The Department of Defense (DoD) implemented the Cybersecurity Maturity Model Certification (CMMC) to standardize cybersecurity practices across the federal government’s defense industrial base. These efforts are part of an ongoing initiative to protect national security in today’s digital world and improve readiness for cyberthreats. But you may wonder, who needs CMMC certification?
Who Needs to be Compliant?
To understand who needs CMMC certification, we must first understand CMMC compliance. This term applies to more than 300,000 organizations that engage with the Department of Defense, including contractors and subcontractors working with primes to execute and/or fulfill DoD contracts. However, many companies are still unsure who needs CMMC certification or what CMMC level they may be required to achieve.
What is Cybersecurity Maturity Model Certification?
The CMMC 2.0 framework is a single standard for verifying the implementation of cybersecurity requirements across the defense industrial base (DIB). It’s the DoD’s response to a significant number of data breaches involving sensitive DoD information stored on contractors’ systems.
The primary goal of CMMC on a tactical level is to improve the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that’s stored, processed and transmitted by federal contractors.
According to the most recent Bloomberg Government data, in fiscal 2020 the U.S. Department of Defense awarded $445.5 billion in contracts, with 54 percent of this budget allocated to small businesses. With over 300,000 companies in the U.S. defense industrial base (DIB), many of which handle sensitive data for the DoD, the security of the nation’s supply chain is a growing concern.
The DoD’s reliance on such a large network of contractors significantly increases the DIB’s risk profile, especially for small businesses that lack the resources of major defense contractors.
The risk of information theft is also a growing concern for the DoD, as it currently drains about $600 billion from global gross domestic product (GDP) each year. As a result of these risks to data security, the DoD has released the Cybersecurity Maturity Model Certification (CMMC) to promote the adoption of best practices in cybersecurity across its entire contractor base.
The DoD released the first version of the CMMC on January 31, 2020, with much anticipation by the defense community. Organizations such as Federally Funded Research and Development Centers (FFRDCs), University Affiliated Research Centers (UARCs) and various industry groups also provided significant input to the CMMC.
The DoD began issuing a few requests for information (RFI) with CMMC specifications in September 2020, and expects all DoD requests for proposals (RFPs) to include CMMC requirements by 2026.
Prior to CMMC, contractors were responsible for ensuring their cybersecurity measures met the standards required to protect the DoD data stored, processed and transmitted by their information systems. Contractors are still responsible for implementing these measures, but CMMC now requires CMMC Third-Party Assessment Organizations (C3PAOs) to verify them.
This assessment process includes mandatory capabilities, practices and procedures that can adequately protect DoD information from both existing threats and threats from future adversaries.
What are the levels of CMMC compliance?
CMMC consists of different maturity levels, providing a comprehensive, scalable framework to describe the maturity and reliability of the IT infrastructure for government contractors. These levels are hierarchical such that the requirements of each level include the requirements of the level below it.
The process of obtaining a specific CMMC maturity level generally consists of an organization demonstrating that it meets the requirements of that level. The level that a contractor needs to work on a DoD contract depends on the sensitivity of the information that the contractor will handle. (Learn more: Ultimate Guide to CMMC Levels)
CMMC Level 1
Level 1 is classified as Basic Cyber Hygiene and is the minimum CMMC certification level. It focuses on the protection of FCI, which is government information not intended for public release. The government may provide FCI to contractors, but contractors can also generate it on the government’s behalf while working under contract.
FCI doesn’t include any information that the government has provided to the public. The primary requirement of this level is that the organization must use antivirus software and sanitize storage media containing FCI before disposal.
Level 1 requires the organization to follow specific practices that meet the basic requirements for safeguarding data specified in 48 CFR 52.204-21. However, it may do so in an ad hoc manner that doesn’t require it to rely on documentation. As a result, C3PAOs don’t assess process maturity for level 1.
CMMC Level 2
Level 2 is classified as Intermediate Cyber Hygiene, which requires organizations to establish and document best practices and policies in cybersecurity. They must also demonstrate that their approach encompasses all activities needed to protect CUI.
The organization’s documentation of processes must allow them to be performed repeatedly. They must also perform those processes as documented. The practices for this level also include those from other standards and references. In addition, a subset of Level 2 practices reference the protection of CUI.
Learn more about CMMC Level 3 Requirements & Controls
Who needs CMMC Certification?
Any organization that performs work for the DoD, including both prime contractors and subcontractors, will in most cases eventually be required to hold a CMMC certification. This requirement also applies to all suppliers in all tiers of the Defense Industrial Base (DIB), whether they’re enterprise-level contractors, small businesses or foreign suppliers. However, the specific application of cybersecurity standards can vary depending on whether the contracting organization is a prime contractor, subcontractor or supplier.
