Estimated reading time: 4 minutes

Defense Speak Interpreted: Be Prepared for CMMC

If you are a current or future Defense Department contractor or subcontractor, you need to be prepared for the next cybersecurity requirements coming online during 2020. This is the Cybersecurity Maturity Model Certification, or CMMC, in Defense speak. There will be five levels of cybersecurity requirements for various amounts of Controlled Unclassified Information (CUI) you handle, with increasing requirements from one (least) to five (most).

All of this is to protect CUI. The definition of this somewhat vague concept is, “CUI is information the government creates or possesses—or that an entity creates or possesses for or on behalf of the government—that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” While various Federal Government departments handle CUI, the CMMC regulations are being applied to the Defense Department—the first federal function to implement this procedure.

Many of you may be compliant (or working toward compliance) to NIST SP 800-171. This cybersecurity concern dates to an executive order in 2010, and NIST SP 800-171 was created to comply with DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” ^[1]. The Executive Agent for CUI is the National Archives and Records Administration (and you thought they only kept a copy of the Constitution!).

NIST SP 800-171 was principally rolled out in 2017, with updates added up to December of 2019. Businesses could self-assess their cybersecurity by using the NIST SP 800-171 Handbook or get help from an outside certification entity. My take on NIST 800-171 is that “I have thought about my cybersecurity, audited myself, and have this plan to implement improvements.”

This somewhat voluntary effort to comply with cybersecurity requirements has not been a total success, hence the implementation of CMMC. According to one source ^[2], The Council of Economic Advisers, an agency within the Executive Office of the President, estimated that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. Globally, there is also an estimate that 1% of the World Gross Domestic Product is lost to cybercrime each year ^[3].

CMMC compliance will be a Federal Acquisition Requirement (FAR) in certain Defense requests for information (RFI) starting in June 2020, and in Defense contracts (RFPs) awarded after that information review (some months later). The CMMC structure consists of five levels of compliance, each more advanced building on the previous level of requirements (Figure 1).

Figure 1: CMMC practices per level ^[4].

As you can see, the levels are:

1. Basic
2. Intermediate
3. Good
4. Proactive
5. Advanced/progressive

How does a company know what CMMC level is required in future contracts? That is established by the language in sections L and M of Request for Proposal (RFP) for the contract. Section L is “Instructions, Conditions, and Notices to Offeror’s” ^[5], and Section M is “Evaluation Factors for Award” ^[6].

It is anticipated that major Defense prime contractors will have to be certified to at least Level 4, if not Level 5. However, subcontractors may only be required to certify to a lower level, such as Level 3 for PCBs and assemblies. It is understood that any company contracting with Defense will have at least a Level 1 certification. One key point is that the certification is only required at the time of award, but that date is usually set in the RFP. CMMC requirements started showing up in 2020, meaning the certification level must be achieved some months later—probably in early 2021.

The DoD expects that by 2026, all contracts will have these cybersecurity requirements. Defense estimates that 1,500 companies will have some level of certification by 2021—an estimate based on 10 “pathfinder” Defense contracts in 2020, each having 150 subcontractors.

So, how do you get certified? First, visit the Office of the Under Secretary of Defense for Acquisition and Sustainment’s website for initial questions ^[7]. The next step is to acquaint yourself with the CMMC Accreditation Board (CMMC-AB) ^[8]. This is a not-for-profit organization being set up as a sort of policeman for the CMMC accreditation process. See the section on C3PAO—certified third-party assessment organizations (not a droid from “Star Wars”). An internet search lists something like 200 organizations all over the USA who are prepared to help companies get certification to CMMC. However, the CMMC-AB is rushing to finish their certification work for C3PAOs. Talk about an instantly created consulting business!

Overall, get started now. Don’t wait.

References

1. “Safeguarding Covered Defense Information and Cyber Incident Reporting,” 252.204-7012, 204.7304(c), December 2019.
2.  “The Cost of Malicious Cyber Activity to the U.S. Economy,” The Council of Economic Advisers, February 2018.
3. “Economic Impact of Cybercrime: No Slowing Down,” Center for Strategic and International Studies (CSIS) and McAfee, February 2018.
4. “Cybersecurity Maturity Model Certification (CMMC): CMMC Model v1.0,” January 31, 2020.
5. “Proposal Development: Section L, Instructions,” AcqNotes, June 29, 2018.
6. “Proposal Development: Section M, Evaluation Factors for Award,” AcqNotes, June 29, 2018.
7. “CMMC FAQs,” The Office of the Under Secretary of Defense for Acquisition and Sustainment.
8. “CMMC Accreditation Board.”

Dennis Fritz was a 20-year direct employee of MacDermid Inc. and has just retired after 12 years as a senior engineer at (SAIC) supporting the Naval Surface Warfare Center in Crane, Indiana. He was elected to the IPC Hall of Fame in 2012.