cybersecurity it provides.
- Level 4 – includes “enhanced” security requirements for a “Proactive” security program. At Level 4, organizations are expected to be prepared for advanced persistent threat (APT) groups and their tactics.
- Level 5 – entails highly optimized cybersecurity practices for an “advanced” security program. At this level, organizations must be able to defend sensitive data from advanced cyber actors.
When CMMC is fully implemented, all contractors handling CUI will be required to achieve Level 3, just as all are currently required to meet the requirements of NIST 800-171. Level 3 will remain the most common certification level on DoD contracts, with Levels 4 and 5 reserved for highly sensitive applications.
Prepare for CMMC With Securicon
Based on our years of experience conducting assessments for compliance with NIST regulations like SP 800-53 and SP 800-171, which form the basis of CMMC, Securicon can perform readiness assessments and mock audits to help your organization prepare for the real thing. With a DoD background, our world-class experts are ready to take stock of your IT assets and build a security response plan that is tailored to your organization’s needs.
Securicon provides information security solutions to public and private sector organizations. Our expert cyber security teams help our clients manage and secure their Information Technology (IT) and Operational Technology (OT) environments by providing vulnerability and penetration testing/assessments; governance, risk and compliance services (GRC) and security architecture review and design services. Contact Us to learn more!