One exemption to the CMMC requirements is that organizations that only develop Commercial-Off-The-Shelf (COTS) products aren’t currently required to obtain CMMC certification, but this is a narrow case. It’s best to verify this exemption with your contracting officer, as this information can change over the upcoming months.
The CMMC Accreditation Body (CMMC-AB) will develop procedures for certifying independent C3PAOs in coordination with the DoD. These assessors will evaluate the CMMC level of affected organizations.
All DoD contracts will require some CMMC maturity level by 2026 according to the DoD’s current schedule. The DoD currently plans to issue contracts based on maturity level, so some will only require Level 1 while others will need Level 2.
The specific CMMC level depends on the contractor’s access to CUI and FCI. For example, a contractor that doesn’t need to handle CUI but does need access to FCI will need at least CMMC Level 1. Furthermore, the contractor in this example would also need to meet the requirements specified in FAR Clause 52.204-21.
Prime Contractors
Prime contractors have a direct contract with DoD entities and are usually larger organizations. They typically require a higher CMMC level than subcontractors because primes have access to all the information involved in that contract.
Subcontractors
Smaller businesses often subcontract to prime contractors to provide specific products or services as part of a larger project. These deliverables are still part of the contract, so subcontractors need to comply with CMMC at the maturity level appropriate for the data they handle. However, other parts of the project may require higher CMMC levels.
Suppliers
Prime contractors may rely on other organizations to supply certain products in support of their contract with the DoD, but these suppliers are still part of the DIB. As a result, these sub-tier suppliers still need to comply with the requirements for the CMMC maturity level appropriate for those products. This maturity level is independent of the one that the prime contractor must achieve.
What actions should DoD contractors take now to help enable compliance?
The DoD estimates that the DIB currently includes over 300,000 contractors, all of which will eventually require CMMC to continue competing for DoD contracts. With such a large number of suppliers needing a third-party audit by authorized C3PAOs, this could lead to a longer timeline for CMMC to be fully implemented across the DIB.
Nevertheless, it’s vital for DoD contractors to complete their compliance obligations today (DFARS 252.204-7012 & NIST SP 800-171), while also preparing for a successful CMMC audit. (Learn more: Guide to CMMC Audits)
In general, this process will consist of an organization documenting its current practices and implementing additional practices if needed. Documentation of practices that already comply with CMMC is vital for obtaining an overall picture of the organization’s current security posture. This phase lays the foundation for implementing the additional procedures needed to obtain a higher CMMC level.
Prime contractors should begin working with their subcontractors now if they aren’t already doing so. The primary purpose of this coordinated effort should be to review the compliance programs that are already in place and develop new ones if needed.
Contractors should also review RFIs and RFPs for their minimum CMMC requirements to ensure they won’t be overly burdensome. It’s important for prime contractors to understand the certification level required throughout their supply chain before bidding on a contract.
Contractors should closely engage with contracting agencies during this period as the procedures for obtaining CMMC are still evolving. These agencies should provide the DoD with contractor feedback during this stage to clarify any ambiguity in an RFP, especially with regard to CMMC requirements.
Contractors have the option of filing a pre-award protest if these issues aren’t resolved to their satisfaction. However, the US Court of Federal Claims and Government Accountability Office (GAO) will likely defer to the DoD on contract issues related to technical requirements or national security.
Contractors need to follow the challenges in obtaining CMMC as they develop. They should be particularly concerned about the due process that will be available in the event that a CMMC audit result is in error. These assessments can have a great impact on an organization’s ability to continue competing for DoD contracts in any meaningful way.
The CMMC doesn’t currently establish any right of appeal for the contractor, although the DoD has indicated that it will do so. In the meantime, contractors should continue providing the DoD with detailed feedback on proposed due process procedures.
Contractors should also be prepared to be agile with respect to CMMC. While CMMC is a minimum requirement for eligibility on DoD contracts, a contract may have additional cybersecurity requirements. The DoD has repeatedly emphasized that CMMC is only a starting point that may not be adequate to address evolving threats. Contractors must therefore continue to foster a culture of flexibility when it comes to cybersecurity.
Get Prepared for CMMC Compliance Today
The requirement for CMMC is expected to appear in DoD contracts in 2021 and will apply to all contracts by 2026. Cuick Trac can help your organization satisfy the 110 NIST SP 800-171 controls in addition to the emerging CMMC requirements.
Learn why so many small to medium-sized defense contractors choose Cuick Trac as their DFARS 252.204-7012 & NIST SP 800-171 compliance solution.
Call 612-428-3008 or schedule a Cuick Trac demo today.