By 2026, any contractor that works with the Department of Defense must meet the standards set by version 1.0 of its Cybersecurity Maturity Model Certification (CMMC). The Pentagon released the new standards on Jan 31, which will require third-party certification of cyber resilience from DoD contractors and subcontractors.
For contractors who hope to work with the DoD, CMMC certification will be required as part of Requests for Proposals (RFPs) starting in June 2020. Although DoD contractors have had to meet data security requirements in the past, CMMC is a new third-party verification system that combines several existing standards, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032 and AIA NAS9933. If your business works with the DoD, here’s what you need to know about the new mandatory cybersecurity certification.
The Five Maturity Levels
Different contractors will be held to different standards. There are five cybersecurity maturity levels depending on the expectations placed on the contractor for handling certain information. These levels are cumulative, meaning that to achieve any level, a contractor will need to fulfill all the requirements for the levels before it.
- Level 1 is the requirement for any contractor that does not handle controlled unclassified information (CUI). The focus of this level is safeguarding federal contract information (FCI).
- Level 2 serves as a transitional step for contractors that protect CUI, with maturity requiring the documentation of policies and the implementation of practices for protecting CUI.
- Level 3 is for contractors tasked with the protection of CUI. Such contractors will need to show that they can establish, maintain and resource plans for protection.
- Levels 4 and 5 are the highest maturity standards, in place for contractors that protect CUI. To achieve these levels, contractors will need to show maturity not only in protecting CUI but also in reducing the risk of advanced persistent threats. Such contractors will need to review and measure activities for effectiveness to reach Level 4, and to standardize and optimize an organization-wide approach to reach Level 5.
“Practices” Are Organized Into 17 “Capability Domains”
“Practices” are defined as the cybersecurity processes contractors must master in order to meet the CMMC standard. The number of practices in which a contractor must demonstrate maturity ranges from 17 practices at Level 1 to 171 practices at Level 5.
These practices can be categorized into 17 capability domains. Most practices are contained in six domains:
- Access Control
- Audit and Accountability
- Incident Response
- Risk Management
- System and Communications Protection
- System and Information Integrity
For the higher levels of maturity, there are 11 additional domains:
- Asset Management
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Media Protection
- Personnel Security
- Physical Protection
- Security Assessment
- Situational Awareness
CMMC Could Bring Forth Challenges for New Contractors
The key change heralded by CMMC is the shift to a stricter third-party certification system. In the past, contractors have had to self-certify under the Defense Federal Acquisition Regulation Supplement (DFARS). Self-certification has been shown to lead to liability under the False Claims Act (FCA), as it significantly increases the risk of cybersecurity noncompliance.
Additionally, past cybersecurity standards have often left room for multiple interpretations of contractor compliance. The CMMC is meant to combat this ambiguity and decrease the risk of FCA liability.
However, certification poses a new set of challenges for small businesses hoping to work with the DoD. According to a report by law firm Baker Donelson, certification could be borderline impossible for businesses that have not already developed systems that comply with the National Institute of Standards and Technology (NIST) standards. Such businesses might need to be mentored by, or even merge with, larger businesses that are already compliant if they hope to work with the DoD. Additionally, obtaining certification and developing compliant cybersecurity systems could pose a massive cost to businesses.
What Happens Next?
When CMMC implementation begins in June, it will at first apply only to new contracts; existing contracts will not be modified. The DoD plans to wait around five or six years for these contracts to expire before replacing them with new contracts that carry CMMC requirements. By fall, any contractor sending a proposal to the DoD will need to be CMMC-certified. Contractors pursuing DoD work will therefore need to start the certification process now, so that they are certified by the time they submit a proposal.