DoD has nearly completed a critical new standard, the Cybersecurity Maturity Model Certification (CMMC), which will be required on new DoD contracts starting in summer 2020. Currently, the Defense Federal Acquisition Regulation Supplement (DFARS) lets contractors self-certify that they comply with the required computer security safeguards. CMMC will instead require contractors to obtain third-party certification of their cybersecurity capability.

The CMMC contains five levels, ranging from basic cyber hygiene to advanced cyber maturity. Every organization that does business with DoD must be audited by an authorized assessing entity before performing on an applicable contract, whether as a prime or as a subcontractor to a prime.

Would-be auditors are already hawking their wares online, inviting you to call for guidance or request a quote. Among them are groups such as CMMC Academy, ComplyUP, and the University of Georgia.

The Developers

CMMC is being developed through a collaborative effort of the Johns Hopkins University Applied Physics Laboratory, the Defense Industrial Base Sector Coordinating Council (DIB SCC), the Carnegie Mellon University Software Engineering Institute, and the DoD Office of Small Business Programs. Industry groups, including the National Defense Industrial Association (NDIA) and the Aerospace Industries Association (AIA), have also been involved. There have been several draft releases of the CMMC so far, and the final version is due out in Q1 2020. Corresponding changes to the DFARS are expected in summer 2020.

About DFARS 252.204-7012

The DFARS 252.204-7012 clause is intended to ensure that defense contractors implement adequate security on covered contractor information systems. A "covered contractor information system" is an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information. For those systems, the clause requires the contractor to implement the security requirements of NIST SP 800-171.

If a defense contractor uses a cloud service to process, store, or transmit covered defense information, the cloud service must meet the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline requirements, or their equivalent.

About CMMC

The CMMC is intended to augment DFARS 252.204-7012 by providing a way to verify that a contractor actually complies with it. The CMMC is a maturity model with five levels. The model consists of Domains, Processes, and Practices; a contractor advances a level by implementing the additional Practices and institutionalizing the Processes required at that level. This is summarized in the following table, where the practice count at each level is cumulative (it includes the practices of all lower levels):

Level     Process Maturity   Cyber Hygiene   Practices (cumulative)
Level 5   Optimizing         Advanced        171
Level 4   Reviewed           Proactive       156
Level 3   Managed            Good            130
Level 2   Documented         Intermediate     72
Level 1   Performed          Basic            17

A contractor at Level 1 has a basic capability. Level 2 is a transition step toward Level 3. Levels 3, 4, and 5 add increasing protection capabilities; Level 3 encompasses all 110 NIST SP 800-171 requirements, so it is roughly where a contractor already subject to DFARS 252.204-7012 should be today, while Levels 4 and 5 indicate a better capability to protect against Advanced Persistent Threats (APTs).

Impact on Federal Proposal Writing

DoD says it plans to require CMMC compliance starting later this year. Future defense procurements are expected to specify a minimum CMMC level for a given solicitation, reflected in RFP sections L and M. Contractors may be required to demonstrate certification at a given CMMC level as a minimum requirement, for instance as the cutoff for a technically acceptable evaluation, or a contractor's maturity level may be part of the evaluation criteria in a best-value evaluation.

Contractors should be preparing for CMMC by assessing where they stand against the CMMC Practices at their target level and by developing remediation plans to close the gaps. Additionally, contractors should be identifying third-party CMMC assessors now so they can begin the certification process as soon as assessors are accredited.

Matthew Majot, the Sales Director at ComplyUP, estimates that the cost of an audit might be $5,000 for a small business, up to $30,000 to $50,000 for a large business with multiple divisions.

Capture teams should open a dialogue with potential federal customer agencies about the CMMC requirements of upcoming procurements so they can be better positioned to win. You don't want to be surprised when the solicitation says you need to be at Level 5 and your organization is currently at Level 2.

Proposal teams will need access to their company's most recent CMMC certification, since this information will be required as part of the proposal submission.

Keep tabs on the CMMC Accreditation Body web site for more information about the progress of CMMC. Third-party assessments cannot begin until the Accreditation Body starts certifying assessors.

About the Author:  Steven Bennett (CCISO, CISSP, CISA) has over 40 years of experience in federal contracting and information technology specializing in information security.  He is the former co-owner and COO of federal cybersecurity contractor G2, Inc.